WebKit Bugzilla
Bug 157613 - Web Inspector: CRASH getting internal properties of function with no bound arguments causes
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=157613

Reported by Joseph Pecoraro, 2016-05-11 23:39:48 PDT
* SUMMARY
CRASH getting internal properties of function with no bound arguments causes.

* STEPS TO REPRODUCE
1. js> dir( (function(){}).bind(null) )
2. Expand function object
=> CRASH

* CRASH DETAILS
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000005
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore   0x0000000103dc4367 JSC::JSObject::hasPropertyGeneric(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot::InternalMethodType) const + 1991 (JSObject.h:1206)
1   com.apple.JavaScriptCore   0x00000001038c2908 JSC::CommonSlowPaths::opIn(JSC::ExecState*, JSC::JSValue, JSC::JSValue) + 488 (CommonSlowPaths.h:89)
2   com.apple.JavaScriptCore   0x00000001038b9ca6 slow_path_in + 182 (JSCJSValue.h:514)
3   com.apple.JavaScriptCore   0x0000000103e981ae llint_entry + 20167
4   com.apple.JavaScriptCore   0x0000000103e93104 vmEntryToJavaScript + 299
5   com.apple.JavaScriptCore   0x0000000103d0500e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 (JITCode.cpp:81)
6   com.apple.JavaScriptCore   0x0000000103c619a2 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 450 (Interpreter.cpp:1020)
7   com.apple.JavaScriptCore   0x00000001038590c7 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 71 (MarkedBlock.h:235)
8   com.apple.WebCore          0x0000000105022ad0 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 96 (JSMainThreadExecState.h:57)
9   com.apple.JavaScriptCore   0x0000000103fcf0ec Deprecated::ScriptFunctionCall::call(bool&) + 412 (ScriptFunctionCall.cpp:124)
10  com.apple.JavaScriptCore   0x0000000103bf52a2 Inspector::InjectedScriptBase::callFunctionWithEvalEnabled(Deprecated::ScriptFunctionCall&, bool&) const + 98 (InjectedScriptBase.cpp:80)
11  com.apple.JavaScriptCore   0x0000000103bf53df Inspector::InjectedScriptBase::makeCall(Deprecated::ScriptFunctionCall&, WTF::RefPtr<Inspector::InspectorValue>*) + 79 (InjectedScriptBase.cpp:99)
12  com.apple.JavaScriptCore   0x0000000103bf2d6a Inspector::InjectedScript::getInternalProperties(WTF::String&, WTF::String const&, bool, WTF::RefPtr<Inspector::Protocol::Array<Inspector::Protocol::Runtime::InternalPropertyDescriptor> >*) + 202 (RefPtr.h:71)

* LLDB
(lldb) f
frame #4: 0x000000010cb6fca1 JavaScriptCore`Inspector::JSInjectedScriptHost::getInternalProperties(this=0x00000001277b1c20, exec=0x00007fff571ee550) + 2209 at JSInjectedScriptHost.cpp:286
   283          JSArray* array = constructEmptyArray(exec, nullptr, 3);
   284          array->putDirectIndex(exec, index++, constructInternalProperty(exec, "targetFunction", boundFunction->targetFunction()));
   285          array->putDirectIndex(exec, index++, constructInternalProperty(exec, "boundThis", boundFunction->boundThis()));
-> 286          array->putDirectIndex(exec, index++, constructInternalProperty(exec, "boundArgs", boundFunction->boundArgs()));
   287          return array;
   288      }
   289
(lldb) p boundFunction->boundArgs()
(JSC::JSArray *) $11 = 0x0000000000000000
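As an added illustration of the null-pointer shape this report describes (this is not WebKit's code and not the fix that landed in r200746): a hypothetical stand-in for the bound-function internals, where the bound-args array is left null when bind() received no extra arguments, and a descriptor builder that guards that case instead of dereferencing it the way line 286 does.

```cpp
// Added example, not JavaScriptCore code: models why bind(null) with no extra
// arguments leaves a null "boundArgs" pointer, and how the internal-property
// builder must treat null as "no arguments" rather than dereference it.
#include <memory>
#include <string>
#include <vector>

struct InternalProperty {
    std::string name;
    std::string value;
};

// Hypothetical model of a bound function; not JSC::JSBoundFunction.
struct BoundFunction {
    std::string targetFunction;
    std::string boundThis;
    std::unique_ptr<std::vector<std::string>> boundArgs; // null when nothing was bound
};

// Mirrors the observed behaviour: the args array only exists when bind() got extra args.
BoundFunction makeBound(std::string target, std::string thisValue,
                        std::vector<std::string> args = {}) {
    BoundFunction f{std::move(target), std::move(thisValue), nullptr};
    if (!args.empty())
        f.boundArgs = std::make_unique<std::vector<std::string>>(std::move(args));
    return f;
}

static std::string describeArgs(const std::vector<std::string>* args) {
    // An unguarded args->size() here is the null dereference the crash shows.
    if (!args)
        return "[]";
    std::string out = "[";
    for (size_t i = 0; i < args->size(); ++i)
        out += (i ? ", " : "") + (*args)[i];
    return out + "]";
}

// Guarded equivalent of the three putDirectIndex calls in the lldb listing.
std::vector<InternalProperty> internalProperties(const BoundFunction& f) {
    return {
        {"targetFunction", f.targetFunction},
        {"boundThis", f.boundThis},
        {"boundArgs", describeArgs(f.boundArgs.get())},
    };
}
```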
Attachments
- [PATCH] Proposed Fix (4.31 KB, patch), 2016-05-11 23:42 PDT, Joseph Pecoraro, no flags
- [PATCH] Proposed Fix (4.26 KB, patch), 2016-05-11 23:43 PDT, Joseph Pecoraro, no flags
Comment 1, Joseph Pecoraro, 2016-05-11 23:39:56 PDT
<rdar://problem/26238754>

Comment 2, Joseph Pecoraro, 2016-05-11 23:42:23 PDT
Created attachment 278703 [details]
[PATCH] Proposed Fix

Comment 3, Joseph Pecoraro, 2016-05-11 23:43:47 PDT
Created attachment 278704 [details]
[PATCH] Proposed Fix

Slightly simplified the test.

Comment 4, WebKit Commit Bot, 2016-05-12 00:27:52 PDT
Comment on attachment 278704 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 278704

Committed r200746: <http://trac.webkit.org/changeset/200746>

Comment 5, WebKit Commit Bot, 2016-05-12 00:27:57 PDT
All reviewed patches have been landed. Closing bug.