RESOLVED FIXED 83353
[Chromium] Web Inspector: getEventListeners(window) crashes on NTP
https://bugs.webkit.org/show_bug.cgi?id=83353
Yury Semikhatsky
Reported 2012-04-06 00:52:54 PDT
1. Open DevTools on the new tab page
2. Type getEventListeners(window) in the console

Result: inspected page crashes.
Attachments
Patch (3.33 KB, patch)
2012-04-06 04:50 PDT, Andrey Kosyakov
pfeldman: review+
Yury Semikhatsky
Comment 1 2012-04-06 01:12:48 PDT
#
# Fatal error in ../../v8/src/objects-inl.h, line 1484
# CHECK(index < GetInternalFieldCount() && index >= 0) failed
#
Yury Semikhatsky
Comment 2 2012-04-06 01:15:50 PDT
(In reply to comment #1)
> #
> # Fatal error in ../../v8/src/objects-inl.h, line 1484
> # CHECK(index < GetInternalFieldCount() && index >= 0) failed
> #

It is on Chromium r130915.
Yury Semikhatsky
Comment 3 2012-04-06 01:45:56 PDT
(In reply to comment #2)
> It is on Chromium r130915.

Also reproducible on tip-of-tree Chromium (r131113).
Andrey Kosyakov
Comment 4 2012-04-06 04:50:12 PDT
Pavel Feldman
Comment 5 2012-04-06 04:59:38 PDT
Comment on attachment 136002
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=136002&action=review

> Source/WebCore/bindings/v8/custom/V8InjectedScriptHostCustom.cpp:222
> + if (!value->IsObject() || !V8Node::HasInstance(value->ToObject()))

HasInstance receives value, no need to cast.
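Review bot: on the quoted condition at V8InjectedScriptHostCustom.cpp:222, `value->ToObject()` is reached only when `value->IsObject()` is true, so the order of the two tests is what keeps a non-object argument away from the cast. If `HasInstance` is given `value` directly, as suggested above, keep that ordering or confirm the `IsObject()` test is still wanted. The reproduction in this bug, `getEventListeners(window)`, passes an object that is not a Node, so a regression test for it would exercise the second half of this check; the rest of the patch is not shown here, so whether it adds one cannot be seen.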
Andrey Kosyakov
Comment 6 2012-04-06 05:07:46 PDT