154378 – Crash on SES selftest page when loading the page while WebInspector is open

Bug 154378 - Crash on SES selftest page when loading the page while WebInspector is open

Summary: Crash on SES selftest page when loading the page while WebInspector is open

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:	https://rawgit.com/tvcutsem/es-lab/ma...
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2016-02-17 19:51 PST by Chris Dumez
Modified:	2020-04-08 16:32 PDT (History)
CC List:	10 users (show)

See Also:	154350 154102 200560

Attachments
Patch (2.66 KB, patch) 2016-02-18 08:47 PST, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2016-02-17 19:51:51 PST

Crash on SES selftest page when loading the page while WebInspector is open:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010a901f81 JSC::JSObject::getOwnPropertyDescriptor(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor&) + 449
1   com.apple.JavaScriptCore      	0x000000010a9bee88 JSC::objectConstructorGetOwnPropertyDescriptor(JSC::ExecState*, JSC::JSObject*, JSC::Identifier const&) + 72
2   com.apple.JavaScriptCore      	0x000000010a9bd336 JSC::objectConstructorGetOwnPropertyDescriptor(JSC::ExecState*) + 550
3   ???                           	0x00003a5d9d601028 0 + 64173746688040
4   com.apple.JavaScriptCore      	0x000000010a99baeb llint_entry + 23561
5   com.apple.JavaScriptCore      	0x000000010a99bb5d llint_entry + 23675
6   com.apple.JavaScriptCore      	0x000000010a99baeb llint_entry + 23561
7   com.apple.JavaScriptCore      	0x000000010a99baeb llint_entry + 23561
8   com.apple.JavaScriptCore      	0x000000010a995cff vmEntryToJavaScript + 299
9   com.apple.JavaScriptCore      	0x000000010a88389e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158

Comment 1 Radar WebKit Bug Importer 2016-02-17 19:53:47 PST

<rdar://problem/24713422>

Comment 2 Chris Dumez 2016-02-17 19:57:54 PST

Looks like there were 2 checks like this in putDirectInternal:
 if ((attributes & Accessor) != (currentAttributes & Accessor))

And I only updated one of them :/

Comment 3 Chris Dumez 2016-02-17 20:58:33 PST

This time it seems we hit the following assertion in getOwnPropertyDescriptor():
ASSERT(maybeGetterSetter);

So we have a slot with CustomAccessor attribute but getDirect() returns no value somehow.

|this| is a DebuggerScope and the propertyName is “document”.

Comment 4 Chris Dumez 2016-02-17 22:24:12 PST

I think the issue is that DebuggerScope::getOwnPropertySlot() does not only return *own* properties. It searches the prototype chain, like JSDOMWindow used to do before r196676. We used to have a check at the top of GetOwnPropertyDescriptor() to return early if getOwnPropertySlot() returned a non-own property but Gavin dropped it in r 196676, assuming the workaround was only needed for JSDOMWindow...

We probably need to add the following check back:
    if (slot.slotBase() != this && slot.slotBase()) {
        if (!proxy || proxy->target() != slot.slotBase())
            return false;
    }

I will verify.

Comment 5 Chris Dumez 2016-02-18 08:47:26 PST

Created attachment 271663 [details]
Patch

Comment 6 Mark Lam 2016-02-18 08:56:26 PST

Comment on attachment 271663 [details]
Patch

r=me

Comment 7 Chris Dumez 2016-02-18 09:19:30 PST

Comment on attachment 271663 [details]
Patch

Clearing flags on attachment: 271663

Committed r196760: <http://trac.webkit.org/changeset/196760>

Comment 8 Chris Dumez 2016-02-18 09:19:35 PST

All reviewed patches have been landed.  Closing bug.