Bug 222538

Summary:

REGRESSION: Object.defineProperties triggering a setter

Product:

WebKit

Reporter:

Mark S. Miller <erights>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ashvayka, erights, ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

Safari Technology Preview

Hardware:

Mac (Intel)

OS:

macOS 11

Attachments:

Description	Flags
Screenshot of debugger state caught in buggy behavior	none
Screenshot of debugger state caught in buggy behavior	none
Screenshot of debugger state caught in buggy behavior	none
Screenshot of debugger state caught in buggy behavior	none
Screenshot of debugger state caught in buggy behavior	none
Screenshot of debugger state caught in buggy behavior	none
Patch	none
The call to defineProperties	none
The call to the setter	none
Shows about box and full url	none
Snapshot of built package currently use by page	none
snapshot of html page	none
snapshot of demo source used by that page	none

Mark S. Miller

Reported 2021-03-01 00:53:18 PST

Created attachment 421790 [details] Screenshot of debugger state caught in buggy behavior See https://github.com/Agoric/SES-shim/pull/592 The SES Demo console, after previously having worked on Safari Technology Preview, suddenly started failing with an infinite recursion. This instrumented variation of the PR in which this started failing catches when `Object.defineProperties` causes a setter to be called. The `Object.defineProperties` is attempting to convert `Array.prototype.toString` from a data property to an accessor property, after `Object.prototype.toString` has been similarly converted. Violating the semantics of `defineProperties`, it causes the setter of the `Object.prototype.toString` accessor property to be called. There follows some screenshots examining this state from within the debugger. This is on Safari Technology Preview Release 121 (Safari 14.2, WebKit 16612.1.4.3)

Attachments
Screenshot of debugger state caught in buggy behavior (561.89 KB, image/png) 2021-03-01 00:53 PST, Mark S. Miller	no flags	Details
Screenshot of debugger state caught in buggy behavior (8.36 KB, image/png) 2021-03-01 00:54 PST, Mark S. Miller	no flags	Details
Screenshot of debugger state caught in buggy behavior (496.68 KB, image/png) 2021-03-01 00:54 PST, Mark S. Miller	no flags	Details
Screenshot of debugger state caught in buggy behavior (547.05 KB, image/png) 2021-03-01 00:55 PST, Mark S. Miller	no flags	Details
Screenshot of debugger state caught in buggy behavior (417.72 KB, image/png) 2021-03-01 00:55 PST, Mark S. Miller	no flags	Details
Screenshot of debugger state caught in buggy behavior (435.14 KB, image/png) 2021-03-01 00:56 PST, Mark S. Miller	no flags	Details
Patch (4.67 KB, patch) 2021-03-01 16:44 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
The call to defineProperties (740.04 KB, image/png) 2021-05-07 15:30 PDT, Mark S. Miller	no flags	Details
The call to the setter (691.76 KB, image/png) 2021-05-07 15:33 PDT, Mark S. Miller	no flags	Details
Shows about box and full url (859.02 KB, image/png) 2021-05-07 15:34 PDT, Mark S. Miller	no flags	Details
Snapshot of built package currently use by page (212.98 KB, text/javascript) 2021-05-07 15:39 PDT, Mark S. Miller	no flags	Details
snapshot of html page (1.35 KB, text/html) 2021-05-07 15:40 PDT, Mark S. Miller	no flags	Details
snapshot of demo source used by that page (881 bytes, text/javascript) 2021-05-07 15:42 PDT, Mark S. Miller	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Mark S. Miller

Comment 1 2021-03-01 00:54:28 PST

Created attachment 421791 [details] Screenshot of debugger state caught in buggy behavior

Mark S. Miller

Comment 2 2021-03-01 00:54:53 PST

Created attachment 421792 [details] Screenshot of debugger state caught in buggy behavior

Mark S. Miller

Comment 3 2021-03-01 00:55:18 PST

Created attachment 421793 [details] Screenshot of debugger state caught in buggy behavior

Mark S. Miller

Comment 4 2021-03-01 00:55:45 PST

Created attachment 421794 [details] Screenshot of debugger state caught in buggy behavior

Mark S. Miller

Comment 5 2021-03-01 00:56:07 PST

Created attachment 421795 [details] Screenshot of debugger state caught in buggy behavior

Radar WebKit Bug Importer

Comment 6 2021-03-01 13:46:16 PST

<rdar://problem/74888939>

Yusuke Suzuki

Comment 7 2021-03-01 14:09:39 PST

(In reply to Mark S. Miller from comment #0) > Created attachment 421790 [details] > Screenshot of debugger state caught in buggy behavior > > See https://github.com/Agoric/SES-shim/pull/592 > > The SES Demo console, after previously having worked on Safari Technology > Preview, suddenly started failing with an infinite recursion. This > instrumented variation of the PR in which this started failing catches when > `Object.defineProperties` causes a setter to be called. The > `Object.defineProperties` is attempting to convert > `Array.prototype.toString` from a data property to an accessor property, > after `Object.prototype.toString` has been similarly converted. Violating > the semantics of `defineProperties`, it causes the setter of the > `Object.prototype.toString` accessor property to be called. There follows > some screenshots examining this state from within the debugger. > > This is on Safari Technology Preview > Release 121 (Safari 14.2, WebKit 16612.1.4.3) Thanks for the report! Is there a instruction reproducing this problem?

Mark S. Miller

Comment 8 2021-03-01 15:39:09 PST

> Thanks for the report! Is there a instruction reproducing this problem? Yes. I set aside that PR only for the purpose of demonstrating and reproducing this bug. Do a git clone of the `https://github.com/Agoric/SES-shim/tree/safari-defProps-bug` branch. (The branch corresponding to that PR) cd to packages/ses run any local web browser. I used httpdhere Visit http://localhost:8080/demos/console/ Set the breakpoint shown Refresh the page.

Mark S. Miller

Comment 9 2021-03-01 16:07:18 PST

I omitted a step in my instructions to reproduce. After > cd to packages/ses do a `yarn build` in that directory. You need yarn v1, yes v1, installed. Sorry about that.

Mark S. Miller

Comment 10 2021-03-01 16:09:44 PST

Sigh. Sorry about this. Always hard to remember habits. Before that cd'ing or yarn build, in the root directory of the monorepo, do a `yarn install && yarn build`. Not sure all of that is needed but it is what I've been doing.

Yusuke Suzuki

Comment 11 2021-03-01 16:44:34 PST

Created attachment 421886 [details] Patch

Keith Miller

Comment 12 2021-03-01 16:46:25 PST

Comment on attachment 421886 [details] Patch r=me.

EWS

Comment 13 2021-03-01 18:05:00 PST

Committed r273717: <https://commits.webkit.org/r273717> All reviewed patches have been landed. Closing bug and clearing flags on attachment 421886 [details].

Yusuke Suzuki

Comment 14 2021-03-01 18:33:14 PST

@Mark Thanks! I think the issue is now fixed.

Mark S. Miller

Comment 15 2021-03-01 21:11:10 PST

Awesomely speedy response! I am impressed. Thanks.

Mark S. Miller

Comment 16 2021-05-07 12:57:18 PDT

I have some evidence that this bug happened again under Safari Version 14.1 (16611.1.21.161.3) *in the debugger* with weaker evidence that it did not happen for the same code not under the debugger. Until I know more I'm not reopening. But posting this anyway it case it rings a bell.

Mark S. Miller

Comment 17 2021-05-07 15:26:05 PDT

Yes, the bug is still there in the latest Safari. I now believe that it is intermittent or at least sensitive to conditions I don't understand. But it seems to happen both inside the debugger and normally, so my previous speculation is wrong. I will upload a set of screenshots that make it clear is still happening.

Mark S. Miller

Comment 18 2021-05-07 15:30:03 PDT

Created attachment 428041 [details] The call to defineProperties 1 of 3 To reproduce yourself, visit https://ses-demo.netlify.app/demos/console/ and open the debugger console. You might already see the error message in the console from the page initializing itself. If not, try refreshing. If not, shut down and relaunch the browser. I really have no better formula.

Mark S. Miller

Comment 19 2021-05-07 15:33:09 PDT

Created attachment 428042 [details] The call to the setter At line 5325 is a call to a function named defineProperty. This is actually the defineProperty defined in the first screenshot, which calls defineProperties.

Mark S. Miller

Comment 20 2021-05-07 15:34:34 PDT

Created attachment 428046 [details] Shows about box and full url

Mark S. Miller

Comment 21 2021-05-07 15:36:51 PDT

Since Safari has this bug, I plan to revise our sources to workaround this bug. When I do so, the website at that url will update. So first I'll indicate the current version of out sources.

Mark S. Miller

Comment 22 2021-05-07 15:39:46 PDT

Created attachment 428049 [details] Snapshot of built package currently use by page

Mark S. Miller

Comment 23 2021-05-07 15:40:54 PDT

Created attachment 428050 [details] snapshot of html page

Mark S. Miller

Comment 24 2021-05-07 15:42:49 PDT

Created attachment 428051 [details] snapshot of demo source used by that page

Mark S. Miller

Comment 25 2021-05-07 15:47:44 PDT

https://github.com/endojs/endo/blob/0b289021eee1256c05ceb4d83318165cb6288844/packages/ses/src/enable-property-overrides.js#L87 https://github.com/endojs/endo/blob/0b289021eee1256c05ceb4d83318165cb6288844/packages/ses/src/commons.js#L50 Github permalinks into the actual sources that lockdown.umd.js is built from. These specific links that the infinite recursion ping pongs between.

Mark S. Miller

Comment 26 2021-05-07 15:50:09 PDT

I just now noticed my old reproduction advice at https://bugs.webkit.org/show_bug.cgi?id=222538#c8 I have not tried it, but nothing relevant has changed. I suspect that will also work.

Mark S. Miller

Comment 27 2021-05-07 15:58:48 PDT

Ignore my last statement. The reproduction instructions from #c8 may not work. Relevant things are different. Use the reproduction instructions I gave you today.

Yusuke Suzuki

Comment 28 2021-06-03 00:04:27 PDT

(In reply to Mark S. Miller from comment #27) > Ignore my last statement. The reproduction instructions from #c8 may not > work. Relevant things are different. Use the reproduction instructions I > gave you today. Could you test it on Safari Technology Preview?

Yusuke Suzuki

Comment 29 2021-06-09 21:47:06 PDT

> I have some evidence that this bug happened again under Safari Version 14.1 (16611.1.21.161.3) *in the debugger* with weaker evidence that it did not happen for the same code not under the debugger. Until I know more I'm not reopening. But posting this anyway it case it rings a bell. Safari 14.1 does not include this change. So closing this issue. Please reopen when you reproduced it with Safari Technology Preview :) Thanks!

Note You need to log in before you can comment on or make changes to this bug.