Bug 149281 - Regression(r189881): release assertion hit in toJS(ExecState*, JSDOMGlobalObject*, DocumentFragment*)
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Depends on:
Reported: 2015-09-17 13:00 PDT by Chris Dumez
Modified: 2015-09-17 17:46 PDT

See Also:

Patch (2.10 KB, patch)
2015-09-17 14:10 PDT, Chris Dumez
Patch (5.45 KB, patch)
2015-09-17 15:38 PDT, Chris Dumez

Description Chris Dumez 2015-09-17 13:00:35 PDT
release assertion hit in toJS(ExecState*, JSDOMGlobalObject*, DocumentFragment*) after <http://trac.webkit.org/changeset/189881>:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
    __TEXT                 0000000100d8f000-0000000100d91000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: plugins/snapshotting/snapshot-plugin-not-quite-blocked-by-image.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000106917d1e WTFCrash + 62
1   com.apple.WebCore             	0x0000000107826155 WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::DocumentFragment*) + 149
2   com.apple.WebCore             	0x00000001072cf527 WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot*) + 391
3   com.apple.WebCore             	0x0000000107599f9e WebCore::Element::addShadowRoot(WTF::Ref<WebCore::ShadowRoot>&&) + 558
4   com.apple.WebCore             	0x0000000107139a43 WebCore::Element::ensureUserAgentShadowRoot() + 83
5   com.apple.WebCore             	0x000000010705f50d WebCore::ThreadTimers::sharedTimerFiredInternal() + 157
6   com.apple.WebCore             	0x000000010705f438 WebCore::timerFired(__CFRunLoopTimer*, void*) + 24
Comment 1 Chris Dumez 2015-09-17 13:02:46 PDT
The assertion is:
    // If you hit this assertion you either have a use-after-free bug, or
    // DocumentFragment has subclasses. If DocumentFragment has subclasses that get passed
    // to toJS(), we currently require you to opt out of binding hardening
    // by adding the SkipVTableValidation attribute to the interface IDL definition.
    RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);

DocumentFragment does have a subclass: ShadowRoot. However, ShadowRoot does not have a Web-exposed type. Therefore, I believe the current code is safe and we should bypass the assertion here.
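The vtable check described in the comment above, modelled as an added C++ example (this is not WebKit's generated binding code; the class names mirror the bug, the helper names are hypothetical):

```cpp
// Added example (not WebKit code): a model of the binding-integrity check
// behind the RELEASE_ASSERT in toJS(). Class names mirror the bug; the
// helper names are hypothetical.
#include <cstdio>

struct Node { virtual ~Node() = default; };
struct DocumentFragment : Node { };
struct ShadowRoot : DocumentFragment { };   // the subclass that trips the check

// Read an object's vtable pointer. On the Itanium C++ ABI (gcc/clang) the
// vptr is the first word of a polymorphic object; implementation-defined,
// but it is the same layout the generated WebKit check relies on.
static void* vtablePointer(const Node* object)
{
    return *reinterpret_cast<void* const*>(object);
}

// Expected vptr for an exact DocumentFragment, taken from a representative
// instance instead of the mangled vtable symbol the generator emits.
static void* expectedDocumentFragmentVTable()
{
    static DocumentFragment prototype;
    return vtablePointer(&prototype);
}

// Models toJS(ExecState*, JSDOMGlobalObject*, DocumentFragment*): the wrapper
// is created only if the vptr is exactly DocumentFragment's. A mismatch means
// a clobbered vptr (use-after-free) or a subclass passed without the IDL
// having opted out via [SkipVTableValidation].
bool passesVTableValidation(const DocumentFragment* impl, bool skipVTableValidation = false)
{
    if (skipVTableValidation)
        return true;
    return vtablePointer(impl) == expectedDocumentFragmentVTable();
}

// The three cases from the bug, as functions so they can be checked directly.
bool exactFragmentPasses()      { DocumentFragment f; return passesVTableValidation(&f); }
bool shadowRootPasses()         { ShadowRoot s;       return passesVTableValidation(&s); }
bool shadowRootOptedOutPasses() { ShadowRoot s;       return passesVTableValidation(&s, true); }

int main()
{
    std::printf("DocumentFragment:       %d\n", exactFragmentPasses());      // 1
    std::printf("ShadowRoot:             %d\n", shadowRootPasses());         // 0 -> RELEASE_ASSERT
    std::printf("ShadowRoot, opted out:  %d\n", shadowRootOptedOutPasses()); // 1
}
```

The ShadowRoot case is exactly the path in the crashing stack (didAddUserAgentShadowRoot passing a ShadowRoot* as a DocumentFragment*), which is why it fails until the interface opts out or the call site changes.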
Comment 2 Ryosuke Niwa 2015-09-17 14:04:42 PDT
ShadowRoot will be exposed to Web now.
Comment 3 Chris Dumez 2015-09-17 14:10:34 PDT
Created attachment 261420
Comment 4 Chris Dumez 2015-09-17 15:38:39 PDT
Created attachment 261443
Comment 5 WebKit Commit Bot 2015-09-17 17:46:28 PDT
Comment on attachment 261443

Clearing flags on attachment: 261443

Committed r189949: <http://trac.webkit.org/changeset/189949>
Comment 6 WebKit Commit Bot 2015-09-17 17:46:32 PDT
All reviewed patches have been landed. Closing bug.