Bug 156924

Summary: Crash if you type "debugger" in the console and continue
Product: WebKit
Reporter: Timothy Hatcher <timothy>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, fpizlo, ggaren, joepeck, keith_miller, mark.lam, msaboff, saam, timothy, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 156919
Bug Blocks:
Attachments (description, flags):
Crash Log (none)
[PATCH] Proposed Fix (mark.lam: review+, joepeck: commit-queue-)
[PATCH] For Landing (none)

Timothy Hatcher
Reported 2016-04-22 13:22:19 PDT
Created attachment 277090 [details] Crash Log

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000005
Exception Note: EXC_CORPSE_NOTIFY

VM Regions Near 0x5:
--> __TEXT 000000010cd34000-000000010cd36000 [ 8K] r-x/rwx SM=COW /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
Bundle controller class: BrowserBundleController
Process Model: Multiple Web Processes

Global Trace Buffer (reverse chronological seconds):
95.358494 libsystem_trace.dylib 0x00007fff913cd0fa dyld_image_header_containing_address(0x7f863945edc0) failed
111.941891 libsystem_trace.dylib 0x00007fff913cd0fa dyld_image_header_containing_address(0x7f863b90cf40) failed
117.671978 CFNetwork 0x00007fff9e63dddf Explicitly setting CF cookie storage singleton
117.672232 CFNetwork 0x00007fff9e67478d Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000010e384799 llint_slow_path_jtrue + 201 (JSCellInlines.h:251)
1 com.apple.JavaScriptCore 0x000000010e3922b2 llint_entry + 20657
2 com.apple.JavaScriptCore 0x000000010e38d01e vmEntryToJavaScript + 299
3 com.apple.JavaScriptCore 0x000000010e202fbe JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 (JITCode.cpp:81)
4 com.apple.JavaScriptCore 0x000000010e162162 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 450 (Interpreter.cpp:1020)
5 com.apple.JavaScriptCore 0x000000010dd6f467 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 71 (MarkedBlock.h:235)
6 com.apple.WebCore 0x000000010f4f5b50 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 96 (JSMainThreadExecState.h:57)
7 com.apple.JavaScriptCore 0x000000010e4c13dc Deprecated::ScriptFunctionCall::call(bool&) + 412 (ScriptFunctionCall.cpp:124)
8 com.apple.JavaScriptCore 0x000000010e0f5062 Inspector::InjectedScriptBase::callFunctionWithEvalEnabled(Deprecated::ScriptFunctionCall&, bool&) const + 98 (InjectedScriptBase.cpp:80)
9 com.apple.JavaScriptCore 0x000000010e0f519f Inspector::InjectedScriptBase::makeCall(Deprecated::ScriptFunctionCall&, WTF::RefPtr<Inspector::InspectorValue>*) + 79 (InjectedScriptBase.cpp:99)
10 com.apple.JavaScriptCore 0x000000010e0f5407 Inspector::InjectedScriptBase::makeEvalCall(WTF::String&, Deprecated::ScriptFunctionCall&, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>*, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 55 (RefPtr.h:71)
11 com.apple.JavaScriptCore 0x000000010e0f1b6f Inspector::InjectedScript::evaluateOnCallFrame(WTF::String&, JSC::JSValue, WTF::String const&, WTF::String const&, WTF::String const&, bool, bool, bool, bool, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>*, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 287 (StdLibExtras.h:355)
12 com.apple.JavaScriptCore 0x000000010e130620 Inspector::InspectorDebuggerAgent::evaluateOnCallFrame(WTF::String&, WTF::String const&, WTF::String const&, WTF::String const*, bool const*, bool const*, bool const*, bool const*, bool const*, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>&, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 464 (StdLibExtras.h:355)
13 com.apple.JavaScriptCore 0x000000010e1100b0 Inspector::DebuggerBackendDispatcher::evaluateOnCallFrame(long, WTF::RefPtr<Inspector::InspectorObject>&&) + 1360 (RefPtr.h:71)
14 com.apple.JavaScriptCore 0x000000010e10d36c Inspector::DebuggerBackendDispatcher::dispatch(long, WTF::String const&, WTF::Ref<Inspector::InspectorObject>&&) + 588 (InspectorBackendDispatchers.cpp:2506)
15 com.apple.JavaScriptCore 0x000000010e0fb613 Inspector::BackendDispatcher::dispatch(WTF::String const&) + 2467 (Ref.h:55)
16 com.apple.WebKit 0x000000010ced3f74 void IPC::handleMessage<Messages::WebInspector::SendMessageToBackend, WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&)>(IPC::MessageDecoder&, WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&)) + 67 (StdLibExtras.h:355)
17 com.apple.WebKit 0x000000010cd79849 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127 (memory:2636)
18 com.apple.WebKit 0x000000010cd7c1b2 IPC::Connection::dispatchOneMessage() + 126 (memory:2656)
19 com.apple.JavaScriptCore 0x000000010e64abc5 WTF::RunLoop::performWork() + 437 (functional:1742)
20 com.apple.JavaScriptCore 0x000000010e64af72 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
21 com.apple.CoreFoundation 0x00007fff9cfb7881 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
Attachments
Crash Log (83.59 KB, application/octet-stream), 2016-04-22 13:22 PDT, Timothy Hatcher, no flags
[PATCH] Proposed Fix (8.05 KB, patch), 2016-05-04 19:33 PDT, Joseph Pecoraro, flags: mark.lam: review+, joepeck: commit-queue-
[PATCH] For Landing (11.97 KB, patch), 2016-05-05 11:12 PDT, Joseph Pecoraro, no flags
Radar WebKit Bug Importer
Comment 1 2016-04-22 13:35:48 PDT
Timothy Hatcher
Comment 2 2016-04-22 13:42:09 PDT
The Inspector UI had a change recently to make this case work better, and that is when I saw this crash. You will want r199897 or later when looking into this.
Mark Lam
Comment 3 2016-05-04 12:14:39 PDT
This issue no longer reproduces in WebKit ToT r200422. Will close this bug.
Joseph Pecoraro
Comment 4 2016-05-04 17:27:04 PDT
*** Bug 157273 has been marked as a duplicate of this bug. ***
Joseph Pecoraro
Comment 5 2016-05-04 17:29:03 PDT
Was able to reproduce on my machine. With Mark's help we determined that InjectedScriptSource's evaluateOnCallFrame is getting called with a C++ Empty JSValue(), which ends up causing issues. It turns out this is because the Inspector is triggering evaluateOnCallFrame when we are not paused (and doesn't have any call frames)! The backend should be made to not crash in these situations. The frontend, ideally, should be made to not evaluate on a call frame when we are not paused.
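The failure mode described in comment 5 is a backend handler that trusts the frontend to send "evaluate on call frame" only while the debugger is paused, so an empty value reaches code that dereferences it. The following is an added illustration, not WebKit's code: it models a debugger backend with hypothetical `DebuggerState`, `CallFrame` and `ValueHandle` types and shows the handler validating its own state before touching any frame or value, returning a protocol error instead. The error strings are my choice, echoing the wording discussed later in this bug.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for an engine value handle. A default-constructed
// ("empty") handle is a sentinel that must never be used as a real value;
// comment 5 describes exactly such an empty value reaching the backend.
struct ValueHandle {
    const char* repr = nullptr;          // nullptr == empty handle
    bool isEmpty() const { return repr == nullptr; }
};

struct CallFrame {
    std::string functionName;
    ValueHandle scope;                   // value the evaluation would run against
};

// Hypothetical debugger state: call frames exist only while paused.
struct DebuggerState {
    bool paused = false;
    std::vector<CallFrame> callFrames;
};

struct EvalResult {
    bool ok;
    std::string text;                    // result text on success, error message on failure
};

// Backend handler for a frontend "evaluate on call frame" request. The request
// is treated as untrusted input: the frontend may send it at any time, including
// when the debugger is not paused, which is the case that crashed in this bug.
EvalResult evaluateOnCallFrame(const DebuggerState& state, std::size_t frameIndex,
                               const std::string& expression)
{
    if (!state.paused)
        return { false, "Debugger is not paused" };
    if (frameIndex >= state.callFrames.size())
        return { false, "Inspected frame is gone or is invalid" };
    const CallFrame& frame = state.callFrames[frameIndex];
    if (frame.scope.isEmpty())
        return { false, "Inspected frame is gone or is invalid" };
    // Stand-in for the real evaluation: tag the expression with its frame.
    return { true, frame.functionName + "(" + frame.scope.repr + "): " + expression };
}

// Constructed scenarios: one paused state with a valid frame, one running state.
DebuggerState pausedState()
{
    DebuggerState s;
    s.paused = true;
    s.callFrames.push_back({ "onClick", ValueHandle{ "this=button" } });
    return s;
}

DebuggerState runningState()
{
    return DebuggerState{};              // not paused, no frames
}

int main()
{
    EvalResult a = evaluateOnCallFrame(pausedState(), 0, "1 + 1");
    EvalResult b = evaluateOnCallFrame(runningState(), 0, "1 + 1");
    return (a.ok && !b.ok) ? 0 : 1;
}
```

The point of the guard order is that every check happens before any frame or value is dereferenced, so a request arriving in the wrong debugger state degrades to an error response the frontend can display rather than a crash of the web content process.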
Joseph Pecoraro
Comment 6 2016-05-04 19:33:03 PDT
Created attachment 278152 [details] [PATCH] Proposed Fix
Mark Lam
Comment 7 2016-05-04 21:02:53 PDT
Comment on attachment 278152 [details] [PATCH] Proposed Fix
View in context: https://bugs.webkit.org/attachment.cgi?id=278152&action=review

r=me

> LayoutTests/inspector/debugger/evaluateOnCallFrame-errors-expected.txt:12
> +PASS: Should be an error: Inspected frame has gone

I know this is not due to this patch but "Inspected frame has gone" doesn't sound right (and I'm not clear what it's actually trying to say). Is it supposed to say "Inspected frame is gone"? Or maybe "Inspected frame is invalid"? Or maybe "Inspected frame is gone or is invalid"?
Joseph Pecoraro
Comment 8 2016-05-05 11:03:16 PDT
Comment on attachment 278152 [details] [PATCH] Proposed Fix
View in context: https://bugs.webkit.org/attachment.cgi?id=278152&action=review

>> LayoutTests/inspector/debugger/evaluateOnCallFrame-errors-expected.txt:12
>> +PASS: Should be an error: Inspected frame has gone
>
> I know this is not due to this patch but "Inspected frame has gone" doesn't sound right (and I'm not clear what it's actually trying to say). Is it supposed to say "Inspected frame is gone"? Or maybe "Inspected frame is invalid"? Or maybe "Inspected frame is gone or is invalid"?

Heh, yeah I'll update the message.
Joseph Pecoraro
Comment 9 2016-05-05 11:12:09 PDT
Created attachment 278176 [details] [PATCH] For Landing
WebKit Commit Bot
Comment 10 2016-05-05 12:01:01 PDT
Comment on attachment 278176 [details] [PATCH] For Landing
Clearing flags on attachment: 278176
Committed r200467: <http://trac.webkit.org/changeset/200467>