[webkit-changes] [WebKit/WebKit] e1d780: Web Inspector: Deeply nested console logging can c...

Patrick Angle noreply at github.com
Mon Jul 31 11:00:06 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e1d780dcb545a6a90b4ae0909c29b5c70d95a922
      https://github.com/WebKit/WebKit/commit/e1d780dcb545a6a90b4ae0909c29b5c70d95a922
  Author: Patrick Angle <pangle at apple.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M Source/JavaScriptCore/inspector/ScriptCallStack.cpp
    M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp

  Log Message:
  -----------
  Web Inspector: Deeply nested console logging can cause ConsoleMessage to be destroyed while we are still trying to log it
https://bugs.webkit.org/show_bug.cgi?id=256932
rdar://108063640

Reviewed by Mark Lam.

InspectorConsoleAgent has been incorrectly managing the lifetime of each ConsoleMessage by moving messages into a vector
of messages before we have passed those messages on to the frontend. This means that a console message that causes
another console message to be logged may eventually cause our original message to be dropped from the vector if this
occurs deeply enough. At that point, when we unwind back to the original message, it has been destroyed while we are
trying to send it to the frontend, which results in a bad time because we are still inside a function on the
ConsoleMessage that tries to access its own member variables like m_arguments, and fails because the message object
itself has been destroyed, taking its members with it.

This also fixes a subtle message inversion in the backlog of messages and what is logged to the console when Web
Inspector is open, since the message is sent to the frontend after all other processing, but we were previously adding
the message to the vector of past messages before that processing (which may in turn cause more logging before the
actual logging we called in to perform) to occur.

A second minor issue is that ScriptCallStack is incorrectly asserting in its constructor, which prevented investigation
of this issue initially. The call stack should be less than __or equal to__ the max call stack, not just less than.

* Source/JavaScriptCore/inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::addToFrontend):
* Source/JavaScriptCore/inspector/InjectedScript.cpp:
(Inspector::InjectedScript::wrapObject const):
(Inspector::InjectedScript::wrapTable const):
* Source/JavaScriptCore/inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::ScriptCallStack):
* Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::addConsoleMessage):
* Source/WebCore/page/PageConsoleClient.cpp:
(WebCore::PageConsoleClient::messageWithTypeAndLevel):

Originally-landed-as: 259548.777 at safari-7615-branch (e74d4b07ad38). rdar://108063640
Canonical link: https://commits.webkit.org/266438@main
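The lifetime bug and the ordering fix described in the log message, as an added example that is not WebKit code: a reduced C++ model in which a bounded backlog vector owns each message, nested logging overflows the backlog, and the oldest message is evicted while its own send to the frontend is still on the stack. The names (`model::ConsoleAgent`, `kMaxBacklog`, `Ordering`, `runNestedLogging`, `backlogMatchesFrontendTail`) and the backlog limit of 4 are hypothetical stand-ins for InspectorConsoleAgent, ConsoleMessage and their real limits; a `weak_ptr` observer is used so the model detects the destruction instead of dereferencing freed memory as the real bug did.

```cpp
// Added example, not WebKit code: a reduced model of the ConsoleMessage lifetime
// bug. All names here are hypothetical stand-ins for the real inspector classes.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <memory>
#include <string>
#include <vector>

namespace model {

struct ConsoleMessage {
    std::string text;
    std::vector<std::string> arguments; // stands in for ConsoleMessage::m_arguments
};

// Bounded backlog of past messages: on overflow the oldest entry is erased and
// destroyed. Deliberately tiny (assumed value) so eviction is easy to reach.
constexpr std::size_t kMaxBacklog = 4;

class ConsoleAgent {
public:
    enum class Ordering {
        BacklogFirst,  // buggy order: move into the backlog, then send to the frontend
        FrontendFirst  // fixed order: send to the frontend, then move into the backlog
    };

    explicit ConsoleAgent(Ordering ordering) : m_ordering(ordering) {}

    // Logs one message; `nesting` is how many further messages its frontend
    // processing triggers, modelling "deeply nested console logging".
    void addConsoleMessage(int nesting)
    {
        auto message = std::make_shared<ConsoleMessage>(
            ConsoleMessage { "msg" + std::to_string(m_nextId++), { "arg0" } });
        std::weak_ptr<ConsoleMessage> observer = message;

        if (m_ordering == Ordering::BacklogFirst) {
            // The vector becomes the only owner before the send has finished;
            // if nested logging overflows the backlog, our message is destroyed.
            pushToBacklog(std::move(message));
            addToFrontend(observer, nesting);
            return;
        }
        // Fixed: this frame keeps the message alive until the send completes.
        addToFrontend(observer, nesting);
        pushToBacklog(std::move(message));
    }

    const std::vector<std::string>& frontendLog() const { return m_frontend; }
    std::vector<std::string> backlog() const
    {
        std::vector<std::string> texts;
        for (const auto& m : m_messages)
            texts.push_back(m->text);
        return texts;
    }
    bool destroyedWhileSending() const { return m_destroyedWhileSending; }

private:
    void pushToBacklog(std::shared_ptr<ConsoleMessage> message)
    {
        m_messages.push_back(std::move(message));
        if (m_messages.size() > kMaxBacklog)
            m_messages.erase(m_messages.begin()); // oldest message destroyed here
    }

    // Models ConsoleMessage::addToFrontend. The real code runs on `this`; the
    // weak_ptr lets this model observe destruction rather than commit a UAF.
    void addToFrontend(std::weak_ptr<ConsoleMessage> observer, int nesting)
    {
        std::string text = observer.lock()->text; // still alive at entry in both orderings

        // Wrapping the arguments may run script that logs again (the nested case).
        if (nesting > 0)
            addConsoleMessage(nesting - 1);

        // Back from the nested logging, the real code now reads m_arguments.
        auto alive = observer.lock();
        if (!alive) {
            m_destroyedWhileSending = true;
            m_frontend.push_back(text + " <destroyed>");
            return;
        }
        m_frontend.push_back(alive->text); // reading a member of a live object
    }

    Ordering m_ordering;
    int m_nextId = 0;
    std::vector<std::shared_ptr<ConsoleMessage>> m_messages;
    std::vector<std::string> m_frontend;
    bool m_destroyedWhileSending = false;
};

struct Outcome {
    std::vector<std::string> frontend;
    std::vector<std::string> backlog;
    bool destroyedWhileSending;
};

Outcome runNestedLogging(ConsoleAgent::Ordering ordering, int nesting)
{
    ConsoleAgent agent(ordering);
    agent.addConsoleMessage(nesting);
    return { agent.frontendLog(), agent.backlog(), agent.destroyedWhileSending() };
}

// True when the backlog equals the most recent frontend entries in the same
// order, i.e. there is no inversion between what was sent and what was stored.
bool backlogMatchesFrontendTail(const Outcome& o)
{
    if (o.backlog.size() > o.frontend.size())
        return false;
    auto tail = o.frontend.end() - static_cast<std::ptrdiff_t>(o.backlog.size());
    return std::equal(o.backlog.begin(), o.backlog.end(), tail);
}

} // namespace model

int main()
{
    using model::ConsoleAgent;
    for (auto ordering : { ConsoleAgent::Ordering::BacklogFirst, ConsoleAgent::Ordering::FrontendFirst }) {
        auto o = model::runNestedLogging(ordering, 6);
        std::printf("%s: destroyed-while-sending=%d backlog-consistent=%d\n",
            ordering == ConsoleAgent::Ordering::BacklogFirst ? "backlog-first (buggy)" : "frontend-first (fixed)",
            o.destroyedWhileSending ? 1 : 0, model::backlogMatchesFrontendTail(o) ? 1 : 0);
    }
    return 0;
}
```

With nesting 6 and a backlog of 4, the buggy ordering reports three messages destroyed before their send completed and a backlog that no longer matches the frontend's order; the fixed ordering reports neither. The same test harness is what you would point ASan at in the real tree: the model's `weak_ptr` check is only a substitute for the sanitizer report a genuine use-after-free produces.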




More information about the webkit-changes mailing list