Bug 61758

Summary: Freezing a function and its prototype causes browser to crash.
Product: WebKit Reporter: Mark S. Miller <erights>
Component: JavaScriptCoreAssignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED    
Severity: Major CC: ademar, oliver
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.5   
Attachments:
Description Flags
Crash log attached as requested
none
Patch ggaren: review+

Mark S. Miller
Reported 2011-05-30 21:09:11 PDT
On Version 5.0.5 (5533.21.1, r87697), in a squarefree shell (but consistent with other behavior I've seen), I type in: function foo(){} Object.freeze(foo); Object.freeze(foo.prototype); I then get a beach ball for a short while only over that Safari, and then that Safari crashes. For the sake of isolating this, I tried rebooting and launching a fresh Safari. Same symptoms.
Attachments
Crash log attached as requested (34.70 KB, text/plain)
2011-05-31 17:09 PDT, Mark S. Miller 		no flags
Details
Patch (8.73 KB, patch)
2011-05-31 18:25 PDT, Oliver Hunt 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2011-05-31 15:52:39 PDT
Could you please attach a crash log <http://www.webkit.org/quality/crashlogs.html>?
Mark S. Miller
Comment 2 2011-05-31 17:09:27 PDT
Created attachment 95514 [details] Crash log attached as requested After WebKit nightly crashed, I did not get a CrashReporter window. So I followed the instructions at http://www.webkit.org/quality/crashlogs.html as requested to find the attached crash log.
Oliver Hunt
Comment 3 2011-05-31 18:25:43 PDT
Created attachment 95527 [details] Patch
Geoffrey Garen
Comment 4 2011-06-01 11:05:10 PDT
Comment on attachment 95527 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=95527&action=review r=me > Source/JavaScriptCore/runtime/JSFunction.cpp:193 > + createPrototypeProperty(globalData, scope()->globalObject.get(), this); It's kind of a shame that "no new properties" actually means "create a lot of properties right now, and none later". In the future, I think it would be nice to still allow host objects to lazily instantiate their properties, even though we forbid user extension of the object. > Source/JavaScriptCore/runtime/JSObject.cpp:520 > + if (isExtensible()) > + preventExtensions(globalData); > setStructure(globalData, Structure::sealTransition(globalData, m_structure.get())); > } > > void JSObject::freeze(JSGlobalData& globalData) > { > + if (isExtensible()) > + preventExtensions(globalData); Instead of checking isExtensible() (which preventExtensions already does for us), I think we should check isSealed() and isFrozen() in each function, respectively, and skip the whole operation if it's been done already.
Oliver Hunt
Comment 5 2011-06-01 11:08:34 PDT
Committed r87826: <http://trac.webkit.org/changeset/87826>
Ademar Reis
Comment 6 2011-06-01 12:34:35 PDT
Revision r87826 cherry-picked into qtwebkit-2.2 with commit 638ed3d <http://gitorious.org/webkit/qtwebkit/commit/638ed3d>
Note You need to log in before you can comment on or make changes to this bug.