This affects some LayoutTests landed in: <http://trac.webkit.org/changeset/155471> When committing a fix for this, you should remove the workarounds added to these tests, and update their expected results: LayoutTests/inspector-protocol/debugger/setPauseOnExceptions-all.html LayoutTests/inspector-protocol/debugger/setPauseOnExceptions-uncaught.html That also means you don't necessarily have to add a specific test for this fix, since it would be covered by these existing tests!

Created attachment 248504 [details] Patch

By my investigation, if the exception is not truly cleared in VM, it means that exception is thrown to the caller. So, as long as the 'Debugger::m_currentException" is saving the right status of the exception in VM, we can use it to check if it's the same exception sent to debugger.

Excuse me, is here anybody can help to review?

Comment on attachment 248504 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=248504&action=review This seems fine to me. Mark Lam would be a better reviewer. > Source/JavaScriptCore/debugger/Debugger.cpp:158 > + , m_currentException(JSValue()) I don't think this is necessary, since JSValue is a class, the default constructor would get called, and be exactly this. > Source/JavaScriptCore/debugger/Debugger.cpp:633 > + if (m_currentException != JSValue() && m_vm->exception() == JSValue() > + && !m_hasHandlerForExceptionCallback) Likewise these comparison to JSValue(). Can they just be "!foo" since JSCJSValue has operator UnspecifiedBoolType? if (m_currentException && !m_vm->exception() && !m_hasHandlerForExceptionCallback) m_currentException = JSValue(); > Source/JavaScriptCore/debugger/Debugger.cpp:698 > + if (m_isPaused && m_currentException != JSValue()) Likewise, could this just be "&& m_currentException".

Comment on attachment 248504 [details] Patch I agree with Joe's comments in terms of code styling. That said, I'm not convinced that this fix is correct. To get a feel for why this fix is needed, I tried running the tests (with the test changes applied) without the Debugger.cpp changes, and I don't see any failures. Hence, it appears that the original issue that necessitated those FIXMEs in the tests no longer exists. Peter, are you seeing an issue that still manifests without your fix? If so, can you please provide a test that demonstrates that issue?

Thank you for your comments, Joseph and Mark. Let me check it again and update the patch.

Created attachment 248922 [details] A new test case. The patch r164139 (SHA 4cbc701b) has re-implemented "Array.prototype.map" using JS in file "JavaScriptCore/builtins/Array.prototype.js", so, it's not "host function" now. So we have to change the case to use "Map.prototype.forEach" instead.

Created attachment 249100 [details] Patch

Hi Joseph and Mark, the new patch has been uploaded. There 3 modifications included: (1) Change the Layout test case, since the new implementation (SHA 4cbc701b) of "Array.prototype.map" can workaround this bug. (2) Correct the coding problem of the old patch. (3) Take a missed case into consideration: when VM is unwinding CallFrames it will clear the exception temporarily. The root cause of this bug is that the exception, thrown form the JS callback of host function, will be handled twice. So if the 'Debugger::m_currentException' can save the real state of exception of VM, we can use it to justify if it's a same exception triggering the debugger in second time. Please help to review, thank you very much.

Comment on attachment 249100 [details] Patch Attachment 249100 [details] did not pass win-ews (win): Output: http://webkit-queues.appspot.com/results/4629479943045120 Number of test failures exceeded the failure limit.

Created attachment 249126 [details] Archive of layout-test-results from ews206 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews206 Port: win-future Platform: CYGWIN_NT-6.1-WOW64-1.7.20-0.266-5-3-i686-32bit

Comment on attachment 249100 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=249100&action=review Definitely needs Mark to review, since you're changing the Interpreter. > LayoutTests/ChangeLog:8 > + Remove the workarounds in accroding test cases. Typo: "accroding" => "associated"?

(In reply to comment #10) > Hi Joseph and Mark, the new patch has been uploaded. > > There 3 modifications included: > (1) Change the Layout test case, since the new implementation (SHA 4cbc701b) > of "Array.prototype.map" can workaround this bug. > (2) Correct the coding problem of the old patch. > (3) Take a missed case into consideration: when VM is unwinding CallFrames > it will clear the exception temporarily. > > The root cause of this bug is that the exception, thrown form the JS > callback of host function, will be handled twice. So if the > 'Debugger::m_currentException' can save the real state of exception of VM, > we can use it to justify if it's a same exception triggering the debugger in > second time. This information about the root cause is helpful in understanding what is being fixed. It should be included in the ChangeLog. > Please help to review, thank you very much. That said, the change in Debugger::exception() that removes the clearing of m_currentException still doesn’t feel right to me. Let me think about the patch a bit more, and I’ll get back to you with some feedback soon.

Comment on attachment 249100 [details] Patch Thank you for your effort on this patch, but after analyzing the issue, I've concluded that this patch is not appropriate for the following reasons: 1. The patch is complicated and makes the code difficult to understand and reason about. Specifically, I'm referring to all the interaction between Debugger::m_currentException, m_vm->exception(), m_unwindingCallFrame, and m_hasHandlerForExceptionCallback. 2. The patch results in a bug. I wrote a simple test file: <script> function foo(x) { throw "Stuff"; } function goo() { foo(); } goo(); </script> With this patch, the WebInspector with "Break on Uncaught Exceptions" enabled, will only break the first time you reload the webpage. On all subsequent reloads of the webpage, the Inspector will no longer break on the uncaught exception. This is a regression from how ToT works. 3. The ChangeLog is also not clear about what the issue is. I finally understood only after I wrote some more test code and tested ToT against other browsers. The real issue here is that the existing implementation will break once (when "Break on Uncaught Exceptions" is enabled) for every entry / re-entry into the VM. Consider the following stack of calls (where this stack grows down): frame 0: JS function j0() frame 1: JS function j1() frame 2: native C++ function n2() frame 3: JS function j3() frame 4: JS function j4() <==== Uncaught exception thrown here ... and there are no catch clauses in any of those functions. With the existing implementation, the Inspector will break in frame 4 and frame 1. The desired behavior is to only break in frame 4. Now knowing this, this is how I think the fix should be implemented: 1. Change Debugger::exception() to Debugger::beginExceptionHandling(). It should set m_hasHandlerForExceptionCallback and m_currentException but not clear them. 2. Implement a Debugger::endExceptionHandling() which clears m_hasHandlerForExceptionCallback and m_currentException. endExceptionHandling() should be called in 2 places: a. The place where the catch clause is handled. This is the case where the exception is caught and handled, and the Inspector should break on any exceptions thrown after this. b. When the Interpreter exits the outer most VMEntryScope. This is the case where the exception is unhandled, and we've unwound out of all JS code. The Inspector should also break on any exceptions thrown in new JS code executed after this. 3. Implement some way to prevent the Interpreter from calling beginExceptionHandling() again if the debugger is already in the process of handling an exception. One way is to add a isHandlingException() query to Debugger like so: bool isHandlingException() const { return !!m_currentException; } ... and add that in Interpreter::unwind() as one of the conditions for allowing debugger->beginExceptionHandling() to be called. Because we're changing how long m_currentException is set, there might be assertions in Debugger that needs to be updated. I would do some more testing with a debug build. At minimum: 1. run all inspector layout tests with a debug build. 2. manually use the debug build Inspector to debug some JS code (which throw exceptions, uncaught and caught) to make sure everything is working as expected and nothing broke. Part 2 above may be a little more challenging for someone who is not familiar with the VM, but some grepping and debugging should get you there. If not, I can take a look into implementing the fix myself some time this weekend.

This issue turns out to be only 1 symptom of deeper issue. I’m working on a fix for the general issue. Fix coming soon.

The exceptions re-work in https://bugs.webkit.org/show_bug.cgi?id=145525 includes the fix for this issue (among a few other things). Hence, I'll close this one as a dup. *** This bug has been marked as a duplicate of bug 145525 ***