Bug 61758

Summary:

Freezing a function and its prototype causes browser to crash.

Product:

WebKit

Reporter:

Mark S. Miller <erights>

Component:

JavaScriptCore

Assignee:

Oliver Hunt <oliver>

Status:

RESOLVED FIXED

Severity:

Major

CC:

ademar, oliver

Priority:

Version:

528+ (Nightly build)

Hardware:

Mac (Intel)

OS:

OS X 10.5

Attachments:

Description	Flags
Crash log attached as requested	none
Patch	ggaren: review+

Description Mark S. Miller 2011-05-30 21:09:11 PDT

On Version 5.0.5 (5533.21.1, r87697), in a squarefree shell (but consistent with other behavior I've seen), I type in:

function foo(){}
Object.freeze(foo);
Object.freeze(foo.prototype);

I then get a beach ball for a short while only over that Safari, and then that Safari crashes. For the sake of isolating this, I tried rebooting and launching a fresh Safari. Same symptoms.

Comment 1 Alexey Proskuryakov 2011-05-31 15:52:39 PDT

Could you please attach a crash log <http://www.webkit.org/quality/crashlogs.html>?

Comment 2 Mark S. Miller 2011-05-31 17:09:27 PDT

Created attachment 95514 [details]
Crash log attached as requested

After WebKit nightly crashed, I did not get a CrashReporter window. So I followed the instructions at http://www.webkit.org/quality/crashlogs.html as requested to find the attached crash log.

Comment 3 Oliver Hunt 2011-05-31 18:25:43 PDT

Created attachment 95527 [details]
Patch

Comment 4 Geoffrey Garen 2011-06-01 11:05:10 PDT

Comment on attachment 95527 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=95527&action=review

r=me

> Source/JavaScriptCore/runtime/JSFunction.cpp:193
> +    createPrototypeProperty(globalData, scope()->globalObject.get(), this);

It's kind of a shame that "no new properties" actually means "create a lot of properties right now, and none later". In the future, I think it would be nice to still allow host objects to lazily instantiate their properties, even though we forbid user extension of the object.

> Source/JavaScriptCore/runtime/JSObject.cpp:520
> +    if (isExtensible())
> +        preventExtensions(globalData);
>      setStructure(globalData, Structure::sealTransition(globalData, m_structure.get()));
>  }
>  
>  void JSObject::freeze(JSGlobalData& globalData)
>  {
> +    if (isExtensible())
> +        preventExtensions(globalData);

Instead of checking isExtensible() (which preventExtensions already does for us), I think we should check isSealed() and isFrozen() in each function, respectively, and skip the whole operation if it's been done already.

Comment 5 Oliver Hunt 2011-06-01 11:08:34 PDT

Committed r87826: <http://trac.webkit.org/changeset/87826>

Comment 6 Ademar Reis 2011-06-01 12:34:35 PDT

Revision r87826 cherry-picked into qtwebkit-2.2 with commit 638ed3d <http://gitorious.org/webkit/qtwebkit/commit/638ed3d>