Bug 157078

Summary: Assertion failure when returning incomplete property descriptor from proxy trap
Product: WebKit Reporter: André Bargull <andre.bargull>
Component: JavaScriptCore Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ggaren, keith_miller, mark.lam, msaboff, sbarati, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch. sbarati: review+

Description André Bargull 2016-04-27 10:28:02 PDT
SVN: rev200124
Build with: perl Tools/Scripts/build-jsc --gtk --debug


The following test case triggers this assertion error:
---
ASSERTION FAILED: value
---


Test case:
---
Object.getOwnPropertyDescriptor(new Proxy({a:0}, { getOwnPropertyDescriptor(t,pk){return {writable:true, enumerable:true, configurable:true}} }), "")
---


Stack trace:
---
#0  0x00007ffff6e289ac in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:322
#1  0x00007ffff6ceb180 in JSC::PropertyDescriptor::setDescriptor (this=0x7fffffffca50, value=..., attributes=0) at ../../Source/JavaScriptCore/runtime/PropertyDescriptor.cpp:116
#2  0x00007ffff6c62064 in JSC::JSObject::getOwnPropertyDescriptor (this=0x7fffaedbf4f0, exec=0x7fffffffcaf0, propertyName=..., descriptor=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2866
#3  0x00007ffff6cd385f in JSC::objectConstructorGetOwnPropertyDescriptor (exec=0x7fffffffcaf0, object=0x7fffaedbf4f0, propertyName=...) at ../../Source/JavaScriptCore/runtime/ObjectConstructor.cpp:229
#4  0x00007ffff6cd3c71 in JSC::objectConstructorGetOwnPropertyDescriptor (exec=0x7fffffffcaf0) at ../../Source/JavaScriptCore/runtime/ObjectConstructor.cpp:272
#5  0x00007fffb0bff028 in ?? ()
#6  0x00007fffffffcb60 in ?? ()
#7  0x00007ffff6a33818 in llint_entry () at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1037
Backtrace stopped: frame did not save the PC
---
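
The result ECMAScript specifies for the test case above, as an added regression check that is not part of the original report or of WebKit's own tests: an incomplete descriptor returned by the trap is completed with default fields, then checked against the proxy invariants. It goes beyond the report's single case to accessor, generic and empty descriptors; `describeViaTrap`, `cases` and `runCases` are names assumed for this example.

```javascript
// Added example, not WebKit code. All names here are assumptions.
// Returns the descriptor the engine reports for `key` on a proxy whose
// getOwnPropertyDescriptor trap returns `trapResult`, or the error name
// if the engine rejects the trap result.
function describeViaTrap(trapResult, target = { a: 0 }, key = "") {
  const proxy = new Proxy(target, {
    getOwnPropertyDescriptor() { return trapResult; },
  });
  try {
    return Object.getOwnPropertyDescriptor(proxy, key);
  } catch (e) {
    return e.name; // invariant violations surface as "TypeError"
  }
}

// Constructed inputs: incomplete descriptors a trap might return.
const cases = {
  // The report's test case: data descriptor with no `value` field.
  dataNoValue: { writable: true, enumerable: true, configurable: true },
  // Accessor descriptor with a getter but no setter.
  accessorNoSetter: { get() { return 1; }, enumerable: true, configurable: true },
  // Generic descriptor: completed as a data descriptor with defaults.
  genericOnly: { configurable: true },
  // Empty descriptor: completes to configurable:false, which the proxy
  // invariants reject for a property the target does not have.
  empty: {},
};

function runCases() {
  const out = {};
  for (const [name, desc] of Object.entries(cases)) {
    out[name] = describeViaTrap(desc);
  }
  return out;
}

console.log(runCases());
```
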
Comment 1 Radar WebKit Bug Importer 2016-05-13 00:43:10 PDT
<rdar://problem/26263841>
Comment 2 Mark Lam 2016-06-15 16:29:56 PDT
I can reproduce this on a debug build.  Looking into it.
Comment 3 Mark Lam 2016-06-15 20:59:06 PDT
Created attachment 281434
proposed patch.
Comment 4 Mark Lam 2016-06-15 21:41:53 PDT
Thanks for the review.  Landed in r202124: <http://trac.webkit.org/r202124>.