Bug 156924 - Crash if you type "debugger" in the console and continue
Summary: Crash if you type "debugger" in the console and continue
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Duplicates: 157273 (view as bug list)
Depends on: 156919
Blocks:
Reported: 2016-04-22 13:22 PDT by Timothy Hatcher
Modified: 2016-05-05 13:23 PDT (History)

See Also:


Attachments
Crash Log (83.59 KB, application/octet-stream)
2016-04-22 13:22 PDT, Timothy Hatcher
no flags
[PATCH] Proposed Fix (8.05 KB, patch)
2016-05-04 19:33 PDT, Joseph Pecoraro
mark.lam: review+
joepeck: commit-queue-
[PATCH] For Landing (11.97 KB, patch)
2016-05-05 11:12 PDT, Joseph Pecoraro
no flags

Description Timothy Hatcher 2016-04-22 13:22:19 PDT
Created attachment 277090 [details]
Crash Log

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000005
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0x5:
--> 
    __TEXT                 000000010cd34000-000000010cd36000 [    8K] r-x/rwx SM=COW  /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
Bundle controller class:
BrowserBundleController
 
Process Model:
Multiple Web Processes
 

Global Trace Buffer (reverse chronological seconds):
95.358494    libsystem_trace.dylib     	0x00007fff913cd0fa dyld_image_header_containing_address(0x7f863945edc0) failed
111.941891   libsystem_trace.dylib     	0x00007fff913cd0fa dyld_image_header_containing_address(0x7f863b90cf40) failed
117.671978   CFNetwork                 	0x00007fff9e63dddf Explicitly setting CF cookie storage singleton
117.672232   CFNetwork                 	0x00007fff9e67478d Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010e384799 llint_slow_path_jtrue + 201 (JSCellInlines.h:251)
1   com.apple.JavaScriptCore      	0x000000010e3922b2 llint_entry + 20657
2   com.apple.JavaScriptCore      	0x000000010e38d01e vmEntryToJavaScript + 299
3   com.apple.JavaScriptCore      	0x000000010e202fbe JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 (JITCode.cpp:81)
4   com.apple.JavaScriptCore      	0x000000010e162162 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 450 (Interpreter.cpp:1020)
5   com.apple.JavaScriptCore      	0x000000010dd6f467 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 71 (MarkedBlock.h:235)
6   com.apple.WebCore             	0x000000010f4f5b50 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 96 (JSMainThreadExecState.h:57)
7   com.apple.JavaScriptCore      	0x000000010e4c13dc Deprecated::ScriptFunctionCall::call(bool&) + 412 (ScriptFunctionCall.cpp:124)
8   com.apple.JavaScriptCore      	0x000000010e0f5062 Inspector::InjectedScriptBase::callFunctionWithEvalEnabled(Deprecated::ScriptFunctionCall&, bool&) const + 98 (InjectedScriptBase.cpp:80)
9   com.apple.JavaScriptCore      	0x000000010e0f519f Inspector::InjectedScriptBase::makeCall(Deprecated::ScriptFunctionCall&, WTF::RefPtr<Inspector::InspectorValue>*) + 79 (InjectedScriptBase.cpp:99)
10  com.apple.JavaScriptCore      	0x000000010e0f5407 Inspector::InjectedScriptBase::makeEvalCall(WTF::String&, Deprecated::ScriptFunctionCall&, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>*, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 55 (RefPtr.h:71)
11  com.apple.JavaScriptCore      	0x000000010e0f1b6f Inspector::InjectedScript::evaluateOnCallFrame(WTF::String&, JSC::JSValue, WTF::String const&, WTF::String const&, WTF::String const&, bool, bool, bool, bool, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>*, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 287 (StdLibExtras.h:355)
12  com.apple.JavaScriptCore      	0x000000010e130620 Inspector::InspectorDebuggerAgent::evaluateOnCallFrame(WTF::String&, WTF::String const&, WTF::String const&, WTF::String const*, bool const*, bool const*, bool const*, bool const*, bool const*, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>&, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 464 (StdLibExtras.h:355)
13  com.apple.JavaScriptCore      	0x000000010e1100b0 Inspector::DebuggerBackendDispatcher::evaluateOnCallFrame(long, WTF::RefPtr<Inspector::InspectorObject>&&) + 1360 (RefPtr.h:71)
14  com.apple.JavaScriptCore      	0x000000010e10d36c Inspector::DebuggerBackendDispatcher::dispatch(long, WTF::String const&, WTF::Ref<Inspector::InspectorObject>&&) + 588 (InspectorBackendDispatchers.cpp:2506)
15  com.apple.JavaScriptCore      	0x000000010e0fb613 Inspector::BackendDispatcher::dispatch(WTF::String const&) + 2467 (Ref.h:55)
16  com.apple.WebKit              	0x000000010ced3f74 void IPC::handleMessage<Messages::WebInspector::SendMessageToBackend, WebKit::WebInspector, void (WebKit::WebInspector::*)(WTF::String const&)>(IPC::MessageDecoder&, WebKit::WebInspector*, void (WebKit::WebInspector::*)(WTF::String const&)) + 67 (StdLibExtras.h:355)
17  com.apple.WebKit              	0x000000010cd79849 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127 (memory:2636)
18  com.apple.WebKit              	0x000000010cd7c1b2 IPC::Connection::dispatchOneMessage() + 126 (memory:2656)
19  com.apple.JavaScriptCore      	0x000000010e64abc5 WTF::RunLoop::performWork() + 437 (functional:1742)
20  com.apple.JavaScriptCore      	0x000000010e64af72 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
21  com.apple.CoreFoundation      	0x00007fff9cfb7881 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
Comment 1 Radar WebKit Bug Importer 2016-04-22 13:35:48 PDT
<rdar://problem/25884189>
Comment 2 Timothy Hatcher 2016-04-22 13:42:09 PDT
The Inspector UI had a change recently to make this case work better, and that is when I saw this crash. You will want r199897 or later when looking into this.
Comment 3 Mark Lam 2016-05-04 12:14:39 PDT
This issue no longer reproduces in WebKit ToT r200422.  Will close this bug.
Comment 4 Joseph Pecoraro 2016-05-04 17:27:04 PDT
*** Bug 157273 has been marked as a duplicate of this bug. ***
Comment 5 Joseph Pecoraro 2016-05-04 17:29:03 PDT
Was able to reproduce on my machine. With Mark's help we determined that InjectedScriptSource's evaluateOnCallFrame is getting called with a C++ Empty JSValue(), which ends up causing issues. It turns out this is because the Inspector is triggering evaluateOnCallFrame when we are not paused (and doesn't have any call frames)!

The backend should be made to not crash in these situations.

The frontend, ideally, should be made to not evaluate on a call frame when we are not paused.
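The backend failure described in the comment above, as an added illustration in C++. This is not WebKit or JavaScriptCore code: FakeJSValue, DebuggerBackend, the handler names and the error strings are hypothetical stand-ins. It shows the unchecked shape (a call-frame value passed straight to the injected script, where an empty value is dereferenced) next to a handler that rejects the request when the debugger is not paused or has no frame, and replays the title's sequence: pause on `debugger`, continue, and only then handle the console's evaluateOnCallFrame message.

```cpp
// Added illustration, not WebKit/JavaScriptCore code. Models the backend
// failure from comment 5: Debugger.evaluateOnCallFrame is dispatched while the
// debugger is not paused, so the call-frame value handed to the injected
// script is empty and gets dereferenced. All type names, methods and error
// strings here are hypothetical stand-ins.
#include <string>
#include <vector>

struct FakeCell { std::string name; };

// Stand-in for a tagged JS value. Assumption: a default-constructed value is
// "empty" (null cell), like the C++ JSValue() mentioned in the comment.
struct FakeJSValue {
    FakeCell* cell = nullptr;
    bool isEmpty() const { return cell == nullptr; }
    FakeCell* asCell() const { return cell; }   // no check, as in a hot path
};

struct EvalResult {
    bool ok;
    std::string value;   // evaluation result when ok
    std::string error;   // protocol error when !ok
};

class DebuggerBackend {
public:
    // The frontend's message arrives over IPC after an arbitrary delay, so
    // the backend cannot assume it is still paused when the message is handled.
    void pause(std::vector<FakeCell>* frames) { m_callFrames = frames; }
    void resume() { m_callFrames = nullptr; }
    bool paused() const { return m_callFrames != nullptr; }

    // Buggy shape: the call-frame value is passed through unconditionally.
    // Never call this unless paused() is true; with an empty value the
    // injected-script stand-in reads through a null pointer (undefined
    // behaviour, in practice a fault near address 0, like the 0x5 in the log).
    EvalResult evaluateOnCallFrameUnchecked(const std::string& expr) {
        return injectedScriptEvaluate(currentCallFrame(), expr);
    }

    // Fixed shape: reject the request before anything dereferences the value.
    EvalResult evaluateOnCallFrame(const std::string& expr) {
        if (!paused())
            return {false, "", "Not paused"};
        FakeJSValue frame = currentCallFrame();
        if (frame.isEmpty())
            return {false, "", "Call frame is empty"};
        return injectedScriptEvaluate(frame, expr);
    }

private:
    std::vector<FakeCell>* m_callFrames = nullptr;

    FakeJSValue currentCallFrame() const {
        if (!m_callFrames || m_callFrames->empty())
            return FakeJSValue{};            // empty, like a default JSValue()
        return FakeJSValue{&m_callFrames->front()};
    }

    // Stand-in for the injected script: trusts its argument completely.
    static EvalResult injectedScriptEvaluate(FakeJSValue frame, const std::string& expr) {
        return {true, frame.asCell()->name + ": " + expr, ""};
    }
};

// Replays the sequence in the bug title: pause on `debugger`, the user
// continues, and only then is the console's evaluateOnCallFrame handled.
// Returns the evaluation result, or the error the fixed handler reports.
std::string replayPauseContinueEvaluate(const std::string& expr) {
    std::vector<FakeCell> frames{{"top"}};
    DebuggerBackend backend;
    backend.pause(&frames);     // `debugger` statement hit
    backend.resume();           // "continue" pressed before the message lands
    EvalResult r = backend.evaluateOnCallFrame(expr);
    return r.ok ? r.value : r.error;
}

// Same handler while actually paused with a live frame: evaluation proceeds.
std::string evaluateWhilePaused(const std::string& expr) {
    std::vector<FakeCell> frames{{"top"}};
    DebuggerBackend backend;
    backend.pause(&frames);
    EvalResult r = backend.evaluateOnCallFrame(expr);
    return r.ok ? r.value : r.error;
}

// Paused, but with no call frames at all: the empty-value check catches it.
std::string evaluatePausedWithoutFrames(const std::string& expr) {
    std::vector<FakeCell> none;
    DebuggerBackend backend;
    backend.pause(&none);
    EvalResult r = backend.evaluateOnCallFrame(expr);
    return r.ok ? r.value : r.error;
}

int main() {
    return replayPauseContinueEvaluate("1 + 1") == "Not paused"
        && evaluateWhilePaused("1 + 1") == "top: 1 + 1"
        && evaluatePausedWithoutFrames("x") == "Call frame is empty" ? 0 : 1;
}
```

The design point is that the pause state is owned by the backend, so the check belongs there rather than in the frontend: even a frontend that only sends evaluateOnCallFrame while it believes the debugger is paused can lose the race against a resume, and the backend must treat the incoming message as untrusted with respect to its own state.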
Comment 6 Joseph Pecoraro 2016-05-04 19:33:03 PDT
Created attachment 278152 [details]
[PATCH] Proposed Fix
Comment 7 Mark Lam 2016-05-04 21:02:53 PDT
Comment on attachment 278152 [details]
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=278152&action=review

r=me

> LayoutTests/inspector/debugger/evaluateOnCallFrame-errors-expected.txt:12
> +PASS: Should be an error: Inspected frame has gone

I know this is not due to this patch but "Inspected frame has gone" doesn't sound right (and I'm not clear what it's actually trying to say).  Is it supposed to say "Inspected frame is gone"?  Or maybe "Inspected frame is invalid"?  Or maybe "Inspected frame is gone or is invalid"?
Comment 8 Joseph Pecoraro 2016-05-05 11:03:16 PDT
Comment on attachment 278152 [details]
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=278152&action=review

>> LayoutTests/inspector/debugger/evaluateOnCallFrame-errors-expected.txt:12
>> +PASS: Should be an error: Inspected frame has gone
> 
> I know this is not due to this patch but "Inspected frame has gone" doesn't sound right (and I'm not clear what it's actually trying to say).  Is it supposed to say "Inspected frame is gone"?  Or maybe "Inspected frame is invalid"?  Or maybe "Inspected frame is gone or is invalid"?

Heh, yeah I'll update the message.
Comment 9 Joseph Pecoraro 2016-05-05 11:12:09 PDT
Created attachment 278176 [details]
[PATCH] For Landing
Comment 10 WebKit Commit Bot 2016-05-05 12:01:01 PDT
Comment on attachment 278176 [details]
[PATCH] For Landing

Clearing flags on attachment: 278176

Committed r200467: <http://trac.webkit.org/changeset/200467>