RESOLVED FIXED222538
REGRESSION: Object.defineProperties triggering a setter 
https://bugs.webkit.org/show_bug.cgi?id=222538
Summary REGRESSION: Object.defineProperties triggering a setter
Mark S. Miller
Reported 2021-03-01 00:53:18 PST
Created attachment 421790 [details] Screenshot of debugger state caught in buggy behavior See https://github.com/Agoric/SES-shim/pull/592 The SES Demo console, after previously having worked on Safari Technology Preview, suddenly started failing with an infinite recursion. This instrumented variation of the PR in which this started failing catches when `Object.defineProperties` causes a setter to be called. The `Object.defineProperties` is attempting to convert `Array.prototype.toString` from a data property to an accessor property, after `Object.prototype.toString` has been similarly converted. Violating the semantics of `defineProperties`, it causes the setter of the `Object.prototype.toString` accessor property to be called. There follows some screenshots examining this state from within the debugger. This is on Safari Technology Preview Release 121 (Safari 14.2, WebKit 16612.1.4.3)
Attachments
Screenshot of debugger state caught in buggy behavior (561.89 KB, image/png)
2021-03-01 00:53 PST, Mark S. Miller 		no flags
Details
Screenshot of debugger state caught in buggy behavior (8.36 KB, image/png)
2021-03-01 00:54 PST, Mark S. Miller 		no flags
Details
Screenshot of debugger state caught in buggy behavior (496.68 KB, image/png)
2021-03-01 00:54 PST, Mark S. Miller 		no flags
Details
Screenshot of debugger state caught in buggy behavior (547.05 KB, image/png)
2021-03-01 00:55 PST, Mark S. Miller 		no flags
Details
Screenshot of debugger state caught in buggy behavior (417.72 KB, image/png)
2021-03-01 00:55 PST, Mark S. Miller 		no flags
Details
Screenshot of debugger state caught in buggy behavior (435.14 KB, image/png)
2021-03-01 00:56 PST, Mark S. Miller 		no flags
Details
Patch (4.67 KB, patch)
2021-03-01 16:44 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
The call to defineProperties (740.04 KB, image/png)
2021-05-07 15:30 PDT, Mark S. Miller 		no flags
Details
The call to the setter (691.76 KB, image/png)
2021-05-07 15:33 PDT, Mark S. Miller 		no flags
Details
Shows about box and full url (859.02 KB, image/png)
2021-05-07 15:34 PDT, Mark S. Miller 		no flags
Details
Snapshot of built package currently use by page (212.98 KB, text/javascript)
2021-05-07 15:39 PDT, Mark S. Miller 		no flags
Details
snapshot of html page (1.35 KB, text/html)
2021-05-07 15:40 PDT, Mark S. Miller 		no flags
Details
snapshot of demo source used by that page (881 bytes, text/javascript)
2021-05-07 15:42 PDT, Mark S. Miller 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Mark S. Miller
Comment 1 2021-03-01 00:54:28 PST
Created attachment 421791 [details] Screenshot of debugger state caught in buggy behavior
Mark S. Miller
Comment 2 2021-03-01 00:54:53 PST
Created attachment 421792 [details] Screenshot of debugger state caught in buggy behavior
Mark S. Miller
Comment 3 2021-03-01 00:55:18 PST
Created attachment 421793 [details] Screenshot of debugger state caught in buggy behavior
Mark S. Miller
Comment 4 2021-03-01 00:55:45 PST
Created attachment 421794 [details] Screenshot of debugger state caught in buggy behavior
Mark S. Miller
Comment 5 2021-03-01 00:56:07 PST
Created attachment 421795 [details] Screenshot of debugger state caught in buggy behavior
Radar WebKit Bug Importer
Comment 6 2021-03-01 13:46:16 PST
<rdar://problem/74888939>
Yusuke Suzuki
Comment 7 2021-03-01 14:09:39 PST
(In reply to Mark S. Miller from comment #0) > Created attachment 421790 [details] > Screenshot of debugger state caught in buggy behavior > > See https://github.com/Agoric/SES-shim/pull/592 > > The SES Demo console, after previously having worked on Safari Technology > Preview, suddenly started failing with an infinite recursion. This > instrumented variation of the PR in which this started failing catches when > `Object.defineProperties` causes a setter to be called. The > `Object.defineProperties` is attempting to convert > `Array.prototype.toString` from a data property to an accessor property, > after `Object.prototype.toString` has been similarly converted. Violating > the semantics of `defineProperties`, it causes the setter of the > `Object.prototype.toString` accessor property to be called. There follows > some screenshots examining this state from within the debugger. > > This is on Safari Technology Preview > Release 121 (Safari 14.2, WebKit 16612.1.4.3) Thanks for the report! Is there a instruction reproducing this problem?
Mark S. Miller
Comment 8 2021-03-01 15:39:09 PST
> Thanks for the report! Is there a instruction reproducing this problem? Yes. I set aside that PR only for the purpose of demonstrating and reproducing this bug. Do a git clone of the `https://github.com/Agoric/SES-shim/tree/safari-defProps-bug` branch. (The branch corresponding to that PR) cd to packages/ses run any local web browser. I used httpdhere Visit http://localhost:8080/demos/console/ Set the breakpoint shown Refresh the page.
Mark S. Miller
Comment 9 2021-03-01 16:07:18 PST
I omitted a step in my instructions to reproduce. After > cd to packages/ses do a `yarn build` in that directory. You need yarn v1, yes v1, installed. Sorry about that.
Mark S. Miller
Comment 10 2021-03-01 16:09:44 PST
Sigh. Sorry about this. Always hard to remember habits. Before that cd'ing or yarn build, in the root directory of the monorepo, do a `yarn install && yarn build`. Not sure all of that is needed but it is what I've been doing.
Yusuke Suzuki
Comment 11 2021-03-01 16:44:34 PST
Created attachment 421886 [details] Patch
Keith Miller
Comment 12 2021-03-01 16:46:25 PST
Comment on attachment 421886 [details] Patch r=me.
EWS
Comment 13 2021-03-01 18:05:00 PST
Committed r273717: <https://commits.webkit.org/r273717> All reviewed patches have been landed. Closing bug and clearing flags on attachment 421886 [details].
Yusuke Suzuki
Comment 14 2021-03-01 18:33:14 PST
@Mark Thanks! I think the issue is now fixed.
Mark S. Miller
Comment 15 2021-03-01 21:11:10 PST
Awesomely speedy response! I am impressed. Thanks.
Mark S. Miller
Comment 16 2021-05-07 12:57:18 PDT
I have some evidence that this bug happened again under Safari Version 14.1 (16611.1.21.161.3) *in the debugger* with weaker evidence that it did not happen for the same code not under the debugger. Until I know more I'm not reopening. But posting this anyway it case it rings a bell.
Mark S. Miller
Comment 17 2021-05-07 15:26:05 PDT
Yes, the bug is still there in the latest Safari. I now believe that it is intermittent or at least sensitive to conditions I don't understand. But it seems to happen both inside the debugger and normally, so my previous speculation is wrong. I will upload a set of screenshots that make it clear is still happening.
Mark S. Miller
Comment 18 2021-05-07 15:30:03 PDT
Created attachment 428041 [details] The call to defineProperties 1 of 3 To reproduce yourself, visit https://ses-demo.netlify.app/demos/console/ and open the debugger console. You might already see the error message in the console from the page initializing itself. If not, try refreshing. If not, shut down and relaunch the browser. I really have no better formula.
Mark S. Miller
Comment 19 2021-05-07 15:33:09 PDT
Created attachment 428042 [details] The call to the setter At line 5325 is a call to a function named defineProperty. This is actually the defineProperty defined in the first screenshot, which calls defineProperties.
Mark S. Miller
Comment 20 2021-05-07 15:34:34 PDT
Created attachment 428046 [details] Shows about box and full url
Mark S. Miller
Comment 21 2021-05-07 15:36:51 PDT
Since Safari has this bug, I plan to revise our sources to workaround this bug. When I do so, the website at that url will update. So first I'll indicate the current version of out sources.
Mark S. Miller
Comment 22 2021-05-07 15:39:46 PDT
Created attachment 428049 [details] Snapshot of built package currently use by page
Mark S. Miller
Comment 23 2021-05-07 15:40:54 PDT
Created attachment 428050 [details] snapshot of html page
Mark S. Miller
Comment 24 2021-05-07 15:42:49 PDT
Created attachment 428051 [details] snapshot of demo source used by that page
Mark S. Miller
Comment 25 2021-05-07 15:47:44 PDT
https://github.com/endojs/endo/blob/0b289021eee1256c05ceb4d83318165cb6288844/packages/ses/src/enable-property-overrides.js#L87 https://github.com/endojs/endo/blob/0b289021eee1256c05ceb4d83318165cb6288844/packages/ses/src/commons.js#L50 Github permalinks into the actual sources that lockdown.umd.js is built from. These specific links that the infinite recursion ping pongs between.
Mark S. Miller
Comment 26 2021-05-07 15:50:09 PDT
I just now noticed my old reproduction advice at https://bugs.webkit.org/show_bug.cgi?id=222538#c8 I have not tried it, but nothing relevant has changed. I suspect that will also work.
Mark S. Miller
Comment 27 2021-05-07 15:58:48 PDT
Ignore my last statement. The reproduction instructions from #c8 may not work. Relevant things are different. Use the reproduction instructions I gave you today.
Yusuke Suzuki
Comment 28 2021-06-03 00:04:27 PDT
(In reply to Mark S. Miller from comment #27) > Ignore my last statement. The reproduction instructions from #c8 may not > work. Relevant things are different. Use the reproduction instructions I > gave you today. Could you test it on Safari Technology Preview?
Yusuke Suzuki
Comment 29 2021-06-09 21:47:06 PDT
> I have some evidence that this bug happened again under Safari Version 14.1 (16611.1.21.161.3) *in the debugger* with weaker evidence that it did not happen for the same code not under the debugger. Until I know more I'm not reopening. But posting this anyway it case it rings a bell. Safari 14.1 does not include this change. So closing this issue. Please reopen when you reproduced it with Safari Technology Preview :) Thanks!
Note You need to log in before you can comment on or make changes to this bug.