Bug 149281

Summary: Regression(r189881): release assertion hit in toJS(ExecState*, JSDOMGlobalObject*, DocumentFragment*)
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: DOMAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, commit-queue, darin, ggaren, rniwa
Priority: P2    
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Chris Dumez
Reported 2015-09-17 13:00:35 PDT
release assertion hit in toJS(ExecState*, JSDOMGlobalObject*, DocumentFragment*) after <http://trac.webkit.org/changeset/189881>: Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef VM Regions Near 0xbbadbeef: --> __TEXT 0000000100d8f000-0000000100d91000 [ 8K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Application Specific Information: CRASHING TEST: plugins/snapshotting/snapshot-plugin-not-quite-blocked-by-image.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000106917d1e WTFCrash + 62 1 com.apple.WebCore 0x0000000107826155 WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::DocumentFragment*) + 149 2 com.apple.WebCore 0x00000001072cf527 WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot*) + 391 3 com.apple.WebCore 0x0000000107599f9e WebCore::Element::addShadowRoot(WTF::Ref<WebCore::ShadowRoot>&&) + 558 4 com.apple.WebCore 0x0000000107139a43 WebCore::Element::ensureUserAgentShadowRoot() + 83 5 com.apple.WebCore 0x000000010705f50d WebCore::ThreadTimers::sharedTimerFiredInternal() + 157 6 com.apple.WebCore 0x000000010705f438 WebCore::timerFired(__CFRunLoopTimer*, void*) + 24
Attachments
Patch (2.10 KB, patch)
2015-09-17 14:10 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (5.45 KB, patch)
2015-09-17 15:38 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2015-09-17 13:02:46 PDT
The assertion is: // If you hit this assertion you either have a use after free bug, or // DocumentFragment has subclasses. If DocumentFragment has subclasses that get passed // to toJS() we currently require DocumentFragment you to opt out of binding hardening // by adding the SkipVTableValidation attribute to the interface IDL definition RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer); DocumentFragment does have a subclass: ShadowRoot. However, ShadowRoot does not have a Web-Exposed type. Therefore, I believe the current code is safe and we should bypass the assertion here.
Ryosuke Niwa
Comment 2 2015-09-17 14:04:42 PDT
ShadowRoot will be exposed to Web now.
Chris Dumez
Comment 3 2015-09-17 14:10:34 PDT
Created attachment 261420 [details] Patch
Chris Dumez
Comment 4 2015-09-17 15:38:39 PDT
Created attachment 261443 [details] Patch
WebKit Commit Bot
Comment 5 2015-09-17 17:46:28 PDT
Comment on attachment 261443 [details] Patch Clearing flags on attachment: 261443 Committed r189949: <http://trac.webkit.org/changeset/189949>
WebKit Commit Bot
Comment 6 2015-09-17 17:46:32 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.