Bug 154403 - ASSERT on SES selftest page when loading the page while WebInspector is open in debug builds
Summary: ASSERT on SES selftest page when loading the page while WebInspector is open ...
Status: RESOLVED DUPLICATE of bug 152294
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL: https://rawgit.com/tvcutsem/es-lab/ma...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-02-18 11:31 PST by Chris Dumez
Modified: 2016-02-18 12:27 PST (History)
CC: 7 users

See Also:


Description Chris Dumez 2016-02-18 11:31:00 PST
Crash on SES selftest page when loading the page while WebInspector is open in debug builds:
https://rawgit.com/tvcutsem/es-lab/master/src/ses/contract.html

Trace:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0xbbadbeef:
--> 
    __TEXT                 000000010f456000-000000010f458000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
Bundle controller class:
BrowserBundleController
 
Process Model:
Multiple Web Processes
 

Global Trace Buffer (reverse chronological seconds):
88.533547    CFNetwork                 	0x00007fff8f681d29 Explicitly setting CF cookie storage singleton
88.533865    CFNetwork                 	0x00007fff8f6b8621 Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000011399e487 WTFCrash + 39 (Assertions.cpp:322)
1   com.apple.JavaScriptCore      	0x00000001133097f7 Inspector::InjectedScriptBase::makeCall(Deprecated::ScriptFunctionCall&, WTF::RefPtr<Inspector::InspectorValue>*) + 183 (InjectedScriptBase.cpp:98)
2   com.apple.JavaScriptCore      	0x0000000113305a0d Inspector::InjectedScript::getDisplayableProperties(WTF::String&, WTF::String const&, bool, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::PropertyDescriptor> >*) + 253 (InjectedScript.cpp:136)
3   com.apple.JavaScriptCore      	0x000000011339d9cb Inspector::InspectorRuntimeAgent::getDisplayableProperties(WTF::String&, WTF::String const&, bool const*, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::PropertyDescriptor> >&, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::InternalPropertyDescriptor> >&) + 283 (InspectorRuntimeAgent.cpp:192)
4   com.apple.JavaScriptCore      	0x000000011339daba non-virtual thunk to Inspector::InspectorRuntimeAgent::getDisplayableProperties(WTF::String&, WTF::String const&, bool const*, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::PropertyDescriptor> >&, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::InternalPropertyDescriptor> >&) + 90 (InspectorRuntimeAgent.cpp:180)
5   com.apple.JavaScriptCore      	0x000000011334887e Inspector::RuntimeBackendDispatcher::getDisplayableProperties(long, WTF::RefPtr<Inspector::InspectorObject>&&) + 718 (InspectorBackendDispatchers.cpp:5154)
6   com.apple.JavaScriptCore      	0x0000000113346476 Inspector::RuntimeBackendDispatcher::dispatch(long, WTF::String const&, WTF::Ref<Inspector::InspectorObject>&&) + 886 (InspectorBackendDispatchers.cpp:4970)
7   com.apple.JavaScriptCore      	0x0000000113317950 Inspector::BackendDispatcher::dispatch(WTF::String const&) + 2000 (InspectorBackendDispatcher.cpp:181)
8   com.apple.WebCore             	0x000000011698651f WebCore::InspectorController::dispatchMessageFromFrontend(WTF::String const&) + 47 (InspectorController.cpp:386)
9   com.apple.WebKit              	0x000000010fc07243 WebKit::WebInspector::sendMessageToBackend(WTF::String const&) + 83 (WebInspector.cpp:252)
10  com.apple.WebKit              	0x000000010fc1435f void IPC::callMemberFunctionImpl<WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&), std::__1::tuple<WTF::String>, 0ul>(WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&), std::__1::tuple<WTF::String>&&, std::index_sequence<0ul>) + 159 (HandleMessage.h:17)
11  com.apple.WebKit              	0x000000010fc142b8 void IPC::callMemberFunction<WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&), std::__1::tuple<WTF::String>, std::make_index_sequence<1ul> >(std::__1::tuple<WTF::String>&&, WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&)) + 88 (HandleMessage.h:23)
12  com.apple.WebKit              	0x000000010fc13ed0 void IPC::handleMessage<Messages::WebInspector::SendMessageToBackend, WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&)>(IPC::MessageDecoder&, WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&)) + 240 (HandleMessage.h:93)
13  com.apple.WebKit              	0x000000010fc1339a WebKit::WebInspector::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 1306 (WebInspectorMessageReceiver.cpp:77)
14  com.apple.WebKit              	0x000000010fc13407 non-virtual thunk to WebKit::WebInspector::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 55 (WebInspectorMessageReceiver.cpp:37)
15  com.apple.WebKit              	0x000000010f5174d3 IPC::Connection::dispatchMessage(IPC::MessageDecoder&) + 51 (Connection.cpp:892)
16  com.apple.WebKit              	0x000000010f50e351 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 785 (Connection.cpp:924)
17  com.apple.WebKit              	0x000000010f517acf IPC::Connection::dispatchOneMessage() + 1519 (Connection.cpp:953)
18  com.apple.WebKit              	0x000000010f528e3d IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const + 29 (Connection.cpp:886)
19  com.apple.WebKit              	0x000000010f528e0d void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) + 45 (__functional_base:441)
20  com.apple.WebKit              	0x000000010f528c5c std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() + 44 (functional:1407)
21  com.apple.JavaScriptCore      	0x00000001132e2cda std::__1::function<void ()>::operator()() const + 26 (functional:1793)
22  com.apple.JavaScriptCore      	0x00000001139e8272 WTF::RunLoop::performWork() + 306 (RunLoop.cpp:106)
23  com.apple.JavaScriptCore      	0x00000001139e8a94 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
24  com.apple.CoreFoundation      	0x00007fff985275c1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
25  com.apple.CoreFoundation      	0x00007fff9851941c __CFRunLoopDoSources0 + 556
26  com.apple.CoreFoundation      	0x00007fff9851893f __CFRunLoopRun + 927
27  com.apple.CoreFoundation      	0x00007fff98518338 CFRunLoopRunSpecific + 296
28  com.apple.HIToolbox           	0x00007fff9a7e4935 RunCurrentEventLoopInMode + 235
29  com.apple.HIToolbox           	0x00007fff9a7e476f ReceiveNextEventCommon + 432
30  com.apple.HIToolbox           	0x00007fff9a7e45af _BlockUntilNextEventMatchingListInModeWithFilter + 71
31  com.apple.AppKit              	0x00007fff938cd0ee _DPSNextEvent + 1067
32  com.apple.AppKit              	0x00007fff93c99943 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
33  com.apple.WebCore             	0x000000011631542a WebCore::EventLoop::cycle() + 138 (EventLoopMac.mm:34)
34  com.apple.WebCore             	0x00000001174d2611 WebCore::PageScriptDebugServer::runEventLoopWhilePausedInternal() + 97 (PageScriptDebugServer.cpp:116)
35  com.apple.WebCore             	0x00000001174d25a5 WebCore::PageScriptDebugServer::runEventLoopWhilePaused() + 21 (PageScriptDebugServer.cpp:109)
36  com.apple.JavaScriptCore      	0x00000001137dde14 Inspector::ScriptDebugServer::handlePause(JSC::JSGlobalObject*, JSC::Debugger::ReasonForPause) + 116 (ScriptDebugServer.cpp:317)
37  com.apple.JavaScriptCore      	0x0000000112dc62fd JSC::Debugger::pauseIfNeeded(JSC::ExecState*) + 637 (Debugger.cpp:660)
38  com.apple.JavaScriptCore      	0x0000000112dc65bc JSC::Debugger::updateCallFrameAndPauseIfNeeded(JSC::ExecState*) + 60 (Debugger.cpp:612)
39  com.apple.JavaScriptCore      	0x0000000112dc6a54 JSC::Debugger::didReachBreakpoint(JSC::ExecState*) + 100 (Debugger.cpp:767)
40  com.apple.JavaScriptCore      	0x00000001133ae20b JSC::Interpreter::debug(JSC::ExecState*, JSC::DebugHookID) + 347 (Interpreter.cpp:1366)
41  com.apple.JavaScriptCore      	0x00000001135ea25b llint_slow_path_debug + 123 (LLIntSlowPaths.cpp:1379)
42  com.apple.JavaScriptCore      	0x00000001135f4ec4 llint_entry + 29472
43  com.apple.JavaScriptCore      	0x00000001135f4471 llint_entry + 26829
44  com.apple.JavaScriptCore      	0x00000001135f4471 llint_entry + 26829
45  com.apple.JavaScriptCore      	0x00000001135f4471 llint_entry + 26829
46  com.apple.JavaScriptCore      	0x00000001135f4471 llint_entry + 26829
47  com.apple.JavaScriptCore      	0x00000001135f4471 llint_entry + 26829
48  com.apple.JavaScriptCore      	0x00000001135ed98e vmEntryToJavaScript + 334
49  com.apple.JavaScriptCore      	0x000000011340e6fa JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 218 (JITCode.cpp:80)
50  com.apple.JavaScriptCore      	0x00000001133ac7b6 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4518 (Interpreter.cpp:972)
51  com.apple.JavaScriptCore      	0x0000000112d97b60 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 480 (Completion.cpp:105)
52  com.apple.JavaScriptCore      	0x0000000112d97c9e JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 94 (Completion.cpp:120)
53  com.apple.WebCore             	0x00000001179b8beb WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 75 (JSMainThreadExecState.h:80)
54  com.apple.WebCore             	0x00000001179b6766 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 326 (ScriptController.cpp:164)
55  com.apple.WebCore             	0x00000001179b68cc WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) + 76 (ScriptController.cpp:180)
56  com.apple.WebCore             	0x00000001179c5ccb WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 491 (ScriptElement.cpp:314)
57  com.apple.WebCore             	0x00000001179c4bb3 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1731 (ScriptElement.cpp:245)
58  com.apple.WebCore             	0x0000000116711f2c WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 364 (HTMLScriptRunner.cpp:304)
59  com.apple.WebCore             	0x0000000116711d3a WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 138 (HTMLScriptRunner.cpp:177)
60  com.apple.WebCore             	0x0000000116638021 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 289 (HTMLDocumentParser.cpp:195)
61  com.apple.WebCore             	0x0000000116638131 WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 177 (HTMLDocumentParser.cpp:214)
62  com.apple.WebCore             	0x000000011663749f WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 399 (HTMLDocumentParser.cpp:252)
63  com.apple.WebCore             	0x00000001166370ce WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 174 (HTMLDocumentParser.cpp:167)
64  com.apple.WebCore             	0x000000011663914f WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() + 383 (HTMLDocumentParser.cpp:488)
65  com.apple.WebCore             	0x0000000116639557 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 327 (HTMLDocumentParser.cpp:528)
66  com.apple.WebCore             	0x000000011663959f non-virtual thunk to WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 47 (HTMLDocumentParser.cpp:512)
67  com.apple.WebCore             	0x0000000115ca7212 WebCore::CachedResource::checkNotify() + 130 (CachedResource.cpp:295)
68  com.apple.WebCore             	0x0000000115ca7321 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 49 (CachedResource.cpp:313)
69  com.apple.WebCore             	0x0000000115cc802e WebCore::CachedScript::finishLoading(WebCore::SharedBuffer*) + 126 (CachedScript.cpp:117)
70  com.apple.WebCore             	0x0000000117c9ea54 WebCore::SubresourceLoader::didFinishLoading(double) + 532 (SubresourceLoader.cpp:386)
71  com.apple.WebKit              	0x000000010fea6687 WebKit::WebResourceLoader::didFinishResourceLoad(double) + 151 (WebResourceLoader.cpp:154)
72  com.apple.WebKit              	0x000000010feabbf3 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) + 163 (HandleMessage.h:17)
73  com.apple.WebKit              	0x000000010feabb48 void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 88 (HandleMessage.h:23)
74  com.apple.WebKit              	0x000000010feaac62 void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) + 226 (HandleMessage.h:93)
75  com.apple.WebKit              	0x000000010feaa3dc WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 636 (WebResourceLoaderMessageReceiver.cpp:66)
76  com.apple.WebKit              	0x000000010f8638b0 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 160 (NetworkProcessConnection.cpp:60)
77  com.apple.WebKit              	0x000000010f5174d3 IPC::Connection::dispatchMessage(IPC::MessageDecoder&) + 51 (Connection.cpp:892)
78  com.apple.WebKit              	0x000000010f50e351 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 785 (Connection.cpp:924)
79  com.apple.WebKit              	0x000000010f517acf IPC::Connection::dispatchOneMessage() + 1519 (Connection.cpp:953)
80  com.apple.WebKit              	0x000000010f528e3d IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const + 29 (Connection.cpp:886)
81  com.apple.WebKit              	0x000000010f528e0d void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) + 45 (__functional_base:441)
82  com.apple.WebKit              	0x000000010f528c5c std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() + 44 (functional:1407)
83  com.apple.JavaScriptCore      	0x00000001132e2cda std::__1::function<void ()>::operator()() const + 26 (functional:1793)
84  com.apple.JavaScriptCore      	0x00000001139e83ad WTF::RunLoop::performWork() + 621 (RunLoop.cpp:123)
85  com.apple.JavaScriptCore      	0x00000001139e8a94 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
86  com.apple.CoreFoundation      	0x00007fff985275c1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
87  com.apple.CoreFoundation      	0x00007fff9851941c __CFRunLoopDoSources0 + 556
88  com.apple.CoreFoundation      	0x00007fff9851893f __CFRunLoopRun + 927
89  com.apple.CoreFoundation      	0x00007fff98518338 CFRunLoopRunSpecific + 296
90  com.apple.HIToolbox           	0x00007fff9a7e4935 RunCurrentEventLoopInMode + 235
91  com.apple.HIToolbox           	0x00007fff9a7e476f ReceiveNextEventCommon + 432
92  com.apple.HIToolbox           	0x00007fff9a7e45af _BlockUntilNextEventMatchingListInModeWithFilter + 71
93  com.apple.AppKit              	0x00007fff938cd0ee _DPSNextEvent + 1067
94  com.apple.AppKit              	0x00007fff93c99943 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
95  com.apple.AppKit              	0x00007fff938c2fc8 -[NSApplication run] + 682
96  com.apple.AppKit              	0x00007fff93845520 NSApplicationMain + 1176
97  libxpc.dylib                  	0x00007fff99fcbf6c _xpc_objc_main + 793
98  libxpc.dylib                  	0x00007fff99fcd6bb xpc_main + 494
99  com.apple.WebKit.WebContent.Development	0x000000010f457110 main + 800 (XPCServiceMain.mm:114)
100 libdyld.dylib                 	0x00007fff97aed5ad start + 1
Comment 1 Radar WebKit Bug Importer 2016-02-18 11:31:45 PST
<rdar://problem/24724611>
Comment 2 Joseph Pecoraro 2016-02-18 11:36:54 PST
This is an ASSERT that InjectedScriptSource did not throw an exception, but it did. We've seen this in the past if pages override builtin things (like `Set`).
Comment 3 Timothy Hatcher 2016-02-18 11:38:04 PST
Dupe to bug 152294?
Comment 4 Chris Dumez 2016-02-18 11:45:27 PST
file:///Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Views/ScopeChainDetailsSidebarPanel.js:183:27: CONSOLE ERROR
file:///Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Views/ScopeChainDetailsSidebarPanel.js:183:27: CONSOLE ERROR
file:///Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Views/ScopeChainDetailsSidebarPanel.js:183:27: CONSOLE ERROR
CONSOLE LOG Cannot convert null or undefined to object : contract.html line 217
cajaVM.confine(exprSrc, {fakeUrl: cfakeUrl, nested: cnested}, {
          sourceUrl: 'data:,' + encodeURIComponent(exprSrc)
        });

file:///Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Models/GarbageCollection.js:32:23: CONSOLE ERROR
Comment 5 Joseph Pecoraro 2016-02-18 11:59:49 PST
This exception is thrown by user code.

It seems like the page's code overrides `Object.prototype.__proto__`. InjectedScript, traversing the prototype chain using __proto__, encounters an error it doesn't expect caused by this code throwing.

Here is where the TypeError is defined:

>  /**
>   * Repairs both getter and setter. If either are vulnerable, I don't
>   * care if the other seemed to pass the test. Better to make them
>   * both safe.
>   */
>  function repair_UNDERBAR_PROTO_accessors_USE_GLOBAL() {
>    var gopd = Object.getOwnPropertyDescriptor;
>
>    var oldDesc = gopd(Object.prototype, '__proto__');
>    var oldGetter = oldDesc.get;
>    var oldSetter = oldDesc.set;
>    function newGetter() {
>      if (this === null || this === void 0) {
>        throw new TypeError('Cannot convert null or undefined to object');
>      } else {
>        return oldGetter.call(this);
>      }
>    }
>    function newSetter(newProto) {
>      if (this === null || this === void 0) {
>        throw new TypeError('Cannot convert null or undefined to object');
>      } else {
>        oldSetter.call(this, newProto);
>      }
>    }
>    Object.defineProperty(Object.prototype, '__proto__', {
>      get: oldGetter ? newGetter : void 0,
>      set: oldSetter ? newSetter : void 0
>    });
>  }

And here is code that exercises it with a description (there is code exercising the getter and setter)

>  /**
>   * Detects https://bugs.webkit.org/show_bug.cgi?id=141865
>   *
>   * <p>On Safari 7.0.5 (9537.77.4), the getter of the
>   * Object.prototype.__proto__ property, if applied to undefined,
>   * acts like a sloppy function would, coercing the undefined to the
>   * global object and returning the global object's [[Prototype]].
>   */
>  function test_UNDERBAR_PROTO_GETTER_USES_GLOBAL() {
>    var gopd = Object.getOwnPropertyDescriptor;
>    var getProto = Object.getPrototypeOf;
>
>    var desc = gopd(Object.prototype, '__proto__');
>    if (!desc) { return false; }
>    var getter = desc.get;
>    if (!getter) { return false; }
>    var globalProto = void 0;
>    try {
>      globalProto = getter();
>    } catch (ex) {
>      if (ex instanceof TypeError && globalProto === void 0) {
>          return false;
>      }
>      return 'unexpected error: ' + ex;
>    }
>    if (getProto(global) === globalProto) { return true; }
>    return 'unexpected global.__proto__: ' + globalProto;
>  }

That said, I did not investigate what code in InjectedScriptSource encounters this.

I do think moving InjectedScriptSource to a builtin, and using @Object.@getPrototypeOf() instead of __proto__ would probably solve this.
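The mechanism described in Comment 5, as an added example that is not part of the bug report, of SES, or of WebKit: a prototype-chain walk that goes through the page-visible `Object.prototype.__proto__` accessor executes page-defined code on every step, while a walk through a `getPrototypeOf` reference captured before page scripts run (the stand-in here for the `@Object.@getPrototypeOf` builtin reference suggested above) never does. The repair installed below is a constructed stand-in with the same shape as the quoted `repair_UNDERBAR_PROTO_accessors_USE_GLOBAL`; the call counters, `compareWalks`, and `probeDetachedGetter` are assumptions of this example. The null-prototype case at the end goes beyond what the comment discusses and shows a second way the accessor-based walk diverges from the intrinsic one.

```javascript
// Added example, not code from this bug, from SES or from WebKit. It shows
// why an inspector that walks prototype chains through the page-visible
// Object.prototype.__proto__ accessor runs page code on every step, while a
// reference to Object.getPrototypeOf captured before page scripts run does not.

// Captured before any "page" code below runs. Inside a JSC builtin the
// equivalent is the @Object.@getPrototypeOf reference Comment 5 suggests,
// which page code cannot redefine.
const intrinsicGetPrototypeOf = Object.getPrototypeOf;

// Counters so the walks can show which code path invoked page-owned accessors.
const repairStats = { getterCalls: 0, setterCalls: 0 };

// Walk a prototype chain the way Comment 5 describes InjectedScript doing it:
// through the __proto__ accessor, which any page can replace.
function chainViaProtoAccessor(obj) {
  const chain = [];
  for (let o = obj; o !== null; o = o.__proto__) chain.push(o);
  return chain;
}

// The same walk through the captured intrinsic; no page-defined code runs.
function chainViaIntrinsic(obj) {
  const chain = [];
  for (let o = obj; o !== null; o = intrinsicGetPrototypeOf(o)) chain.push(o);
  return chain;
}

// Constructed stand-in for the SES repair quoted in Comment 5: wrap the
// original accessor pair and reject a null/undefined receiver with the same
// TypeError message. The 'use strict' directives keep `this` from being
// coerced to the global object, which is the behaviour the quoted
// test_UNDERBAR_PROTO_GETTER_USES_GLOBAL detects. Returns a function that
// restores the original accessor.
function installSesStyleProtoRepair() {
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  const oldGetter = desc.get;
  const oldSetter = desc.set;
  Object.defineProperty(Object.prototype, '__proto__', {
    get() {
      'use strict';
      repairStats.getterCalls++;
      if (this === null || this === undefined) {
        throw new TypeError('Cannot convert null or undefined to object');
      }
      return oldGetter.call(this);
    },
    set(newProto) {
      'use strict';
      repairStats.setterCalls++;
      if (this === null || this === undefined) {
        throw new TypeError('Cannot convert null or undefined to object');
      }
      oldSetter.call(this, newProto);
    },
    configurable: true,
  });
  return () => Object.defineProperty(Object.prototype, '__proto__', desc);
}

// Run both walkers over one object. The accessor-based walk is wrapped in
// try/catch because, once page code owns the accessor, it can throw; the
// intrinsic walk is left unguarded because nothing page-defined runs in it.
function compareWalks(obj) {
  let viaProto;
  try {
    viaProto = chainViaProtoAccessor(obj).length;
  } catch (e) {
    viaProto = e.constructor.name + ': ' + e.message;
  }
  return { viaProto, viaIntrinsic: chainViaIntrinsic(obj).length };
}

// Call the current __proto__ getter detached from any receiver, as the quoted
// SES test does. Under the repair this yields the TypeError message seen in
// the console output of Comment 4.
function probeDetachedGetter() {
  const getter = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').get;
  try {
    getter.call(undefined);
    return 'no error';
  } catch (e) {
    return e.constructor.name + ': ' + e.message;
  }
}

// Stand-alone demo; restores the original accessor before returning.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('before repair:', compareWalks([]));
  const restore = installSesStyleProtoRepair();
  console.log('after repair:', compareWalks([]), 'getter calls:', repairStats.getterCalls);
  console.log('detached getter:', probeDetachedGetter());
  console.log('null-prototype object:', compareWalks(Object.create(null)));
  restore();
}
```

Run with `node`. After the repair is installed, walking `[]` through `__proto__` invokes the page's getter three times (array, `Array.prototype`, `Object.prototype`) and the detached getter reports the page's own `TypeError`, while the intrinsic walk reaches the same three objects without running any page code; for an object created with `Object.create(null)` the accessor-based walk fails outright because that object never inherits the accessor. An inspector that must work on arbitrary pages therefore wants the captured intrinsic, which is what moving `InjectedScriptSource` to a builtin provides.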
Comment 6 Timothy Hatcher 2016-02-18 12:27:23 PST

*** This bug has been marked as a duplicate of bug 152294 ***