Bug 154378 - Crash on SES selftest page when loading the page while WebInspector is open
Summary: Crash on SES selftest page when loading the page while WebInspector is open
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL: https://rawgit.com/tvcutsem/es-lab/ma...
Keywords: InRadar
Depends on:
Reported: 2016-02-17 19:51 PST by Chris Dumez
Modified: 2020-04-08 16:32 PDT (History)
10 users (show)

See Also:

Patch (2.66 KB, patch)
2016-02-18 08:47 PST, Chris Dumez
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2016-02-17 19:51:51 PST
Crash on SES selftest page when loading the page while WebInspector is open:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010a901f81 JSC::JSObject::getOwnPropertyDescriptor(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor&) + 449
1   com.apple.JavaScriptCore      	0x000000010a9bee88 JSC::objectConstructorGetOwnPropertyDescriptor(JSC::ExecState*, JSC::JSObject*, JSC::Identifier const&) + 72
2   com.apple.JavaScriptCore      	0x000000010a9bd336 JSC::objectConstructorGetOwnPropertyDescriptor(JSC::ExecState*) + 550
3   ???                           	0x00003a5d9d601028 0 + 64173746688040
4   com.apple.JavaScriptCore      	0x000000010a99baeb llint_entry + 23561
5   com.apple.JavaScriptCore      	0x000000010a99bb5d llint_entry + 23675
6   com.apple.JavaScriptCore      	0x000000010a99baeb llint_entry + 23561
7   com.apple.JavaScriptCore      	0x000000010a99baeb llint_entry + 23561
8   com.apple.JavaScriptCore      	0x000000010a995cff vmEntryToJavaScript + 299
9   com.apple.JavaScriptCore      	0x000000010a88389e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
Comment 1 Radar WebKit Bug Importer 2016-02-17 19:53:47 PST
Comment 2 Chris Dumez 2016-02-17 19:57:54 PST
Looks like there were 2 checks like this in putDirectInternal:
 if ((attributes & Accessor) != (currentAttributes & Accessor))

And I only updated one of them :/
Comment 3 Chris Dumez 2016-02-17 20:58:33 PST
This time it seems we hit the following assertion in getOwnPropertyDescriptor():

So we have a slot with CustomAccessor attribute but getDirect() returns no value somehow.

|this| is a DebuggerScope and the propertyName is “document”.
Comment 4 Chris Dumez 2016-02-17 22:24:12 PST
I think the issue is that DebuggerScope::getOwnPropertySlot() does not only return *own* properties. It searches the prototype chain, like JSDOMWindow used to do before r196676. We used to have a check at the top of GetOwnPropertyDescriptor() to return early if getOwnPropertySlot() returned a non-own property but Gavin dropped it in r 196676, assuming the workaround was only needed for JSDOMWindow...

We probably need to add the following check back:
    if (slot.slotBase() != this && slot.slotBase()) {
        if (!proxy || proxy->target() != slot.slotBase())
            return false;

I will verify.
Comment 5 Chris Dumez 2016-02-18 08:47:26 PST
Created attachment 271663 [details]
Comment 6 Mark Lam 2016-02-18 08:56:26 PST
Comment on attachment 271663 [details]

Comment 7 Chris Dumez 2016-02-18 09:19:30 PST
Comment on attachment 271663 [details]

Clearing flags on attachment: 271663

Committed r196760: <http://trac.webkit.org/changeset/196760>
Comment 8 Chris Dumez 2016-02-18 09:19:35 PST
All reviewed patches have been landed.  Closing bug.