Bug 158104

Summary:

DebuggerCallFrame crashes when updated with the globalExec because neither ShadowChicken's algorithm nor StackVisitor's algorithm reasons about the globalExec

Product:

WebKit

Reporter:

Saam Barati <saam>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bburg, benjamin, commit-queue, fpizlo, ggaren, gskachkov, joepeck, keith_miller, mark.lam, msaboff, nvasilyev, oliver, sukolsak, timothy, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
WIP	none
patch	none

Saam Barati

Reported 2016-05-25 18:27:34 PDT

Also, there is a bad assertion in ::create because the top frame is allowed to be a tail deleted frame.

Attachments
WIP (2.79 KB, patch) 2016-05-26 17:58 PDT, Saam Barati	no flags	Details Formatted Diff Diff
patch (6.13 KB, patch) 2016-05-27 14:32 PDT, Saam Barati	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Saam Barati

Comment 1 2016-05-26 13:14:32 PDT

I think we should special case this inside DebuggerCallFrame.

Saam Barati

Comment 2 2016-05-26 13:14:57 PDT

(In reply to comment #1) > I think we should special case this inside DebuggerCallFrame. To elaborate, I don't think it's correct to have ShadowChicken handle this. It shouldn't have to reason about the globalExec()

Saam Barati

Comment 3 2016-05-26 17:14:22 PDT

rdar://problem/26467869

Saam Barati

Comment 4 2016-05-26 17:58:23 PDT

Created attachment 279931 [details] WIP this is a test case

Saam Barati

Comment 5 2016-05-27 14:32:45 PDT

Created attachment 279995 [details] patch

Filip Pizlo

Comment 6 2016-05-27 14:34:21 PDT

Comment on attachment 279995 [details] patch lol