Bug 157333 - REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes
Status: RESOLVED DUPLICATE of bug 157045
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords:
Depends on:
Blocks: 157045
Reported: 2016-05-03 18:20 PDT by Joseph Pecoraro
Modified: 2016-05-04 13:02 PDT (History)

See Also:


Attachments
[TEST] Test case (113 bytes, text/html)
2016-05-03 18:20 PDT, Joseph Pecoraro
the patch (4.91 KB, patch)
2016-05-03 20:54 PDT, Filip Pizlo

Description Joseph Pecoraro 2016-05-03 18:20:37 PDT
Created attachment 278051
[TEST] Test case

* SUMMARY
Setting lazily initialized properties across frame boundaries crashes.

* TEST
<iframe id="x" src="data:text/html,<p>Hello</p>"></iframe>
<script>window.frames[0].Math = window.Math;</script>

* STEPS TO REPRODUCE
1. Load attached test case
  => CRASH

* NOTES
- Caught when trying to make `console` lazily initialized by test:
LayoutTests/fast/dom/Window/window-lookup-precedence.html

* CRASH SNIPPET
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   ???                           	000000000000000000 0 + 0
1   com.apple.JavaScriptCore      	0x00000001059bcc93 JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) + 19 (CustomGetterSetter.cpp:43)
2   com.apple.JavaScriptCore      	0x0000000105e4d3da JSC::putEntry(JSC::ExecState*, JSC::HashTableValue const*, JSC::JSObject*, JSC::JSObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 138 (Lookup.h:312)
3   com.apple.JavaScriptCore      	0x0000000105e4c63a JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1194 (JSObject.cpp:573)
4   com.apple.JavaScriptCore      	0x0000000105e476ae JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 526 (JSObjectInlines.h:81)
5   com.apple.JavaScriptCore      	0x0000000105e0e0cf JSC::JSGlobalObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 111 (JSGlobalObject.cpp:825)
6   com.apple.WebCore             	0x0000000106ee09fa WebCore::JSDOMWindow::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 90 (JSDOMWindowCustom.cpp:315)
7   com.apple.JavaScriptCore      	0x0000000105dbce9a JSC::putByVal(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue, JSC::ByValInfo*) + 1466 (JSCJSValueInlines.h:840)
8   ???                           	0x000039d551e0e7b3 0 + 63588364511155
9   com.apple.JavaScriptCore      	0x0000000105f283c2 llint_entry + 23764
10  com.apple.JavaScriptCore      	0x0000000105f2250b vmEntryToJavaScript + 299
11  com.apple.JavaScriptCore      	0x0000000105d9a74e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 (JITCode.cpp:81)
12  com.apple.JavaScriptCore      	0x0000000105d51536 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 15110 (Interpreter.cpp:960)
13  com.apple.JavaScriptCore      	0x00000001059b1f25 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 469 (Completion.cpp:106)
14  com.apple.WebCore             	0x00000001074e9cfe WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 302 (JSMainThreadExecState.h:81)
15  com.apple.WebCore             	0x00000001074efdc7 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 567 (CurrentScriptIncrementer.h:50)
16  com.apple.WebCore             	0x00000001074ee6fa WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1066 (StdLibExtras.h:370)
17  com.apple.WebCore             	0x0000000106cb5d02 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 338 (ScriptElement.h:59)
18  com.apple.WebCore             	0x0000000106cb5b60 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48 (HTMLScriptRunner.cpp:189)
19  com.apple.WebCore             	0x0000000106c5358c WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 316 (StdLibExtras.h:370)
20  com.apple.WebCore             	0x0000000106c5393d WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 669 (HTMLDocumentParser.cpp:234)
21  com.apple.WebCore             	0x0000000106c532c3 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115 (DocumentParser.h:70)
...
Comment 1 Filip Pizlo 2016-05-03 19:25:17 PDT
Crazy!  I can take a look.
Comment 2 Filip Pizlo 2016-05-03 20:22:15 PDT
Wow, this is a huge omission in the original patch. Luckily, it's easy to fix.

Basically, I forgot to thread the new hashtable attributes through putEntry.  I didn't realize that putEntry had to also know about all of the attributes.
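As an added example (not JavaScriptCore's code and not the patch on this bug), a simplified C++ model of the dispatch Comment 2 describes: a static property hash table whose put path must know every attribute kind, with the regression shape beside the fixed shape. The entry kinds, the property names, the `GlobalObject`/`PutResult` types and the materialisation step are assumptions of the model.

```cpp
// Added example, not JavaScriptCore's code: a simplified model of a static
// property hash table whose putEntry must dispatch on every attribute kind.
// Entry kinds, property names and the materialisation step are assumptions.
#include <cstdint>
#include <map>
#include <string>
enum class Attr : uint8_t { Function, CustomAccessor, LazyProperty };
using Setter = bool (*)(int64_t slotBase, int64_t value); using Initializer = int64_t (*)();
// setter is meaningful only for CustomAccessor, initializer only for LazyProperty.
struct Entry { const char* name; Attr attributes; Setter setter; Initializer initializer; };
enum class PutResult { CalledSetter, Materialized, Ordinary, NotFound };
struct GlobalObject { std::map<std::string, int64_t> storage; };  // one frame's window object
// Constructed table: a custom accessor with a real setter, and a lazily
// initialised property with no setter (the null function pointer in frame 0).
static bool locationSetter(int64_t, int64_t) { return true; }
static int64_t buildMath() { return 1; }
static const Entry kTable[] = {
    { "location", Attr::CustomAccessor, locationSetter, nullptr },
    { "Math",     Attr::LazyProperty,   nullptr,        buildMath },
};
static const Entry* findEntry(const std::string& name) {
    for (const Entry& e : kTable) if (name == e.name) return &e;
    return nullptr;
}

// Regression shape: only the Function bit is checked, so every other entry is
// treated as a CustomAccessor; for "Math" that calls a null function pointer.
PutResult putEntryBuggy(GlobalObject& g, const std::string& name, int64_t value) {
    const Entry* e = findEntry(name);
    if (!e) return PutResult::NotFound;
    if (e->attributes != Attr::Function) { e->setter(0, value); return PutResult::CalledSetter; }  // UB when null
    g.storage[name] = value; return PutResult::Ordinary;
}

// Fixed shape: every attribute kind is handled explicitly. A LazyProperty is
// materialised into the target object's own storage before the put completes.
PutResult putEntryFixed(GlobalObject& g, const std::string& name, int64_t value) {
    const Entry* e = findEntry(name);
    if (!e) return PutResult::NotFound;
    if (e->attributes == Attr::CustomAccessor) { e->setter(0, value); return PutResult::CalledSetter; }
    if (e->attributes == Attr::LazyProperty) { g.storage[name] = e->initializer(); g.storage[name] = value; return PutResult::Materialized; }
    g.storage[name] = value; return PutResult::Ordinary;
}
// The report's scenario: the outer frame assigns to the child frame's lazily
// initialised Math. Returns the value the child window holds afterwards.
int64_t assignMathAcrossFrames(int64_t outerMath) {
    GlobalObject childWindow;
    if (putEntryFixed(childWindow, "Math", outerMath) != PutResult::Materialized) return -1;
    return childWindow.storage.at("Math");
}
```

The defensive point is the one the trace shows: a table entry whose setter slot is null must never reach the custom-setter call, so the put path has to branch on the full attribute set rather than on a single bit.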
Comment 3 Filip Pizlo 2016-05-03 20:54:42 PDT
Created attachment 278063
the patch
Comment 4 WebKit Commit Bot 2016-05-03 22:00:32 PDT
Comment on attachment 278063
the patch

Clearing flags on attachment: 278063

Committed r200406: <http://trac.webkit.org/changeset/200406>
Comment 5 WebKit Commit Bot 2016-05-03 22:00:36 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Chris Dumez 2016-05-04 08:47:45 PDT
Reverted r200383 and r200406 for reason:

Seems to have caused crashes on iOS / ARMv7s

Committed r200416: <http://trac.webkit.org/changeset/200416>
Comment 7 Filip Pizlo 2016-05-04 13:02:40 PDT

*** This bug has been marked as a duplicate of bug 157045 ***