Bug 141396 - Web Inspector: CRASH when debugger pauses inside a Promise handler
Summary: Web Inspector: CRASH when debugger pauses inside a Promise handler
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-02-09 12:05 PST by Brian Burg
Modified: 2015-02-25 22:05 PST (History)

See Also:


Attachments
crash log (76.32 KB, text/plain)
2015-02-09 12:08 PST, Brian Burg
no flags
Fix with a basic test. I'll likely increase the test coverage. (4.08 KB, patch)
2015-02-25 17:03 PST, Michael Saboff
no flags
Patch (7.15 KB, patch)
2015-02-25 18:15 PST, Michael Saboff
mark.lam: review+

Description Brian Burg 2015-02-09 12:05:16 PST
Test case:

var p = new Promise(function(resolve, reject) {
    debugger;
})
Comment 1 Radar WebKit Bug Importer 2015-02-09 12:05:50 PST
<rdar://problem/19769491>
Comment 2 Brian Burg 2015-02-09 12:08:10 PST
Created attachment 246281 [details]
crash log
Comment 3 Mark Lam 2015-02-09 17:28:11 PST
The JS call stack at the time the debugger breaks:
      frame 0x7fff5af1aca0 {
         name ''
         sourceURL 'file:///Volumes/Data/ws1/OpenSource/brrian-test.js'
         isInlinedFrame 0
         callee 0x11cbd8930
         returnPC 0x10f466e29
         callerFrame 0x7fff5af1b560
         rawLocationBits 25 0x19
         codeBlock 0x11b772960
            bytecodeOffset 25 0x19 / 32
            line 2
            column 5
            jitType 2 <InterpreterThunk> isOptimizingJIT 0
            hasCodeOrigins 0
      }
      frame 0x7fff5af1b560 {
         name 'Promise'
         sourceURL '[native code]'
         isInlinedFrame 0
         callee 0x11cbaf790
         returnPC 0x0
         callerFrame 0x7fff5af1b5d0
         rawLocationBits 32767 0x7fff
         codeBlock 0x0
      }
      frame 0x7fff5af1b5d0 {
         name 'global code'
         sourceURL 'file:///Volumes/Data/ws1/OpenSource/brrian-test.js'
         isInlinedFrame 0
         callee 0x11cbaf5f0
         returnPC 0x10f466e29
         callerFrame 0x0
         rawLocationBits 43 0x2b
         codeBlock 0x11b772708
            bytecodeOffset 43 0x2b / 66
            line 1
            column 20
            jitType 2 <InterpreterThunk> isOptimizingJIT 0
            hasCodeOrigins 0
      }

The crash is due to an assertion when the DebuggerCallFrame tries to get the callee scope of the 2nd frame (“Promise” constructor).  The DebuggerCallFrame does so by jsCast’ing the callee to a JSCallee and invoking its scope() method.  However, the Promise constructor is an InternalFunction which does not inherit from JSCallee.  Hence, the assertion failure.
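An added illustration of the failure mode described in comment 3, not WebKit code: a stand-in model in which `JSCallee` and `InternalFunction` are sibling subclasses of `JSObject`, with `calleeScopeUnchecked` mirroring the unconditional `jsCast` and `calleeScope` showing the checked alternative. All names here (`CellKind`, `CallFrame`, `calleeScope`, `nativeFrameYieldsNoScope`) are constructed for the example and are not JavaScriptCore's actual API.

```cpp
// Constructed model of the bug: the Promise constructor frame's callee is an
// InternalFunction, which is not a JSCallee, so casting it to one is a type error.
#include <cassert>
#include <string>

// Kind tag standing in for JSCell::inherits(); Callee and InternalFunction are
// siblings under Object, so neither is a subtype of the other.
enum class CellKind { Object, Callee, InternalFunction };

struct JSObject {
    explicit JSObject(CellKind k) : kind(k) {}
    CellKind kind;
};

struct Scope { std::string name; };

// A JS function created from script: carries a scope chain.
struct JSCallee : JSObject {
    explicit JSCallee(Scope* s) : JSObject(CellKind::Callee), scopeChain(s) {}
    Scope* scope() const { return scopeChain; }
    Scope* scopeChain;
};

// Native builtin such as the Promise constructor: callable, but has no JS scope.
struct InternalFunction : JSObject {
    InternalFunction() : JSObject(CellKind::InternalFunction) {}
};

// Checked downcast (stand-in for jsDynamicCast<>): nullptr on a type mismatch
// instead of asserting in debug builds or type-confusing in release builds.
template <typename T> T* jsDynamicCast(JSObject* cell);
template <> JSCallee* jsDynamicCast<JSCallee>(JSObject* cell) {
    return cell && cell->kind == CellKind::Callee ? static_cast<JSCallee*>(cell) : nullptr;
}

struct CallFrame { JSObject* callee; };

// Before: the unconditional cast; this is the assertion the bug report hits.
Scope* calleeScopeUnchecked(const CallFrame& frame) {
    assert(frame.callee->kind == CellKind::Callee);
    return static_cast<JSCallee*>(frame.callee)->scope();
}

// After: a native frame simply has no scope to report.
Scope* calleeScope(const CallFrame& frame) {
    JSCallee* callee = jsDynamicCast<JSCallee>(frame.callee);
    return callee ? callee->scope() : nullptr;
}

// Stack from the report: handler frame (JSCallee) called by the native Promise
// constructor frame (InternalFunction). True when only the JS frame yields a scope.
bool nativeFrameYieldsNoScope() {
    Scope global{"global"};
    JSCallee handler(&global);
    InternalFunction promiseCtor;
    CallFrame frames[] = {{&handler}, {&promiseCtor}};
    return calleeScope(frames[0]) == &global && calleeScope(frames[1]) == nullptr;
}
```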
Comment 4 Mark Lam 2015-02-09 17:39:25 PST
See also https://bugs.webkit.org/show_bug.cgi?id=139167 which concluded that InternalFunctions shouldn’t be JSCallees.
Comment 5 Michael Saboff 2015-02-25 17:03:31 PST
Created attachment 247368 [details]
Fix with a basic test.  I'll likely increase the test coverage.
Comment 6 Michael Saboff 2015-02-25 18:15:07 PST
Created attachment 247382 [details]
Patch
Comment 7 Mark Lam 2015-02-25 18:22:43 PST
Comment on attachment 247382 [details]
Patch

r=me
Comment 8 Michael Saboff 2015-02-25 22:05:18 PST
Committed r180660: <http://trac.webkit.org/changeset/180660>