RESOLVED FIXED 154378
Crash on SES selftest page when loading the page while WebInspector is open
https://bugs.webkit.org/show_bug.cgi?id=154378
Summary Crash on SES selftest page when loading the page while WebInspector is open
Chris Dumez
Reported 2016-02-17 19:51:51 PST
Crash on SES selftest page when loading the page while WebInspector is open:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore   0x000000010a901f81 JSC::JSObject::getOwnPropertyDescriptor(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor&) + 449
1   com.apple.JavaScriptCore   0x000000010a9bee88 JSC::objectConstructorGetOwnPropertyDescriptor(JSC::ExecState*, JSC::JSObject*, JSC::Identifier const&) + 72
2   com.apple.JavaScriptCore   0x000000010a9bd336 JSC::objectConstructorGetOwnPropertyDescriptor(JSC::ExecState*) + 550
3   ???                        0x00003a5d9d601028 0 + 64173746688040
4   com.apple.JavaScriptCore   0x000000010a99baeb llint_entry + 23561
5   com.apple.JavaScriptCore   0x000000010a99bb5d llint_entry + 23675
6   com.apple.JavaScriptCore   0x000000010a99baeb llint_entry + 23561
7   com.apple.JavaScriptCore   0x000000010a99baeb llint_entry + 23561
8   com.apple.JavaScriptCore   0x000000010a995cff vmEntryToJavaScript + 299
9   com.apple.JavaScriptCore   0x000000010a88389e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
Attachments
Patch (2.66 KB, patch)
2016-02-18 08:47 PST, Chris Dumez
no flags
Radar WebKit Bug Importer
Comment 1 2016-02-17 19:53:47 PST
Chris Dumez
Comment 2 2016-02-17 19:57:54 PST
Looks like there were 2 checks like this in putDirectInternal:

if ((attributes & Accessor) != (currentAttributes & Accessor))

And I only updated one of them :/
Chris Dumez
Comment 3 2016-02-17 20:58:33 PST
This time it seems we hit the following assertion in getOwnPropertyDescriptor():

ASSERT(maybeGetterSetter);

So we have a slot with CustomAccessor attribute but getDirect() returns no value somehow. |this| is a DebuggerScope and the propertyName is "document".
Chris Dumez
Comment 4 2016-02-17 22:24:12 PST
I think the issue is that DebuggerScope::getOwnPropertySlot() does not only return *own* properties. It searches the prototype chain, like JSDOMWindow used to do before r196676. We used to have a check at the top of GetOwnPropertyDescriptor() to return early if getOwnPropertySlot() returned a non-own property but Gavin dropped it in r196676, assuming the workaround was only needed for JSDOMWindow... We probably need to add the following check back:

if (slot.slotBase() != this && slot.slotBase()) {
    if (!proxy || proxy->target() != slot.slotBase())
        return false;
}

I will verify.
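The distinction Comment 4 draws, between a property lookup that answers for the whole prototype chain and a caller that must report *own* properties only, can be modelled outside JSC. The following is an added example written for this page, not WebKit code: `lookupSlot` is a hypothetical stand-in for a chain-walking `getOwnPropertySlot()` (returning the object that actually holds the property, as `slotBase()` does), and the two `getOwnDescriptor*` functions contrast the behaviour with and without the slot-base check quoted above. `findOwnPropertyDisagreements` then compares each model against the engine's native `Object.getOwnPropertyDescriptor`, which is the kind of invariant check an SES-style selftest performs.

```javascript
// Added example (not WebKit code): models the own-property check that
// Comment 4 proposes restoring in getOwnPropertyDescriptor().
//
// In JSC, getOwnPropertySlot() fills a slot whose slotBase() names the object
// that really holds the property. Classes such as DebuggerScope (and the old
// JSDOMWindow) answer for properties found anywhere on the prototype chain, so
// a caller that wants own properties only must compare slotBase() with the
// receiver. Everything below is a plain-JavaScript model of that.

// Hypothetical chain-walking lookup: returns { base, descriptor } for the
// first object in the chain that holds `name`, or null when none does.
function lookupSlot(receiver, name) {
  for (let obj = receiver; obj !== null; obj = Object.getPrototypeOf(obj)) {
    const descriptor = Object.getOwnPropertyDescriptor(obj, name);
    if (descriptor !== undefined) {
      return { base: obj, descriptor };
    }
  }
  return null;
}

// Behaviour with the check dropped: whatever the slot found is reported as an
// own property, even when its base is a prototype.
function getOwnDescriptorWithoutBaseCheck(receiver, name) {
  const slot = lookupSlot(receiver, name);
  return slot === null ? undefined : slot.descriptor;
}

// Behaviour with the check restored: a slot whose base is neither the
// receiver nor the receiver's proxy target is not an own property, so the
// model reports "no own descriptor" (JSC's `return false`).
function getOwnDescriptorWithBaseCheck(receiver, name, proxyTarget = null) {
  const slot = lookupSlot(receiver, name);
  if (slot === null) return undefined;
  if (slot.base !== receiver && slot.base !== proxyTarget) return undefined;
  return slot.descriptor;
}

// Invariant check: run `lookup` for every name visible on the receiver or its
// chain and compare "is own?" with the native engine. Returns the names on
// which the model disagrees, sorted.
function findOwnPropertyDisagreements(lookup, receiver) {
  const names = new Set();
  for (let obj = receiver; obj !== null; obj = Object.getPrototypeOf(obj)) {
    for (const n of Object.getOwnPropertyNames(obj)) names.add(n);
  }
  const disagreements = [];
  for (const name of names) {
    const native = Object.getOwnPropertyDescriptor(receiver, name);
    const modelled = lookup(receiver, name);
    if ((native === undefined) !== (modelled === undefined)) {
      disagreements.push(name);
    }
  }
  return disagreements.sort();
}

// Constructed fixture: a scope-like object whose "document" accessor lives on
// the prototype, mirroring the DebuggerScope / "document" pair in Comment 3.
function makeScopeFixture() {
  const globalLike = Object.create(null);
  Object.defineProperty(globalLike, "document", {
    get() { return "<document>"; },
    configurable: true,
    enumerable: true,
  });
  const scope = Object.create(globalLike);
  Object.defineProperty(scope, "localVar", {
    value: 1, writable: true, configurable: true, enumerable: true,
  });
  return scope;
}

// Usage: the unchecked model wrongly claims "document" as own; the checked
// model agrees with the engine everywhere.
const scope = makeScopeFixture();
console.log(findOwnPropertyDisagreements(getOwnDescriptorWithoutBaseCheck, scope)); // ["document"]
console.log(findOwnPropertyDisagreements(getOwnDescriptorWithBaseCheck, scope));    // []
```

The third parameter of `getOwnDescriptorWithBaseCheck` models the `proxy->target()` clause: when the receiver is a proxy whose target is the object holding the property, the property is still reported, which is why the original JSDOMWindow workaround carried that exception.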
Chris Dumez
Comment 5 2016-02-18 08:47:26 PST
Mark Lam
Comment 6 2016-02-18 08:56:26 PST
Comment on attachment 271663 [details]
Patch

r=me
Chris Dumez
Comment 7 2016-02-18 09:19:30 PST
Comment on attachment 271663 [details]
Patch

Clearing flags on attachment: 271663

Committed r196760: <http://trac.webkit.org/changeset/196760>
Chris Dumez
Comment 8 2016-02-18 09:19:35 PST
All reviewed patches have been landed. Closing bug.