Bug 83353

Summary: [Chromium] Web Inspector: getEventListeners(window) crashes on NTP
Product: WebKit Reporter: Yury Semikhatsky <yurys>
Component: Web Inspector (Deprecated)    Assignee: Andrey Kosyakov <caseq>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, apavlov, bweinstein, haraken, japhet, joepeck, keishi, loislo, pfeldman, pmuellr, rik, timothy, webkit.review.bot, yurys
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments: Patch (flags: pfeldman: review+)

Description Yury Semikhatsky 2012-04-06 00:52:54 PDT
1. Open DevTools on the new tab page
2. Type getEventListeners(window) in the console

Result: inspected page crashes.
Comment 1 Yury Semikhatsky 2012-04-06 01:12:48 PDT
#
# Fatal error in ../../v8/src/objects-inl.h, line 1484
# CHECK(index < GetInternalFieldCount() && index >= 0) failed
#


==== Stack trace ============================================

Security context: 0xd2f79e1f631 <String[15]: chrome://newtab>
    1: getEventListeners [0x9090fb04121 <undefined>:690] (this=0x39c191f29b41 <a CommandLineAPIImpl>#0#,node=0x9090fb6bff1 <JS Global Object>#1#)
    3: getEventListeners(aka bound) [0x9090fb04121 <undefined>:37] (this=0x39c191f414d1 <a CommandLineAPI>#2#)
    4: arguments adaptor frame: 1->0
    5: /* anonymous */ [0x9090fb04121 <undefined>:2] (this=0x9090fb6bff1 <JS Global Object>#1#)
    6: eval [native v8natives.js:170] (this=0x9090fb6bff1 <JS Global Object>#1#,a=0x39c191f477f1 <String[103]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(window)\n}>)
    7: _evaluateOn [0x9090fb04121 <undefined>:343] (this=0x39c191f27b31 <JS Object>#3#,evalFunction=0x9090fb68bc9 <JS Function eval>#4#,object=0x9090fb6bff1 <JS Global Object>#1#,expression=0x39c191f477f1 <String[103]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(window)\n}>,isEvalOnCallFrame=0x9090fb04181 <false>,injectCommandLineAPI=0x9090fb04161 <true>)
    8: _evaluateAndWrap [0x9090fb04121 <undefined>:316] (this=0x39c191f27b31 <JS Object>#3#,evalFunction=0x9090fb68bc9 <JS Function eval>#4#,object=0x9090fb6bff1 <JS Global Object>#1#,expression=0x39c191f40b99 <String[25]: getEventListeners(window)>,objectGroup=0x39c191f29d09 <String[7]: console>,isEvalOnCallFrame=0x9090fb04181 <false>,injectCommandLineAPI=0x9090fb04161 <true>,returnByValue=0x9090fb04181 <false>)
    9: evaluate [0x9090fb04121 <undefined>:267] (this=0x39c191f27b31 <JS Object>#3#,expression=0x39c191f40b99 <String[25]: getEventListeners(window)>,objectGroup=0x39c191f29d09 <String[7]: console>,injectCommandLineAPI=0x9090fb04161 <true>,returnByValue=0x9090fb04181 <false>)

==== Details ================================================

[1]: getEventListeners [0x9090fb04121 <undefined>:690] (this=0x39c191f29b41 <a CommandLineAPIImpl>#0#,node=0x9090fb6bff1 <JS Global Object>#1#) {
  // expression stack (top to bottom)
  [02] : 0x32bf1960fe19 <JS Function getEventListeners>#5#
  [01] : 0x9090fb6bff1 <JS Global Object>#1#
  [00] : 0x39c191f1fbd9 <an InjectedScriptHost>#6#
--------- s o u r c e   c o d e ---------
function (node)
    {
        return InjectedScriptHost.getEventListeners(node);
    }
-----------------------------------------
}

[3]: getEventListeners(aka bound) [0x9090fb04121 <undefined>:37] (this=0x39c191f414d1 <a CommandLineAPI>#2#) {
  // stack-allocated locals
  var arguments = 0x39c191f47f11 <an Arguments>#7#
  // expression stack (top to bottom)
  [03] : 0x39c191f47f89 <JS Array[1]>#8#
  [02] : 0x39c191f29b41 <a CommandLineAPIImpl>#0#
  [01] : 0x39c191f29841 <JS Function>#9#
--------- s o u r c e   c o d e ---------
function bound()
    {
        return func.apply(thisObject, args.concat(Array.prototype.slice.call(arguments, 0)));
    }
-----------------------------------------
}

[4]: arguments adaptor frame: 1->0 {
  // actual arguments
  [00] : 0x9090fb6bff1 <JS Global Object>#1#  // not passed to callee
}

[5]: /* anonymous */ [0x9090fb04121 <undefined>:2] (this=0x9090fb6bff1 <JS Global Object>#1#) {
  // stack-allocated locals
  var .result = 0x9090fb04121 <undefined>
  // expression stack (top to bottom)
  [03] : 0x9090fb6bff1 <JS Global Object>#1#
  [02] : 0x39c191f414d1 <a CommandLineAPI>#2#
  [01] : 0x39c191f43eb1 <JS Function bound>#10#
--------- s o u r c e   c o d e ---------
with ((window && window.console && window.console._commandLineAPI) || {}) {
getEventListeners(window)
}
-----------------------------------------
}

[6]: eval [native v8natives.js:170] (this=0x9090fb6bff1 <JS Global Object>#1#,a=0x39c191f477f1 <String[103]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(window)\n}>) {
  // stack-allocated locals
  var b = 0x9090fb6bff1 <JS Global Object>#1#
  var d = 0x39c191f47e79 <JS Function>#11#
  var c = 0x9090fb04181 <false>
  // expression stack (top to bottom)
  [03] : 0x9090fb6bff1 <JS Global Object>#1#
--------- s o u r c e   c o d e ---------
function eval(a){
if(!(typeof(a)==='string'))return a;

var b=%GlobalReceiver(global);
var c=(global===b);

if(c){
throw new $EvalError('The "this" value passed to eval must '+
'be the global object from which eval originated');
}

var d=%CompileString(a);
if(!(%_IsFunction(d)))return d;

return %_CallFunct...

-----------------------------------------
}

[7]: _evaluateOn [0x9090fb04121 <undefined>:343] (this=0x39c191f27b31 <JS Object>#3#,evalFunction=0x9090fb68bc9 <JS Function eval>#4#,object=0x9090fb6bff1 <JS Global Object>#1#,expression=0x39c191f477f1 <String[103]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(window)\n}>,isEvalOnCallFrame=0x9090fb04181 <false>,injectCommandLineAPI=0x9090fb04161 <true>) {
  // expression stack (top to bottom)
  [06] : 0x39c191f477f1 <String[103]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(window)\n}>
  [05] : 0x9090fb6bff1 <JS Global Object>#1#
--------- s o u r c e   c o d e ---------
function (evalFunction, object, expression, isEvalOnCallFrame, injectCommandLineAPI)
    {
        // Only install command line api object for the time of evaluation.
        // Surround the expression in with statements to inject our command line API so that
        // the window object properties still tak...

-----------------------------------------
}

[8]: _evaluateAndWrap [0x9090fb04121 <undefined>:316] (this=0x39c191f27b31 <JS Object>#3#,evalFunction=0x9090fb68bc9 <JS Function eval>#4#,object=0x9090fb6bff1 <JS Global Object>#1#,expression=0x39c191f40b99 <String[25]: getEventListeners(window)>,objectGroup=0x39c191f29d09 <String[7]: console>,isEvalOnCallFrame=0x9090fb04181 <false>,injectCommandLineAPI=0x9090fb04161 <true>,returnByValue=0x9090fb04181 <false>) {
  // expression stack (top to bottom)
  [12] : 0x9090fb04161 <true>
  [11] : 0x9090fb04181 <false>
  [10] : 0x39c191f477f1 <String[103]\: with ((window && window.console && window.console._commandLineAPI) || {}) {\ngetEventListeners(window)\n}>
  [09] : 0x9090fb6bff1 <JS Global Object>#1#
  [08] : 0x9090fb68bc9 <JS Function eval>#4#
  [07] : 0x39c191f27b31 <JS Object>#3#
  [06] : 0x39c191f27b31 <JS Object>#3#
  [05] : 0x39c191f41489 <an Object>#12#
--------- s o u r c e   c o d e ---------
function (evalFunction, object, expression, objectGroup, isEvalOnCallFrame, injectCommandLineAPI, returnByValue)
    {
        try {
            return { wasThrown: false,
                     result: this._wrapObject(this._evaluateOn(evalFunction, object, expression, isEvalOnCallFrame, injectCommandLineAPI)...

-----------------------------------------
}

[9]: evaluate [0x9090fb04121 <undefined>:267] (this=0x39c191f27b31 <JS Object>#3#,expression=0x39c191f40b99 <String[25]: getEventListeners(window)>,objectGroup=0x39c191f29d09 <String[7]: console>,injectCommandLineAPI=0x9090fb04161 <true>,returnByValue=0x9090fb04181 <false>) {
  // expression stack (top to bottom)
  [07] : 0x9090fb04181 <false>
  [06] : 0x9090fb04161 <true>
  [05] : 0x9090fb04181 <false>
  [04] : 0x39c191f29d09 <String[7]: console>
  [03] : 0x39c191f40b99 <String[25]: getEventListeners(window)>
  [02] : 0x9090fb6bff1 <JS Global Object>#1#
  [01] : 0x9090fb68bc9 <JS Function eval>#4#
  [00] : 0x39c191f27b31 <JS Object>#3#
--------- s o u r c e   c o d e ---------
function (expression, objectGroup, injectCommandLineAPI, returnByValue)
    {
        return this._evaluateAndWrap(inspectedWindow.eval, inspectedWindow, expression, objectGroup, false, injectCommandLineAPI, returnByValue);
    }
-----------------------------------------
}

=====================
Comment 2 Yury Semikhatsky 2012-04-06 01:15:50 PDT
(In reply to comment #1)
> #
> # Fatal error in ../../v8/src/objects-inl.h, line 1484
> # CHECK(index < GetInternalFieldCount() && index >= 0) failed
> #
It is on Chromium r130915.
Comment 3 Yury Semikhatsky 2012-04-06 01:45:56 PDT
(In reply to comment #2)
> It is on Chromium r130915.
Also reproducible on tip-of-tree Chromium (r131113).
Comment 4 Andrey Kosyakov 2012-04-06 04:50:12 PDT
Created attachment 136002 [details]
Patch
Comment 5 Pavel Feldman 2012-04-06 04:59:38 PDT
Comment on attachment 136002 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=136002&action=review

> Source/WebCore/bindings/v8/custom/V8InjectedScriptHostCustom.cpp:222
> +    if (!value->IsObject() || !V8Node::HasInstance(value->ToObject()))
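Review bot: `V8Node::HasInstance` already accepts the value handle, so the `value->ToObject()` cast on this line is unnecessary; `!V8Node::HasInstance(value)` is enough. The guard itself is the right shape for this report: rejecting a non-Node argument (here the global object passed by `getEventListeners(window)`) before any wrapper internal-field access is what prevents the `CHECK(index < GetInternalFieldCount() && index >= 0)` failure from comment 1, and the two repro steps in the description are directly usable as the regression test.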

HasInstance receives value, no need to cast.
Comment 6 Andrey Kosyakov 2012-04-06 05:07:46 PDT
Committed r113426: <http://trac.webkit.org/changeset/113426>