WebKit Bugzilla
Bug 157333: REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes
Status: RESOLVED DUPLICATE of bug 157045
https://bugs.webkit.org/show_bug.cgi?id=157333
Joseph Pecoraro, Reported 2016-05-03 18:20:37 PDT

Created attachment 278051 [details]: [TEST] Test case

* SUMMARY
Setting lazily initialized properties across frame boundaries crashes.

* TEST
<iframe id="x" src="data:text/html,<p>Hello</p>"></iframe>
<script>window.frames[0].Math = window.Math;</script>

* STEPS TO REPRODUCE
1. Load attached test case
  => CRASH

* NOTES
- Caught when trying to make `console` lazily initialized by test:
  LayoutTests/fast/dom/Window/window-lookup-precedence.html

* CRASH SNIPPET
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 ??? 000000000000000000 0 + 0
1 com.apple.JavaScriptCore 0x00000001059bcc93 JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) + 19 (CustomGetterSetter.cpp:43)
2 com.apple.JavaScriptCore 0x0000000105e4d3da JSC::putEntry(JSC::ExecState*, JSC::HashTableValue const*, JSC::JSObject*, JSC::JSObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 138 (Lookup.h:312)
3 com.apple.JavaScriptCore 0x0000000105e4c63a JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1194 (JSObject.cpp:573)
4 com.apple.JavaScriptCore 0x0000000105e476ae JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 526 (JSObjectInlines.h:81)
5 com.apple.JavaScriptCore 0x0000000105e0e0cf JSC::JSGlobalObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 111 (JSGlobalObject.cpp:825)
6 com.apple.WebCore 0x0000000106ee09fa WebCore::JSDOMWindow::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 90 (JSDOMWindowCustom.cpp:315)
7 com.apple.JavaScriptCore 0x0000000105dbce9a JSC::putByVal(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue, JSC::ByValInfo*) + 1466 (JSCJSValueInlines.h:840)
8 ??? 0x000039d551e0e7b3 0 + 63588364511155
9 com.apple.JavaScriptCore 0x0000000105f283c2 llint_entry + 23764
10 com.apple.JavaScriptCore 0x0000000105f2250b vmEntryToJavaScript + 299
11 com.apple.JavaScriptCore 0x0000000105d9a74e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 (JITCode.cpp:81)
12 com.apple.JavaScriptCore 0x0000000105d51536 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 15110 (Interpreter.cpp:960)
13 com.apple.JavaScriptCore 0x00000001059b1f25 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 469 (Completion.cpp:106)
14 com.apple.WebCore 0x00000001074e9cfe WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 302 (JSMainThreadExecState.h:81)
15 com.apple.WebCore 0x00000001074efdc7 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 567 (CurrentScriptIncrementer.h:50)
16 com.apple.WebCore 0x00000001074ee6fa WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1066 (StdLibExtras.h:370)
17 com.apple.WebCore 0x0000000106cb5d02 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 338 (ScriptElement.h:59)
18 com.apple.WebCore 0x0000000106cb5b60 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48 (HTMLScriptRunner.cpp:189)
19 com.apple.WebCore 0x0000000106c5358c WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 316 (StdLibExtras.h:370)
20 com.apple.WebCore 0x0000000106c5393d WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 669 (HTMLDocumentParser.cpp:234)
21 com.apple.WebCore 0x0000000106c532c3 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115 (DocumentParser.h:70)
...
Attachments
- [TEST] Test case (113 bytes, text/html), 2016-05-03 18:20 PDT, Joseph Pecoraro, no flags
- the patch (4.91 KB, patch), 2016-05-03 20:54 PDT, Filip Pizlo, no flags
Filip Pizlo, Comment 1, 2016-05-03 19:25:17 PDT
Crazy! I can take a look.
Filip Pizlo, Comment 2, 2016-05-03 20:22:15 PDT
Wow, this is a huge omission in the original patch. Luckily, it's easy to fix. Basically, I forgot to thread the new hashtable attributes through putEntry. I didn't realize that putEntry had to also know about all of the attributes.
Filip Pizlo, Comment 3, 2016-05-03 20:54:42 PDT
Created attachment 278063 [details]: the patch
WebKit Commit Bot, Comment 4, 2016-05-03 22:00:32 PDT
Comment on attachment 278063 [details]: the patch
Clearing flags on attachment: 278063
Committed r200406: <http://trac.webkit.org/changeset/200406>
WebKit Commit Bot, Comment 5, 2016-05-03 22:00:36 PDT
All reviewed patches have been landed. Closing bug.
Chris Dumez, Comment 6, 2016-05-04 08:47:45 PDT
Reverted r200383 and r200406 for reason: Seems to have caused crashes on iOS / ARMv7s
Committed r200416: <http://trac.webkit.org/changeset/200416>
Filip Pizlo, Comment 7, 2016-05-04 13:02:40 PDT
*** This bug has been marked as a duplicate of bug 157045 ***