RESOLVED FIXED 141396
Web Inspector: CRASH when debugger pauses inside a Promise handler 
https://bugs.webkit.org/show_bug.cgi?id=141396
Summary Web Inspector: CRASH when debugger pauses inside a Promise handler
Brian Burg
Reported 2015-02-09 12:05:16 PST
Test case: var p = new Promise(function(resolve, reject) { debugger; })
Attachments
crash log (76.32 KB, text/plain)
2015-02-09 12:08 PST, Brian Burg 		no flags
Details
Fix with a basic test. I'll likely increase the test coverage. (4.08 KB, patch)
2015-02-25 17:03 PST, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Patch (7.15 KB, patch)
2015-02-25 18:15 PST, Michael Saboff 		mark.lam: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2015-02-09 12:05:50 PST
<rdar://problem/19769491>
Brian Burg
Comment 2 2015-02-09 12:08:10 PST
Created attachment 246281 [details] crash log
Mark Lam
Comment 3 2015-02-09 17:28:11 PST
The JS call stack at the time the debugger breaks: frame 0x7fff5af1aca0 { name '' sourceURL 'file:///Volumes/Data/ws1/OpenSource/brrian-test.js' isInlinedFrame 0 callee 0x11cbd8930 returnPC 0x10f466e29 callerFrame 0x7fff5af1b560 rawLocationBits 25 0x19 codeBlock 0x11b772960 bytecodeOffset 25 0x19 / 32 line 2 column 5 jitType 2 <InterpreterThunk> isOptimizingJIT 0 hasCodeOrigins 0 } frame 0x7fff5af1b560 { name 'Promise' sourceURL '[native code]' isInlinedFrame 0 callee 0x11cbaf790 returnPC 0x0 callerFrame 0x7fff5af1b5d0 rawLocationBits 32767 0x7fff codeBlock 0x0 } frame 0x7fff5af1b5d0 { name 'global code' sourceURL 'file:///Volumes/Data/ws1/OpenSource/brrian-test.js' isInlinedFrame 0 callee 0x11cbaf5f0 returnPC 0x10f466e29 callerFrame 0x0 rawLocationBits 43 0x2b codeBlock 0x11b772708 bytecodeOffset 43 0x2b / 66 line 1 column 20 jitType 2 <InterpreterThunk> isOptimizingJIT 0 hasCodeOrigins 0 } The crash is due to an assertion when the DebuggerCallFrame tries to get the callee scope of the 2nd frame (“Promise” constructor). The DebuggerCallFrame does so by jsCast’ing the callee to a JSCallee and invoking its scope() method. However, the Promise constructor is an InternalFunction which does not inherit from JSCallee. Hence, the assertion failure.
Mark Lam
Comment 4 2015-02-09 17:39:25 PST
See also https://bugs.webkit.org/show_bug.cgi?id=139167 which concluded that InternalFunctions shouldn’t be JSCallees.
Michael Saboff
Comment 5 2015-02-25 17:03:31 PST
Created attachment 247368 [details] Fix with a basic test. I'll likely increase the test coverage.
Michael Saboff
Comment 6 2015-02-25 18:15:07 PST
Created attachment 247382 [details] Patch
Mark Lam
Comment 7 2015-02-25 18:22:43 PST
Comment on attachment 247382 [details] Patch r=me
Michael Saboff
Comment 8 2015-02-25 22:05:18 PST
Committed r180660: <http://trac.webkit.org/changeset/180660>
Note You need to log in before you can comment on or make changes to this bug.