Bug 15250 - REGRESSION: Reproducible crash in Safari when evaluating script in Drosera console
Summary: REGRESSION: Reproducible crash in Safari when evaluating script in Drosera co...
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
: P1 Major
Assignee: Nobody
Keywords: InRadar, Regression
Depends on:
Reported: 2007-09-21 03:37 PDT by Mark Rowe (bdash)
Modified: 2007-09-21 04:15 PDT

See Also:

Proposed patch (1.52 KB, patch)
2007-09-21 03:51 PDT, Mark Rowe (bdash)
mrowe: review+

Description Mark Rowe (bdash) 2007-09-21 03:37:11 PDT
Evaluating any JavaScript in the Drosera console will crash the Safari instance it is attached to with the following backtrace:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x01640b39 in KJS::JSCell::isObject (this=0x0) at value.h:231
231	    return type() == ObjectType;
(gdb) bt
#0  0x01640b39 in KJS::JSCell::isObject (this=0x0) at value.h:231
#1  0x01875015 in KJS::JSCell::isObject (this=0x0, info=0x1cb2120) at object.h:539
#2  0x0187507d in KJS::JSValue::isObject (this=0x0, c=0x1cb2120) at object.h:545
#3  0x018a1a28 in KJS::ScriptInterpreter::isGlobalObject (this=0x27ef6020, v=0x0) at /Volumes/Data/Home/Documents/Work/WebKit-git/OpenSource/WebCore/bindings/js/kjs_binding.cpp:270
#4  0x02c44cc5 in KJS::GlobalFuncImp::callAsFunction (this=0x27183360, exec=0xbfffd82c, thisObj=0x0, args=@0xbfffc9a0) at function.cpp:820
#5  0x02c2298a in KJS::JSObject::call (this=0x27183360, exec=0xbfffd82c, thisObj=0x0, args=@0xbfffc9a0) at object.cpp:94
#6  0x01640696 in -[WebCoreScriptCallFrame evaluateWebScript:] (self=0x27c93e20, _cmd=0x3bc2fa, script=0x26d9b990) at /Volumes/Data/Home/Documents/Work/WebKit-git/OpenSource/WebCore/bridge/mac/WebCoreScriptDebugger.mm:366
#7  0x00362880 in -[WebScriptCallFrame evaluateWebScript:] (self=0x26c1e9f0, _cmd=0x3bc2fa, script=0x26d9b990) at /Volumes/Data/Home/Documents/Work/WebKit-git/OpenSource/WebKit/WebView/WebScriptDebugDelegate.mm:192
#8  0x935a3f7d in __invoking___ ()
#9  0x935a3968 in -[NSInvocation invoke] ()
#10 0x935a3a38 in -[NSInvocation invokeWithTarget:] ()
#11 0x935a3eaa in ___forwarding___ ()
#12 0x935a3f12 in __forwarding_prep_0___ ()
#13 0x935a3f7d in __invoking___ ()
#14 0x935a3968 in -[NSInvocation invoke] ()
#15 0x93f4bc94 in -[NSConnection dispatchInvocation:] ()
#16 0x93f49c47 in -[NSConnection handleRequest:sequence:] ()
#17 0x93f4948d in -[NSConnection handlePortCoder:] ()
#18 0x93f48fbe in -[NSConcretePortCoder dispatch] ()

I'm pretty sure this is due to Antti's changes relating to the global object used by "eval".
Comment 1 Mark Rowe (bdash) 2007-09-21 03:46:09 PDT
-[WebCoreScriptCallFrame evaluateWebScript:] retrieves eval from the global object, if it exists, and then calls it with a NULL this object. It is trivial to null-check thisObj inside GlobalFuncImp::callAsFunction in one place, which resolves the crash, but I'm not sure that it is correct for -[WebCoreScriptCallFrame evaluateWebScript:] to be passing NULL for thisObj in the first place. It clearly used to work, so I'll go ahead and prepare a patch to restore this.
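As an added illustration (not WebKit's code), a minimal C++ model of the crash path in the backtrace: a "is this the global object?" check entered through a NULL pointer, beside a null-tolerant version and a caller that supplies the global object instead of NULL. All type and function names are constructed stand-ins for the KJS ones in the trace.

```cpp
#include <cstddef>

// Constructed stand-in for the KJS value hierarchy. The trace shows
// "JSCell::isObject (this=0x0)": a member function entered through a
// null pointer, which faults as soon as it touches the object (here,
// the virtual type() call).
enum Type { NumberType, ObjectType };

struct ClassInfo { const char* name; };
static const ClassInfo GlobalObjectInfo = { "GlobalObject" };

struct JSValue {
    virtual ~JSValue() {}
    virtual Type type() const = 0;
    virtual const ClassInfo* classInfo() const { return NULL; }
    bool isObject() const { return type() == ObjectType; }
    bool isObject(const ClassInfo* info) const { return isObject() && classInfo() == info; }
};

struct JSNumber : JSValue { Type type() const { return NumberType; } };
struct JSObject : JSValue { Type type() const { return ObjectType; } };
struct GlobalObject : JSObject {
    const ClassInfo* classInfo() const { return &GlobalObjectInfo; }
};

// Models the isGlobalObject frame as the trace implies: it calls through
// v without checking it, so a NULL thisObj faults (undefined behaviour;
// not exercised by the test below).
bool isGlobalObjectUnchecked(const JSValue* v) { return v->isObject(&GlobalObjectInfo); }

// Callee-side hardening: refuse NULL before dereferencing.
bool isGlobalObjectChecked(const JSValue* v) { return v && v->isObject(&GlobalObjectInfo); }

// Caller-side fix, matching the comment's concern: eval should be handed a
// real this object, so substitute the global object when none is given.
// Returns whether the this object seen by the callee is the global object.
bool evalLikeSeesGlobalThis(const JSValue* thisObj, const GlobalObject* global) {
    if (!thisObj)
        thisObj = global;
    return isGlobalObjectChecked(thisObj);
}

// Sample objects for stand-alone use (constructed).
static GlobalObject kGlobal;
static JSObject kPlainObject;
static JSNumber kNumber;
```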
Comment 2 Mark Rowe (bdash) 2007-09-21 03:47:47 PDT
Comment 3 Mark Rowe (bdash) 2007-09-21 03:51:27 PDT
Created attachment 16338 [details]
Proposed patch
Comment 4 Mark Rowe (bdash) 2007-09-21 04:14:07 PDT
Comment on attachment 16338 [details]
Proposed patch

Antti reviewed this.
Comment 5 Mark Rowe (bdash) 2007-09-21 04:15:21 PDT
Landed in r25681.