Bug 157442 - Web Inspector: CRASH under JSC::DebuggerCallFrame::thisValue when hitting breakpoint
Summary: Web Inspector: CRASH under JSC::DebuggerCallFrame::thisValue when hitting bre...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Joseph Pecoraro
Keywords: InRadar
Reported: 2016-05-06 19:13 PDT by Joseph Pecoraro
Modified: 2016-05-10 01:53 PDT

Attachments
[PATCH] Fix Without Test (837 bytes, patch)
2016-05-06 19:15 PDT, Joseph Pecoraro
no flags
[PATCH] Proposed Fix (5.26 KB, patch)
2016-05-09 14:32 PDT, Joseph Pecoraro
saam: review+
[PATCH] For Landing (5.35 KB, patch)
2016-05-09 23:06 PDT, Joseph Pecoraro
no flags

Description Joseph Pecoraro 2016-05-06 19:13:39 PDT
* SUMMARY
CRASH under JSC::DebuggerCallFrame::thisValue when hitting breakpoint

* STEPS TO REPRODUCE
1. Inspect about:blank
2. Right click in the toolbar and select Inspect Element to open inspector²
3. In inspector²: Do a global search for “class CallFrameView”
4. In inspector²: Set a breakpoint on the first line of the constructor
5. In inspector¹: js> console.count()
  => Inspector Processes crash

* CRASH
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

External Modification Warnings:
Debugger attached to process.

VM Regions Near 0:
--> 
    __TEXT                 000000010fd12000-000000010fd14000 [    8K] r-x/rwx SM=COW  /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Global Trace Buffer (reverse chronological seconds):
390.605015   CFNetwork                 	0x00007fff93162ddf Explicitly setting CF cookie storage singleton
390.605302   CFNetwork                 	0x00007fff9319978d Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000001133b9cdc JSC::JSCell::structure(JSC::VM&) const + 44 (JSCellInlines.h:107)
1   com.apple.JavaScriptCore      	0x00000001134bcdfd JSC::JSCell::methodTable(JSC::VM&) const + 29 (JSCellInlines.h:213)
2   com.apple.JavaScriptCore      	0x00000001134bcac2 JSC::JSValue::toThis(JSC::ExecState*, JSC::ECMAMode) const + 82 (JSCJSValueInlines.h:756)
3   com.apple.JavaScriptCore      	0x00000001136ff9b4 JSC::DebuggerCallFrame::thisValueForCallFrame(JSC::ExecState*) + 132 (DebuggerCallFrame.cpp:265)
4   com.apple.JavaScriptCore      	0x00000001136ff91b JSC::DebuggerCallFrame::thisValue() const + 91 (DebuggerCallFrame.cpp:174)
5   com.apple.JavaScriptCore      	0x0000000113e62f54 Inspector::JavaScriptCallFrame::thisValue() const + 36 (JavaScriptCallFrame.h:57)
6   com.apple.JavaScriptCore      	0x0000000113e628d1 Inspector::JSJavaScriptCallFrame::thisObject(JSC::ExecState*) const + 33 (JSJavaScriptCallFrame.cpp:175)
7   com.apple.JavaScriptCore      	0x0000000113e68906 Inspector::jsJavaScriptCallFrameAttributeThisObject(JSC::ExecState*) + 358 (JSJavaScriptCallFramePrototype.cpp:171)
8   com.apple.JavaScriptCore      	0x0000000113f89eda vmEntryToNative + 340
9   com.apple.JavaScriptCore      	0x0000000113d282cc JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1164 (Interpreter.cpp:1022)
10  com.apple.JavaScriptCore      	0x00000001135fd23e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190 (CallData.cpp:40)
11  com.apple.JavaScriptCore      	0x0000000113c481ed JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue) + 221 (GetterSetter.cpp:85)
12  com.apple.JavaScriptCore      	0x000000011413a840 JSC::PropertySlot::functionGetter(JSC::ExecState*) const + 144 (PropertySlot.cpp:33)
13  com.apple.JavaScriptCore      	0x00000001134c15c2 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 98 (PropertySlot.h:297)
14  com.apple.JavaScriptCore      	0x00000001134c13cb JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 91 (JSCJSValueInlines.h:768)
15  com.apple.JavaScriptCore      	0x0000000113f800cc llint_slow_path_get_by_id + 236 (LLIntSlowPaths.cpp:569)
16  com.apple.JavaScriptCore      	0x0000000113f8ceac llint_entry + 12120
17  com.apple.JavaScriptCore      	0x0000000113f90c4e llint_entry + 27898
18  com.apple.JavaScriptCore      	0x0000000113f89d3e vmEntryToJavaScript + 334
19  com.apple.JavaScriptCore      	0x0000000113d950ea JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 218 (JITCode.cpp:80)
20  com.apple.JavaScriptCore      	0x0000000113d2828c JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1100 (Interpreter.cpp:1020)
21  com.apple.JavaScriptCore      	0x00000001135fd23e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190 (CallData.cpp:40)
22  com.apple.JavaScriptCore      	0x00000001135fd2a3 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 83 (CallData.cpp:45)
23  com.apple.WebCore             	0x00000001177d827b WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 107 (JSMainThreadExecState.h:57)
24  com.apple.WebCore             	0x0000000117a6c18d WebCore::functionCallHandlerFromAnyThread(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 109 (JSMainThreadExecState.cpp:44)
25  com.apple.JavaScriptCore      	0x000000011418f5be Deprecated::ScriptFunctionCall::call(bool&) + 478 (ScriptFunctionCall.cpp:124)
26  com.apple.JavaScriptCore      	0x0000000113c7bfdf Inspector::InjectedScriptBase::callFunctionWithEvalEnabled(Deprecated::ScriptFunctionCall&, bool&) const + 95 (InjectedScriptBase.cpp:80)
27  com.apple.JavaScriptCore      	0x0000000113c788f6 Inspector::InjectedScript::wrapCallFrames(JSC::JSValue) const + 310 (InjectedScript.cpp:221)
28  com.apple.JavaScriptCore      	0x0000000113ce73bb Inspector::InspectorDebuggerAgent::currentCallFrames(Inspector::InjectedScript const&) + 187 (InspectorDebuggerAgent.cpp:612)
29  com.apple.JavaScriptCore      	0x0000000113ce81f5 Inspector::InspectorDebuggerAgent::didPause(JSC::ExecState&, JSC::JSValue, JSC::JSValue) + 821 (InspectorDebuggerAgent.cpp:721)
Comment 1 Joseph Pecoraro 2016-05-06 19:13:49 PDT
<rdar://problem/24172015>
Comment 2 Joseph Pecoraro 2016-05-06 19:15:00 PDT
Created attachment 278311 [details]
[PATCH] Fix Without Test

This fixes the issue and things look alright. But I really need to understand what is going wrong, and ideally write a test so that this won't happen again.
Comment 3 Saam Barati 2016-05-08 17:11:07 PDT
"this" can be JSValue() in a constructor before calling super().
Is that what's happening here?
Comment 4 Joseph Pecoraro 2016-05-09 11:05:33 PDT
(In reply to comment #3)
> "this" can be JSValue() in a constructor before calling super().
> Is that what's happening here?

Those were my thoughts exactly!
Comment 5 Joseph Pecoraro 2016-05-09 14:32:39 PDT
Created attachment 278439 [details]
[PATCH] Proposed Fix
Comment 6 Saam Barati 2016-05-09 15:09:48 PDT
Comment on attachment 278439 [details]
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=278439&action=review

r=me

> Source/JavaScriptCore/ChangeLog:12
> +        When the thisValue is JSValue() return undefined and avoid calling
> +        toThisValue which would lead to a crash.
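Review bot: the callee named in the ChangeLog, toThisValue, does not match the crash stack above, where frame 2 is JSC::JSValue::toThis called from JSC::DebuggerCallFrame::thisValueForCallFrame (DebuggerCallFrame.cpp:265); naming the actual function, and stating that thisValue is JSValue() because the frame is paused in an ES6 class constructor before super() has run, would make the entry match the trace and explain why the early return is correct rather than just that it avoids the crash.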

I think it's worth stating why this was the case in the change log. I.e., we were in an ES6 class constructor
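The cause discussed in comments 3 and 4 and the guard described in the ChangeLog quoted above, modelled at the JavaScript level as an added example (this is not WebKit code; debuggerThisValue, runProbe and unguardedAccessThrows are hypothetical names):

```javascript
// Added example, not WebKit code: models why `this` was empty and what the
// fix does. In a derived-class constructor `this` is uninitialized (TDZ)
// until super() returns; a frame inspector paused on the first line must
// report that state as undefined instead of converting it with toThis.
class Base {
  constructor(name) {
    this.name = name;
  }
}

// Hypothetical stand-in for the debugger's thisValue getter: an uninitialized
// `this` (a ReferenceError here, JSValue() inside JSC) becomes undefined.
function debuggerThisValue(probe) {
  try {
    return probe();
  } catch (e) {
    if (e instanceof ReferenceError) return undefined;
    throw e; // anything else is a real failure, not the TDZ case
  }
}

// Builds a derived instance and records what the guarded getter sees on the
// constructor's first line (before super()) and again after super().
function runProbe() {
  const seen = [];
  class Derived extends Base {
    constructor() {
      seen.push(debuggerThisValue(() => this)); // breakpoint position
      super("derived");
      seen.push(debuggerThisValue(() => this));
    }
  }
  const instance = new Derived();
  return { beforeSuper: seen[0], afterSuper: seen[1], instance };
}

// Without the guard, reading `this` before super() throws, which is the
// JavaScript-level counterpart of the crash: there is no value to read yet.
function unguardedAccessThrows() {
  class Derived extends Base {
    constructor() {
      const t = this; // ReferenceError: `this` not yet initialized
      super(t);
    }
  }
  try { new Derived(); return false; } catch (e) { return e instanceof ReferenceError; }
}
```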
Comment 7 Joseph Pecoraro 2016-05-09 23:06:25 PDT
Created attachment 278479 [details]
[PATCH] For Landing
Comment 8 WebKit Commit Bot 2016-05-09 23:35:55 PDT
Comment on attachment 278479 [details]
[PATCH] For Landing

Clearing flags on attachment: 278479

Committed r200617: <http://trac.webkit.org/changeset/200617>