154378 2016-02-17 19:51:51 -0800 Crash on SES selftest page when loading the page while WebInspector is open 2020-04-08 16:32:15 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=154350 https://bugs.webkit.org/show_bug.cgi?id=154102 https://bugs.webkit.org/show_bug.cgi?id=200560 https://rawgit.com/tvcutsem/es-lab/master/src/ses/contract.html InRadar P2 Normal --- 1 cdumez cdumez barraclough commit-queue erights ggaren joepeck keith_miller mark.lam msaboff saam webkit-bug-importer oldest_to_newest 1165872 0 cdumez 2016-02-17 19:51:51 -0800 Crash on SES selftest page when loading the page while WebInspector is open: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010a901f81 JSC::JSObject::getOwnPropertyDescriptor(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor&) + 449 1 com.apple.JavaScriptCore 0x000000010a9bee88 JSC::objectConstructorGetOwnPropertyDescriptor(JSC::ExecState*, JSC::JSObject*, JSC::Identifier const&) + 72 2 com.apple.JavaScriptCore 0x000000010a9bd336 JSC::objectConstructorGetOwnPropertyDescriptor(JSC::ExecState*) + 550 3 ??? 0x00003a5d9d601028 0 + 64173746688040 4 com.apple.JavaScriptCore 0x000000010a99baeb llint_entry + 23561 5 com.apple.JavaScriptCore 0x000000010a99bb5d llint_entry + 23675 6 com.apple.JavaScriptCore 0x000000010a99baeb llint_entry + 23561 7 com.apple.JavaScriptCore 0x000000010a99baeb llint_entry + 23561 8 com.apple.JavaScriptCore 0x000000010a995cff vmEntryToJavaScript + 299 9 com.apple.JavaScriptCore 0x000000010a88389e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 1165875 1 webkit-bug-importer 2016-02-17 19:53:47 -0800 <rdar://problem/24713422> 1165878 2 cdumez 2016-02-17 19:57:54 -0800 Looks like there were 2 checks like this in putDirectInternal: if ((attributes & Accessor) != (currentAttributes & Accessor)) And I only updated one of them :/ 1165889 3 cdumez 2016-02-17 20:58:33 -0800 This time it seems we hit the following assertion in getOwnPropertyDescriptor(): ASSERT(maybeGetterSetter); So we have a slot with CustomAccessor attribute but getDirect() returns no value somehow. |this| is a DebuggerScope and the propertyName is “document”. 1165928 4 cdumez 2016-02-17 22:24:12 -0800 I think the issue is that DebuggerScope::getOwnPropertySlot() does not only return *own* properties. It searches the prototype chain, like JSDOMWindow used to do before r196676. We used to have a check at the top of GetOwnPropertyDescriptor() to return early if getOwnPropertySlot() returned a non-own property but Gavin dropped it in r 196676, assuming the workaround was only needed for JSDOMWindow... We probably need to add the following check back: if (slot.slotBase() != this && slot.slotBase()) { if (!proxy || proxy->target() != slot.slotBase()) return false; } I will verify. 1166044 5 271663 cdumez 2016-02-18 08:47:26 -0800 Created attachment 271663 Patch 1166049 6 271663 mark.lam 2016-02-18 08:56:26 -0800 Comment on attachment 271663 Patch r=me 1166054 7 271663 cdumez 2016-02-18 09:19:30 -0800 Comment on attachment 271663 Patch Clearing flags on attachment: 271663 Committed r196760: <http://trac.webkit.org/changeset/196760> 1166055 8 cdumez 2016-02-18 09:19:35 -0800 All reviewed patches have been landed. Closing bug. 271663 2016-02-18 08:47:26 -0800 2016-02-18 09:19:30 -0800 Patch bug-154378-20160218084707.patch text/plain 2726 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMTk2NzM4CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCAw NzlkNzUxZjJiMGEyOWU3NDRkODIwZmY0ODI2ZTliNDQyZTJjM2VmLi5jNjYxYzI5OTM2YjU2NzUw NTZkMmYxZTNmMjVhZTBhZjliOWYwZGQzIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwyNyBAQAorMjAxNi0wMi0xOCAgQ2hyaXMgRHVtZXogIDxjZHVtZXpAYXBwbGUuY29tPgor CisgICAgICAgIENyYXNoIG9uIFNFUyBzZWxmdGVzdCBwYWdlIHdoZW4gbG9hZGluZyB0aGUgcGFn ZSB3aGlsZSBXZWJJbnNwZWN0b3IgaXMgb3BlbgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU0Mzc4CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yNDcx MzQyMj4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBE byBhIHBhcnRpYWwgcmV2ZXJ0IG9mIHIxOTY2NzYgc28gdGhhdCBKU09iamVjdDo6Z2V0T3duUHJv cGVydHlEZXNjcmlwdG9yKCkKKyAgICAgICAgcmV0dXJucyBlYXJseSBhZ2FpbiBpZiBpdCBkZXRl Y3RzIHRoYXQgZ2V0T3duUHJvcGVydHlTbG90KCkgcmV0dXJucyBhCisgICAgICAgIG5vbi1vd24g cHJvcGVydHkuIFRoaXMgY2hlY2sgd2FzIHJlbW92ZWQgaW4gcjE5NjY3NiBiZWNhdXNlIHdlIGFz c3VtZWQgdGhhdAorICAgICAgICBvbmx5IEpTRE9NV2luZG93OjpnZXRPd25Qcm9wZXJ0eVNsb3Qo KSBjb3VsZCByZXR1cm4gbm9uLW93biBwcm9wZXJ0aWVzLgorICAgICAgICBIb3dldmVyLCBhcyBp dCB0dXJucyBvdXQsIERlYnVnZ2VyU2NvcGU6OmdldE93blByb3BlcnR5U2xvdCgpIGRvZXMgc28g YXMKKyAgICAgICAgd2VsbC4KKworICAgICAgICBOb3QgaGF2aW5nIHRoZSBjaGVjayB3b3VsZCBs ZWFkIHRvIGNyYXNoZXMgd2hlbiB1c2luZyB0aGUgZGVidWdnZXIgYmVjYXVzZQorICAgICAgICB3 ZSB3b3VsZCBnZXQgYSBzbG90IHdpdGggdGhlIEN1c3RvbUFjY2Vzc29yIGF0dHJpYnV0ZSBidXQg Z2V0RGlyZWN0KCkgd291bGQKKyAgICAgICAgdGhlbiBmYWlsIHRvIHJldHVybiB0aGUgcHJvcGVy dHkgKGJlY2F1c2UgaXQgaXMgbm90IGFuIG93biBwcm9wZXJ0eSkuIFdlCisgICAgICAgIHdvdWxk IHRoZW4gY2FzdCB0aGUgdmFsdWUgcmV0dXJuZWQgYnkgZ2V0RGlyZWN0KCkgdG8gYSBDdXN0b21H ZXR0ZXJTZXR0ZXIqCisgICAgICAgIGFuZCBkZXJlZmVyZW5jZSBpdC4KKworICAgICAgICAqIHJ1 bnRpbWUvSlNPYmplY3QuY3BwOgorICAgICAgICAoSlNDOjpKU09iamVjdDo6Z2V0T3duUHJvcGVy dHlEZXNjcmlwdG9yKToKKwogMjAxNi0wMi0xNyAgQmVuamFtaW4gUG91bGFpbiAgPGJwb3VsYWlu QGFwcGxlLmNvbT4KIAogICAgICAgICBbSlNDXSBBUk02NDogU3VwcG9ydCB0aGUgaW1tZWRpYXRl IGZvcm1hdCB1c2VkIGZvciBiaXQgb3BlcmF0aW9ucyBpbiBBaXIKZGlmZiAtLWdpdCBhL1NvdXJj ZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0pTT2JqZWN0LmNwcCBiL1NvdXJjZS9KYXZhU2NyaXB0 Q29yZS9ydW50aW1lL0pTT2JqZWN0LmNwcAppbmRleCA3MDY0NTkzODJiM2ZlOGJlM2VkNjUwZTYy NmUzNjY0YmJhMDgyZTNiLi4xZTFkMjBlNmE2Y2U5MDA3ODY5MTZhZmI1ODZlNTZlMTNiNzFhMjU0 IDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9KU09iamVjdC5jcHAK KysrIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvSlNPYmplY3QuY3BwCkBAIC0yNTU2 LDYgKzI1NTYsMTUgQEAgYm9vbCBKU09iamVjdDo6Z2V0T3duUHJvcGVydHlEZXNjcmlwdG9yKEV4 ZWNTdGF0ZSogZXhlYywgUHJvcGVydHlOYW1lIHByb3BlcnR5TmEKICAgICBpZiAoIW1ldGhvZFRh YmxlKGV4ZWMtPnZtKCkpLT5nZXRPd25Qcm9wZXJ0eVNsb3QodGhpcywgZXhlYywgcHJvcGVydHlO YW1lLCBzbG90KSkKICAgICAgICAgcmV0dXJuIGZhbHNlOwogCisgICAgLy8gRGVidWdnZXJTY29w ZTo6Z2V0T3duUHJvcGVydHlTbG90KCkgKGFuZCBwb3NzaWJseSBvdGhlcnMpIG1heSByZXR1cm4g YXR0cmlidXRlcyBmcm9tIHRoZSBwcm90b3R5cGUgY2hhaW4KKyAgICAvLyBidXQgZ2V0T3duUHJv cGVydHlEZXNjcmlwdG9yKCkgc2hvdWxkIG9ubHkgd29yayBmb3IgJ293bicgcHJvcGVydGllcyBz byB3ZSBleGl0IGVhcmx5IGlmIHdlIGRldGVjdCB0aGF0CisgICAgLy8gdGhlIHByb3BlcnR5IGlz IG5vdCBhbiBvd24gcHJvcGVydHkuCisgICAgaWYgKHNsb3Quc2xvdEJhc2UoKSAhPSB0aGlzICYm IHNsb3Quc2xvdEJhc2UoKSkgeworICAgICAgICBhdXRvKiBwcm94eSA9IGpzRHluYW1pY0Nhc3Q8 SlNQcm94eSo+KHRoaXMpOworICAgICAgICBpZiAoIXByb3h5IHx8IHByb3h5LT50YXJnZXQoKSAh PSBzbG90LnNsb3RCYXNlKCkpCisgICAgICAgICAgICByZXR1cm4gZmFsc2U7CisgICAgfQorCiAg ICAgaWYgKHNsb3QuaXNBY2Nlc3NvcigpKQogICAgICAgICBkZXNjcmlwdG9yLnNldEFjY2Vzc29y RGVzY3JpcHRvcihzbG90LmdldHRlclNldHRlcigpLCBzbG90LmF0dHJpYnV0ZXMoKSk7CiAgICAg ZWxzZSBpZiAoc2xvdC5hdHRyaWJ1dGVzKCkgJiBDdXN0b21BY2Nlc3Nvcikgewo=