Bug 25917

Summary: REGRESSION (r43559?): Javascript debugger crashes when pausing page
Product: WebKit Reporter: Johan Bergström <bugs>
Component: Web Inspector (Deprecated)    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: mrowe, oliver, zwarich
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments: crash log (no flags)

Johan Bergström
Reported 2009-05-21 01:26:57 PDT
I've been able to reproduce a crash in the js debugger by:
1: Visiting a pastebin such as this http://pastebin.com/f1e0717d9 (will expire June 21st '09)
2: Hit develop -> start debugging javascript
3: Pause and/or reload page
The crash occurred instantly the first time, but while trying to reproduce I got mixed results, having to toggle / reload a time or two. Crash log attached
Attachments
crash log (32.72 KB, text/plain)
2009-05-21 01:28 PDT, Johan Bergström
no flags
Johan Bergström
Comment 1 2009-05-21 01:28:16 PDT
Created attachment 30528 [details] crash log
Mark Rowe (bdash)
Comment 2 2009-05-21 01:30:12 PDT
I can easily reproduce this as well. We're crashing inside a call to JSValue::isObject due to the JSValue's pointer being 0.
Mark Rowe (bdash)
Comment 3 2009-05-21 01:30:26 PDT
Cameron Zwarich (cpst)
Comment 4 2009-05-21 02:56:47 PDT
This is almost surely caused by r43559: <http://trac.webkit.org/changeset/43559> GDB says that it is getting a property named 'arguments' from a register slot and ending up with a null value, which is very similar to <http://trac.webkit.org/changeset/43603> and <http://trac.webkit.org/changeset/43606>.
Cameron Zwarich (cpst)
Comment 5 2009-05-21 03:36:31 PDT
The problem is in this code in JSActivation::getOwnPropertySlot():

    if (symbolTableGet(propertyName, slot))
        return true;

    if (JSValue* location = getDirectLocation(propertyName)) {
        slot.setValueSlot(location);
        return true;
    }

    // Only return the built-in arguments object if it wasn't overridden above.
    if (propertyName == exec->propertyNames().arguments) {
        slot.setCustom(this, getArgumentsGetter());
        return true;
    }

The first check in the symbol table needs to be modified to account for lazy arguments creation.
Cameron Zwarich (cpst)
Comment 6 2009-05-21 03:50:52 PDT
I am not sure of the right way to fix this. You don't want to call out to Interpreter::retrieveArguments() every time, and you don't even have the function in JSActivation to pass to retrieveArguments().
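The lookup order discussed in comments 5 and 6, modelled as an added C++ example that is not WebKit's code and not the r43976 fix: the toy JSValue, the Activation layout and the reordered "fixed" lookup are all assumptions, and a null JSValue* stands in for the empty register slot that comment 2 describes.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Toy stand-in for JSC's JSValue; a null JSValue* models the empty register
// slot whose isObject() call crashed the debugger (hypothetical model).
struct JSValue { int id; };
// Constructed activation: 'arguments' has a symbol-table entry, but its
// register stays empty until the Arguments object is lazily created.
struct Activation {
    std::map<std::string, std::size_t> symbolTable;  // identifier -> register
    std::vector<JSValue*> registers;                 // nullptr until written
    JSValue argumentsObject{42};  // what lazy creation would produce
    std::size_t argumentsRegister = 0;
};
Activation makeActivation() {
    static JSValue localX{7};
    Activation a;
    a.registers.assign(2, nullptr);
    a.symbolTable["arguments"] = 0;  // slot exists, holds no value yet
    a.symbolTable["x"] = 1;
    a.registers[1] = &localX;
    return a;
}

// Lookup order from comment 5: the symbol table wins, so 'arguments' yields
// the empty register and the custom getter below is never reached.
JSValue* lookupBuggy(Activation& a, const std::string& name) {
    auto it = a.symbolTable.find(name);
    if (it != a.symbolTable.end())
        return a.registers[it->second];  // nullptr for 'arguments'
    if (name == "arguments")
        return &a.argumentsObject;
    return nullptr;  // property absent
}

// One possible modification (an assumption, not r43976): resolve 'arguments'
// through a getter that creates the object on demand before the generic check.
JSValue* lookupFixed(Activation& a, const std::string& name) {
    if (name == "arguments") {
        JSValue*& slot = a.registers[a.argumentsRegister];
        if (!slot)
            slot = &a.argumentsObject;  // lazy creation on first access
        return slot;
    }
    auto it = a.symbolTable.find(name);
    return it != a.symbolTable.end() ? a.registers[it->second] : nullptr;
}
```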
Mark Rowe (bdash)
Comment 7 2009-05-21 12:57:43 PDT
Fixed in r43976.