[Webkit-unassigned] [Bug 154403] ASSERT on SES selftest page when loading the page while WebInspector is open in debug builds
bugzilla-daemon at webkit.org
Thu Feb 18 11:59:49 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=154403
--- Comment #5 from Joseph Pecoraro <joepeck at webkit.org> ---
This exception is thrown by user code.
It seems like the page's code overrides `Object.prototype.__proto__`. InjectedScript, traversing the prototype chain using __proto__, encounters an error it doesn't expect caused by this code throwing.
Here is where the TypeError is defined:
> /**
>  * Repairs both getter and setter. If either are vulnerable, I don't
>  * care if the other seemed to pass the test. Better to make them
>  * both safe.
>  */
> function repair_UNDERBAR_PROTO_accessors_USE_GLOBAL() {
>   var gopd = Object.getOwnPropertyDescriptor;
>
>   var oldDesc = gopd(Object.prototype, '__proto__');
>   var oldGetter = oldDesc.get;
>   var oldSetter = oldDesc.set;
>   function newGetter() {
>     if (this === null || this === void 0) {
>       throw new TypeError('Cannot convert null or undefined to object');
>     } else {
>       return oldGetter.call(this);
>     }
>   }
>   function newSetter(newProto) {
>     if (this === null || this === void 0) {
>       throw new TypeError('Cannot convert null or undefined to object');
>     } else {
>       oldSetter.call(this, newProto);
>     }
>   }
>   Object.defineProperty(Object.prototype, '__proto__', {
>     get: oldGetter ? newGetter : void 0,
>     set: oldSetter ? newSetter : void 0
>   });
> }
And here is code that exercises it with a description (there is code exercising the getter and setter)
> /**
>  * Detects https://bugs.webkit.org/show_bug.cgi?id=141865
>  *
>  * <p>On Safari 7.0.5 (9537.77.4), the getter of the
>  * Object.prototype.__proto__ property, if applied to undefined,
>  * acts like a sloppy function would, coercing the undefined to the
>  * global object and returning the global object's [[Prototype]].
>  */
> function test_UNDERBAR_PROTO_GETTER_USES_GLOBAL() {
>   var gopd = Object.getOwnPropertyDescriptor;
>   var getProto = Object.getPrototypeOf;
>
>   var desc = gopd(Object.prototype, '__proto__');
>   if (!desc) { return false; }
>   var getter = desc.get;
>   if (!getter) { return false; }
>   var globalProto = void 0;
>   try {
>     globalProto = getter();
>   } catch (ex) {
>     if (ex instanceof TypeError && globalProto === void 0) {
>       return false;
>     }
>     return 'unexpected error: ' + ex;
>   }
>   if (getProto(global) === globalProto) { return true; }
>   return 'unexpected global.__proto__: ' + globalProto;
> }
That said, I did not investigate what code in InjectedScriptSource encounters this.
I do think moving InjectedScriptSource to a builtin, and using @Object.@getPrototypeOf() instead of __proto__ would probably solve this.
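As an added illustration of the point above (example code, not from the bug report, SES, or WebKit): an inspector that walks the prototype chain through the `__proto__` accessor breaks as soon as page code redefines that accessor, while a walk through an `Object.getPrototypeOf` captured before page code runs (what a builtin's `@getPrototypeOf` amounts to) keeps working. The hostile accessor, the `describeChain` helper and the scenario names are constructed for this example.

```javascript
// Captured before any page code runs, the way a builtin's @getPrototypeOf is.
const intrinsicGetPrototypeOf = Object.getPrototypeOf;
const hasOwn = Object.prototype.hasOwnProperty;

// Collects constructor names along obj's chain using the supplied strategy.
function describeChain(obj, getProto) {
  const names = [];
  for (let p = getProto(obj); p !== null; p = getProto(p)) {
    names.push(hasOwn.call(p, 'constructor') ? p.constructor.name : '(anonymous)');
  }
  return names;
}

// Strategy A: the overridable accessor the comment says InjectedScript relied on.
const viaProtoAccessor = (o) => o.__proto__;
// Strategy B: the captured intrinsic the comment proposes instead.
const viaIntrinsic = (o) => intrinsicGetPrototypeOf(o);

// Runs a strategy and reports either the chain or the error it threw.
function tryDescribe(obj, getProto) {
  try {
    return { ok: true, chain: describeChain(obj, getProto) };
  } catch (ex) {
    return { ok: false, error: `${ex.constructor.name}: ${ex.message}` };
  }
}

// Constructed page code: a hardening shim that refuses all __proto__ access
// (a blunter relative of the SES repair quoted above) and also replaces the
// public Object.getPrototypeOf. The captured intrinsic is unaffected.
function installHostileProtoAccessor() {
  Object.defineProperty(Object.prototype, '__proto__', {
    configurable: true,
    get() { throw new TypeError('__proto__ access blocked by page'); },
    set() { throw new TypeError('__proto__ assignment blocked by page'); },
  });
  Object.getPrototypeOf = function () { throw new TypeError('replaced by page'); };
}

function runScenario() {
  const sample = new Map();
  const savedDesc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  const savedGetPrototypeOf = Object.getPrototypeOf;
  const result = {
    before: tryDescribe(sample, viaProtoAccessor),                // ['Map', 'Object']
    nullProto: tryDescribe(Object.create(null), viaProtoAccessor), // fails even unmodified
  };
  installHostileProtoAccessor();
  try {
    result.afterViaProto = tryDescribe(sample, viaProtoAccessor);  // TypeError
    result.afterViaIntrinsic = tryDescribe(sample, viaIntrinsic); // ['Map', 'Object']
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', savedDesc);
    Object.getPrototypeOf = savedGetPrototypeOf;
  }
  return result;
}
```

The `nullProto` case shows a second weakness of the accessor approach: an object created with `Object.create(null)` has no `__proto__` property at all, so the walk reads `undefined` and trips over it, whereas the intrinsic correctly returns `null`.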