RESOLVED WONTFIX 113735
Web Inspector: Inspector crashes in Debug build when paused inside sort function
https://bugs.webkit.org/show_bug.cgi?id=113735
Peter Rybin
Reported 2013-04-01 17:19:10 PDT
Compile a debug build of Chrome.
Open the inspector of any page and pause on any line.
Open an inspector for the inspector.
Make a step in the first inspector.

Problem: the first inspector crashes with the following stack trace:

#
# Fatal error in v8/src/objects.cc, line 84
# CHECK(IsJSObject()) failed
#

==== C stack trace ===============================

 1: ??
 2: ??
 3: ??
 4: ??
 5: ??

==== JS stack trace =========================================

Security context: 0xd84d9c642e9 <JS Object>#0#
 1: new constructor(aka FrameDetails) [native mirror.js:1374] (this=0x33637de76b01 <a FrameDetails>#1#,a=59,b=2)
 3: new constructor(aka FrameMirror) [native mirror.js:1524] (this=0x33637de76ac9 <a FrameMirror>#2#,a=59,b=2)
 5: frame [native debug.js:970] (this=0x33637de60f19 <an ExecutionState>#3#,a=2)
 6: currentCallFrame [0x215b59104121 <undefined>:209] (this=0xd84d9cee7f1 <an Object>#4#,execState=0x33637de60f19 <an ExecutionState>#3#,args=0x215b59104121 <undefined>)
 7: arguments adaptor frame: 1->2
Security context: 0x3a90d5d292a1 <String[26]: chrome-devtools://devtools>
12: /* anonymous */ [chrome-devtools://devtools/ObjectPropertiesSection.js:132] (this=0x215b5915cef9 <JS Global Object>#5#,propertyA=0x33637de606b9 <JS Object>#6#,propertyB=0x33637de4dd61 <JS Object>#7#)
13: InsertionSort(aka InsertionSort) [native array.js:773] (this=0x215b59104121 <undefined>,g=0x33637de60439 <JS Array[2]>#8#,h=0,i=2)
14: QuickSort(aka QuickSort) [native array.js:802] (this=0x215b59104121 <undefined>,g=0x33637de60439 <JS Array[2]>#8#,h=0,i=2)
15: sort [native array.js:1025] (this=0x33637de60439 <JS Array[2]>#8#,a=0x3f706c11e611 <JS Function>#9#)
16: populateWithProperties [chrome-devtools://devtools/ObjectPropertiesSection.js:475] (this=0x3f706c11e679 <JS Function>#10#,treeElement=0x33637de4ebd9 <a TreeOutline>#11#,properties=0x33637de60439 <JS Array[2]>#8#,internalProperties=0x215b59104121 <undefined>,treeElementConstructor=0x1263e6b230d9 <JS Function>#12#,comparator=0x3f706c11e611 <JS Function>#9#,skipProto=0x215b59104181 <false>,value=0x33637de4e101 <JS Object>#13#)
17: updateProperties [chrome-devtools://devtools/ObjectPropertiesSection.js:111] (this=0x33637de4e151 <JS Object>#14#,properties=0x33637de60439 <JS Array[2]>#8#,internalProp:
Peter Rybin
Comment 1 2013-04-01 17:20:31 PDT
The assert is raised in V8 debugger code when it notices that the internal array sort routine has "undefined" as a global object.
Peter Rybin
Comment 2 2013-07-22 11:29:36 PDT
This was a V8-related issue.