Bug 127508 - REGRESSION: crash when evaluating JavaScript expression in breakpoint action
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL: http://www.nihilogic.dk/labs/tetris/
Keywords: InRadar
Depends on:
Blocks: 127117
Reported: 2014-01-23 13:30 PST by Blaze Burg
Modified: 2014-01-24 21:08 PST

Attachments
stack trace and dump (64.36 KB, application/octet-stream)
2014-01-24 12:19 PST, Blaze Burg

Description Blaze Burg 2014-01-23 13:30:10 PST
Steps to reproduce:

1. Set a breakpoint in the linked page, on tetris.js:95.
2. Edit the breakpoint and add the action "Evaluate Script" with expression = "e" (or anything)
3. Press a key in the game

This will crash inside ScriptDebugServer::evaluateBreakpointAction(), in the call to evaluate the expression. This seems to be a recent regression; perhaps the call frame is getting stale somehow.

This blocks further upstreaming of probes backend and UI, since it leaves no way to test probes functionality (which evaluates expressions using the same evaluation code).
Comment 1 Radar WebKit Bug Importer 2014-01-23 13:34:51 PST
<rdar://problem/15895535>
Comment 2 Timothy Hatcher 2014-01-23 19:41:52 PST
Is it because the action is throwing an exception?
Comment 3 Blaze Burg 2014-01-24 09:55:26 PST
As far as I can tell, no. Even evaluating a local variable causes it to crash for me. Could you try to reproduce?
Comment 4 Blaze Burg 2014-01-24 12:19:27 PST
Created attachment 222136
stack trace and dump
Comment 5 Mark Lam 2014-01-24 18:59:10 PST
I've reproduced the issue.  There are 2 issues at play here:

1. When I enter the expression "e" into the "Evaluate Script" text box, I see auto completion which suggested "else" as the text that I might want to enter.  I click outside the text box, and this rejects the auto complete suggestion as far as what is shown to me.

    However, later on, when I press a key and trigger the breakpoint, the expression gets passed to DebuggerCallFrame::evaluateWithCallFrame() to be evaluated.  There, I see that the script string passed in is "else", not "e".  That means the inspector UI lied when it told me that the script to eval is "e".

    Given this bad script, …
 
2. DebuggerCallFrame::evaluateWithCallFrame() fails to create an executable for it.  An exception is thrown.  However, DebuggerCallFrame::evaluateWithCallFrame() clears the exception in the VM, and proceeds to attempt to execute the null executable.  This results in a crash.

I've filed <https://webkit.org/b/127600> to track the second issue.  I'll leave this bug to track the Inspector UI issue.
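
The second issue in comment 5 (an exception is cleared and a null executable is then executed), shown as an added C++ example that is not WebKit code and not part of the thread. `ToyVM`, `Executable`, `compile`, `run` and both `evaluate*` functions are hypothetical stand-ins, and the checked variant is one possible ordering, not the change that landed in bug 127600.

```cpp
#include <memory>
#include <string>

// Toy stand-ins for illustration; these are not JavaScriptCore types.
struct Executable { std::string source; };
struct ToyVM { std::string exception; };  // empty string = no pending exception

enum class Outcome { Evaluated, Rejected, NullExecutableUsed };
struct Result { Outcome outcome; std::string value; std::string error; };

// Constructed compiler: a lone keyword such as "else" is not a valid program,
// so no executable is produced and an exception is left pending on the VM.
std::unique_ptr<Executable> compile(ToyVM& vm, const std::string& script) {
    if (script == "else") {
        vm.exception = "SyntaxError: unexpected keyword 'else'";
        return nullptr;
    }
    return std::unique_ptr<Executable>(new Executable{script});
}

std::string run(const Executable& exec) { return "value of " + exec.source; }

// Ordering described in comment 5: the exception is cleared and execution
// proceeds anyway. The null use is reported instead of dereferenced so the
// example stays runnable.
Result evaluateUnchecked(ToyVM& vm, const std::string& script) {
    std::unique_ptr<Executable> exec = compile(vm, script);
    vm.exception.clear();  // the only record of the failure is discarded
    if (!exec)
        return {Outcome::NullExecutableUsed, "", ""};  // crash site in real code
    return {Outcome::Evaluated, run(*exec), ""};
}

// Checked ordering: test the compile result first, capture the error for the
// caller, then clear the VM state and return without executing anything.
Result evaluateChecked(ToyVM& vm, const std::string& script) {
    std::unique_ptr<Executable> exec = compile(vm, script);
    if (!exec) {
        std::string error = vm.exception;
        vm.exception.clear();
        return {Outcome::Rejected, "", error};
    }
    return {Outcome::Evaluated, run(*exec), ""};
}
```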
Comment 6 Mark Lam 2014-01-24 19:13:57 PST
<https://webkit.org/b/127600> has been fixed, and I no longer see any crash with the steps provided in this bug.  If you're still seeing a crash, please let me know the new steps to reproduce it.  Thanks.
Comment 7 Timothy Hatcher 2014-01-24 21:08:03 PST
Let's file a new bug about the editor confusion.