157078 – Assertion failure when returning incomplete property descriptor from proxy trap

Bug 157078 - Assertion failure when returning incomplete property descriptor from proxy trap

Summary: Assertion failure when returning incomplete property descriptor from proxy trap

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Local Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Lam

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2016-04-27 10:28 PDT by André Bargull
Modified:	2016-06-15 21:41 PDT (History)
CC List:	8 users (show)

See Also:

Attachments
proposed patch. (3.45 KB, patch) 2016-06-15 20:59 PDT, Mark Lam	sbarati: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description André Bargull 2016-04-27 10:28:02 PDT

SVN: rev200124
Build with: perl Tools/Scripts/build-jsc --gtk --debug


The following test case triggers this assertion error:
---
ASSERTION FAILED: value
---


Test case:
---
Object.getOwnPropertyDescriptor(new Proxy({a:0}, { getOwnPropertyDescriptor(t,pk){return {writable:true, enumerable:true, configurable:true}} }), "")
---


Stack trace:
---
#0  0x00007ffff6e289ac in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:322
#1  0x00007ffff6ceb180 in JSC::PropertyDescriptor::setDescriptor (this=0x7fffffffca50, value=..., attributes=0) at ../../Source/JavaScriptCore/runtime/PropertyDescriptor.cpp:116
#2  0x00007ffff6c62064 in JSC::JSObject::getOwnPropertyDescriptor (this=0x7fffaedbf4f0, exec=0x7fffffffcaf0, propertyName=..., descriptor=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2866
#3  0x00007ffff6cd385f in JSC::objectConstructorGetOwnPropertyDescriptor (exec=0x7fffffffcaf0, object=0x7fffaedbf4f0, propertyName=...) at ../../Source/JavaScriptCore/runtime/ObjectConstructor.cpp:229
#4  0x00007ffff6cd3c71 in JSC::objectConstructorGetOwnPropertyDescriptor (exec=0x7fffffffcaf0) at ../../Source/JavaScriptCore/runtime/ObjectConstructor.cpp:272
#5  0x00007fffb0bff028 in ?? ()
#6  0x00007fffffffcb60 in ?? ()
#7  0x00007ffff6a33818 in llint_entry () at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1037
Backtrace stopped: frame did not save the PC
---

Comment 1 Radar WebKit Bug Importer 2016-05-13 00:43:10 PDT

<rdar://problem/26263841>

Comment 2 Mark Lam 2016-06-15 16:29:56 PDT

I can reproduce this on a debug build.  Looking into it.

Comment 3 Mark Lam 2016-06-15 20:59:06 PDT

Created attachment 281434 [details]
proposed patch.

Comment 4 Mark Lam 2016-06-15 21:41:53 PDT

Thanks for the review.  Landed in r202124: <http://trac.webkit.org/r202124>.