Bug 83108

Summary: Web Inspector: JSC Crash inspecting node with object event listener
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: Web Inspector (Deprecated)Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: apavlov, bweinstein, dglazkov, ggaren, joepeck, keishi, loislo, oliver, pfeldman, pmuellr, rik, timothy, webkit.review.bot, yurys
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
[REDUCTION] Test Case
none
[PATCH] Proposed Fix
ggaren: review-, joepeck: commit-queue-
[PATCH] Proposed Fix
ggaren: review+, webkit.review.bot: commit-queue-
Archive of layout-test-results from ec2-cr-linux-04 none

Joseph Pecoraro
Reported 2012-04-03 19:53:26 PDT
Created attachment 135490 [details] [REDUCTION] Test Case CRASH inspecting body of this page (attachment): <p>Inspect Body and you will Crash</p> <script> function Foo() { document.body.addEventListener("click", this, true); } new Foo(); </script> Backtrace: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore WebCore::eventListenerHandlerLocation(WebCore::Document*, WebCore::EventListener*, WTF::String&, int&) + 128 1 com.apple.WebCore WebCore::InspectorDOMAgent::buildObjectForEventListener(WebCore::RegisteredEventListener const&, WTF::AtomicString const&, WebCore::Node*) + 373 2 com.apple.WebCore WebCore::InspectorDOMAgent::getEventListenersForNode(WTF::String*, int, WTF::RefPtr<WebCore::TypeBuilder::Array<WebCore::TypeBuilder::DOM::EventListener> >&) + 286 3 com.apple.WebCore WebCore::InspectorBackendDispatcherImpl::DOM_getEventListenersForNode(long, WebCore::InspectorObject*) + 393 4 com.apple.WebCore WebCore::InspectorBackendDispatcherImpl::dispatch(WTF::String const&) + 2131 5 com.apple.WebCore WebCore::InspectorBackendDispatchTask::onTimer(WebCore::Timer<WebCore::InspectorBackendDispatchTask>*) + 73 6 com.apple.WebCore WebCore::ThreadTimers::sharedTimerFiredInternal() + 148 7 com.apple.WebCore _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 51
Attachments
[REDUCTION] Test Case (141 bytes, text/html)
2012-04-03 19:53 PDT, Joseph Pecoraro 		no flags
Details
[PATCH] Proposed Fix (3.47 KB, patch)
2012-04-03 19:59 PDT, Joseph Pecoraro 		ggaren: review-
joepeck: commit-queue-
DetailsFormatted DiffDiff
[PATCH] Proposed Fix (3.88 KB, patch)
2012-04-03 20:36 PDT, Joseph Pecoraro 		ggaren: review+
webkit.review.bot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ec2-cr-linux-04 (6.44 MB, application/zip)
2012-04-04 00:00 PDT, WebKit Review Bot 		no flags
Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Joseph Pecoraro
Comment 1 2012-04-03 19:53:34 PDT
<rdar://problem/11147318>
Joseph Pecoraro
Comment 2 2012-04-03 19:59:13 PDT
Created attachment 135493 [details] [PATCH] Proposed Fix I should probably add an isFunction() check to JSObject.h instead of adding this code in WebCore/bindings/js so cq-. But I'll see how the bots do with this.
Joseph Pecoraro
Comment 3 2012-04-03 20:00:20 PDT
Comment on attachment 135493 [details] [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=135493&action=review > LayoutTests/inspector/elements/event-listener-sidebar.html:27 > + function ObjectHandler() { document.addEventListener("click", this, true); } > + ObjectHandler.prototype.toString = function() { return "ObjectHandler"; } > + new ObjectHandler(); Oops, I forgot to git add the new results! I'm making a new patch now.
Geoffrey Garen
Comment 4 2012-04-03 20:11:34 PDT
Comment on attachment 135493 [details] [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=135493&action=review > Source/WebCore/bindings/js/ScriptEventListener.cpp:-103 > - JSLock lock(SilenceAssertionsOnly); Why did you remove this lock? > Source/WebCore/bindings/js/ScriptEventListener.cpp:125 > + if (!isJSFunction(jsObject)) No need to check isJSFunction. jsCast<T> will return 0 if the cast fails.
Geoffrey Garen
Comment 5 2012-04-03 20:16:07 PDT
> No need to check isJSFunction. jsCast<T> will return 0 if the cast fails. Sorry, I meant to say "jsDynamicCast". That's the best thing to use here.
Joseph Pecoraro
Comment 6 2012-04-03 20:22:48 PDT
(In reply to comment #5) > > No need to check isJSFunction. jsCast<T> will return 0 if the cast fails. > > Sorry, I meant to say "jsDynamicCast". That's the best thing to use here. Oh awesome!
Joseph Pecoraro
Comment 7 2012-04-03 20:36:17 PDT
Created attachment 135501 [details] [PATCH] Proposed Fix - Keep JSLock and add one for the same reason (possible allocations under jsFunction) to eventListenerHandlerLocation. - Switch to jsDynamicCast. - Include updated LayoutTest results
Geoffrey Garen
Comment 8 2012-04-03 20:56:14 PDT
Comment on attachment 135501 [details] [PATCH] Proposed Fix r=me
WebKit Review Bot
Comment 9 2012-04-04 00:00:03 PDT
Comment on attachment 135501 [details] [PATCH] Proposed Fix Attachment 135501 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/12320670 New failing tests: inspector/elements/event-listener-sidebar.html
WebKit Review Bot
Comment 10 2012-04-04 00:00:10 PDT
Created attachment 135524 [details] Archive of layout-test-results from ec2-cr-linux-04 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: ec2-cr-linux-04 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
Joseph Pecoraro
Comment 11 2012-04-04 10:42:13 PDT
(In reply to comment #10) > The attached test failures were seen while running run-webkit-tests on the chromium-ews. I had to update the chromium expected results at: LayoutTests/platform/chromium/inspector/elements/event-listener-sidebar-expected.txt I took the expected results from the EWS bots, and they look correct.
Joseph Pecoraro
Comment 12 2012-04-04 11:43:26 PDT
Landed in r113220 <http://trac.webkit.org/changeset/113220>.
Note You need to log in before you can comment on or make changes to this bug.