RESOLVED FIXED 157442
Web Inspector: CRASH under JSC::DebuggerCallFrame::thisValue when hitting breakpoint
https://bugs.webkit.org/show_bug.cgi?id=157442
Joseph Pecoraro
Reported 2016-05-06 19:13:39 PDT
* SUMMARY
CRASH under JSC::DebuggerCallFrame::thisValue when hitting breakpoint

* STEPS TO REPRODUCE
1. Inspect about:blank
2. Right click in the toolbar and select Inspect Element to open inspector²
3. In inspector²: Do a global search for “class CallFrameView”
4. In inspector²: Set a breakpoint on the first line of the constructor
5. In inspector¹: js> console.count()
=> Inspector Processes crash

* CRASH
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY

External Modification Warnings:
Debugger attached to process.

VM Regions Near 0:
--> __TEXT 000000010fd12000-000000010fd14000 [ 8K] r-x/rwx SM=COW /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Global Trace Buffer (reverse chronological seconds):
390.605015 CFNetwork 0x00007fff93162ddf Explicitly setting CF cookie storage singleton
390.605302 CFNetwork 0x00007fff9319978d Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x00000001133b9cdc JSC::JSCell::structure(JSC::VM&) const + 44 (JSCellInlines.h:107)
1 com.apple.JavaScriptCore 0x00000001134bcdfd JSC::JSCell::methodTable(JSC::VM&) const + 29 (JSCellInlines.h:213)
2 com.apple.JavaScriptCore 0x00000001134bcac2 JSC::JSValue::toThis(JSC::ExecState*, JSC::ECMAMode) const + 82 (JSCJSValueInlines.h:756)
3 com.apple.JavaScriptCore 0x00000001136ff9b4 JSC::DebuggerCallFrame::thisValueForCallFrame(JSC::ExecState*) + 132 (DebuggerCallFrame.cpp:265)
4 com.apple.JavaScriptCore 0x00000001136ff91b JSC::DebuggerCallFrame::thisValue() const + 91 (DebuggerCallFrame.cpp:174)
5 com.apple.JavaScriptCore 0x0000000113e62f54 Inspector::JavaScriptCallFrame::thisValue() const + 36 (JavaScriptCallFrame.h:57)
6 com.apple.JavaScriptCore 0x0000000113e628d1 Inspector::JSJavaScriptCallFrame::thisObject(JSC::ExecState*) const + 33 (JSJavaScriptCallFrame.cpp:175)
7 com.apple.JavaScriptCore 0x0000000113e68906 Inspector::jsJavaScriptCallFrameAttributeThisObject(JSC::ExecState*) + 358 (JSJavaScriptCallFramePrototype.cpp:171)
8 com.apple.JavaScriptCore 0x0000000113f89eda vmEntryToNative + 340
9 com.apple.JavaScriptCore 0x0000000113d282cc JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1164 (Interpreter.cpp:1022)
10 com.apple.JavaScriptCore 0x00000001135fd23e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190 (CallData.cpp:40)
11 com.apple.JavaScriptCore 0x0000000113c481ed JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue) + 221 (GetterSetter.cpp:85)
12 com.apple.JavaScriptCore 0x000000011413a840 JSC::PropertySlot::functionGetter(JSC::ExecState*) const + 144 (PropertySlot.cpp:33)
13 com.apple.JavaScriptCore 0x00000001134c15c2 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 98 (PropertySlot.h:297)
14 com.apple.JavaScriptCore 0x00000001134c13cb JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 91 (JSCJSValueInlines.h:768)
15 com.apple.JavaScriptCore 0x0000000113f800cc llint_slow_path_get_by_id + 236 (LLIntSlowPaths.cpp:569)
16 com.apple.JavaScriptCore 0x0000000113f8ceac llint_entry + 12120
17 com.apple.JavaScriptCore 0x0000000113f90c4e llint_entry + 27898
18 com.apple.JavaScriptCore 0x0000000113f89d3e vmEntryToJavaScript + 334
19 com.apple.JavaScriptCore 0x0000000113d950ea JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 218 (JITCode.cpp:80)
20 com.apple.JavaScriptCore 0x0000000113d2828c JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1100 (Interpreter.cpp:1020)
21 com.apple.JavaScriptCore 0x00000001135fd23e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190 (CallData.cpp:40)
22 com.apple.JavaScriptCore 0x00000001135fd2a3 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 83 (CallData.cpp:45)
23 com.apple.WebCore 0x00000001177d827b WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 107 (JSMainThreadExecState.h:57)
24 com.apple.WebCore 0x0000000117a6c18d WebCore::functionCallHandlerFromAnyThread(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 109 (JSMainThreadExecState.cpp:44)
25 com.apple.JavaScriptCore 0x000000011418f5be Deprecated::ScriptFunctionCall::call(bool&) + 478 (ScriptFunctionCall.cpp:124)
26 com.apple.JavaScriptCore 0x0000000113c7bfdf Inspector::InjectedScriptBase::callFunctionWithEvalEnabled(Deprecated::ScriptFunctionCall&, bool&) const + 95 (InjectedScriptBase.cpp:80)
27 com.apple.JavaScriptCore 0x0000000113c788f6 Inspector::InjectedScript::wrapCallFrames(JSC::JSValue) const + 310 (InjectedScript.cpp:221)
28 com.apple.JavaScriptCore 0x0000000113ce73bb Inspector::InspectorDebuggerAgent::currentCallFrames(Inspector::InjectedScript const&) + 187 (InspectorDebuggerAgent.cpp:612)
29 com.apple.JavaScriptCore 0x0000000113ce81f5 Inspector::InspectorDebuggerAgent::didPause(JSC::ExecState&, JSC::JSValue, JSC::JSValue) + 821 (InspectorDebuggerAgent.cpp:721)
Attachments
[PATCH] Fix Without Test (837 bytes, patch)
2016-05-06 19:15 PDT, Joseph Pecoraro
no flags
[PATCH] Proposed Fix (5.26 KB, patch)
2016-05-09 14:32 PDT, Joseph Pecoraro
saam: review+
[PATCH] For Landing (5.35 KB, patch)
2016-05-09 23:06 PDT, Joseph Pecoraro
no flags
Joseph Pecoraro
Comment 1 2016-05-06 19:13:49 PDT
Joseph Pecoraro
Comment 2 2016-05-06 19:15:00 PDT
Created attachment 278311 [details] [PATCH] Fix Without Test

This fixes the issue and things look alright. But I really need to understand what is going wrong, and ideally write a test so that this won't happen again.
Saam Barati
Comment 3 2016-05-08 17:11:07 PDT
"this" can be JSValue() in a constructor before calling super(). Is that what's happening here?
Joseph Pecoraro
Comment 4 2016-05-09 11:05:33 PDT
(In reply to comment #3)
> "this" can be JSValue() in a constructor before calling super().
> Is that what's happening here?

Those were my thoughts exactly!
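The condition the two comments above agree on, shown from the JavaScript side as an added example (not code from the bug report or from WebKit): in a derived class constructor `this` is uninitialized until super() returns, which is the empty JSValue() the debugger frame tried to pass to toThis() when paused on the constructor's first line. The `probe` helper and the `Base`/`Derived` classes are constructed for this illustration.

```javascript
// Record what `this` looks like at a given point. `probe` is a hypothetical
// stand-in for the debugger pausing and reading the frame's this value.
function probe(getThis) {
  try {
    const value = getThis();
    return { initialized: true, type: typeof value };
  } catch (e) {
    // Reading `this` before super() throws a ReferenceError: the binding
    // exists but holds no value yet (the engine-level "empty" value).
    return { initialized: false, error: e.constructor.name };
  }
}

class Base {
  constructor() {
    this.tag = "base";
  }
}

class Derived extends Base {
  constructor(observations) {
    // Same point as a breakpoint on the first line of the constructor:
    // `this` cannot be read yet, and the arrow inherits that binding.
    observations.push(probe(() => this));
    super();
    // After super() returns, `this` is an ordinary initialized object.
    observations.push(probe(() => this));
  }
}

// Construct one Derived and return the before/after observations.
function observeThisAroundSuper() {
  const observations = [];
  new Derived(observations);
  return observations;
}
```

A debugger that exposes a frame's `this` must therefore treat the uninitialized state as a distinct case (the landed fix returns undefined for it) rather than converting it as if it were a value.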
Joseph Pecoraro
Comment 5 2016-05-09 14:32:39 PDT
Created attachment 278439 [details] [PATCH] Proposed Fix
Saam Barati
Comment 6 2016-05-09 15:09:48 PDT
Comment on attachment 278439 [details] [PATCH] Proposed Fix
View in context: https://bugs.webkit.org/attachment.cgi?id=278439&action=review

r=me

> Source/JavaScriptCore/ChangeLog:12
> + When the thisValue is JSValue() return undefined and avoid calling
> + toThisValue which would lead to a crash.

I think it's worth stating why this was the case in the change log. I.e., we were in an ES6 class constructor.
Joseph Pecoraro
Comment 7 2016-05-09 23:06:25 PDT
Created attachment 278479 [details] [PATCH] For Landing
WebKit Commit Bot
Comment 8 2016-05-09 23:35:55 PDT
Comment on attachment 278479 [details] [PATCH] For Landing

Clearing flags on attachment: 278479

Committed r200617: <http://trac.webkit.org/changeset/200617>