[Webkit-unassigned] [Bug 157333] New: REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 3 18:20:37 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=157333

            Bug ID: 157333
           Summary: REGRESSION(r200383): Setting lazily initialized
                    properties across frame boundaries crashes
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: joepeck at webkit.org
                CC: fpizlo at apple.com, ggaren at apple.com,
                    keith_miller at apple.com

Created attachment 278051
  --> https://bugs.webkit.org/attachment.cgi?id=278051&action=review
[TEST] Test case

* SUMMARY
Setting lazily initialized properties across frame boundaries crashes.

* TEST
<iframe id="x" src="data:text/html,<p>Hello</p>"></iframe>
<script>window.frames[0].Math = window.Math;</script>

* STEPS TO REPRODUCE
1. Load attached test case
  => CRASH

* NOTES
- Caught when trying to make `console` lazily initialized by test:
LayoutTests/fast/dom/Window/window-lookup-precedence.html

* CRASH SNIPPET
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   ???                               000000000000000000 0 + 0
1   com.apple.JavaScriptCore          0x00000001059bcc93 JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) + 19 (CustomGetterSetter.cpp:43)
2   com.apple.JavaScriptCore          0x0000000105e4d3da JSC::putEntry(JSC::ExecState*, JSC::HashTableValue const*, JSC::JSObject*, JSC::JSObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 138 (Lookup.h:312)
3   com.apple.JavaScriptCore          0x0000000105e4c63a JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1194 (JSObject.cpp:573)
4   com.apple.JavaScriptCore          0x0000000105e476ae JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 526 (JSObjectInlines.h:81)
5   com.apple.JavaScriptCore          0x0000000105e0e0cf JSC::JSGlobalObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 111 (JSGlobalObject.cpp:825)
6   com.apple.WebCore                 0x0000000106ee09fa WebCore::JSDOMWindow::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 90 (JSDOMWindowCustom.cpp:315)
7   com.apple.JavaScriptCore          0x0000000105dbce9a JSC::putByVal(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue, JSC::ByValInfo*) + 1466 (JSCJSValueInlines.h:840)
8   ???                               0x000039d551e0e7b3 0 + 63588364511155
9   com.apple.JavaScriptCore          0x0000000105f283c2 llint_entry + 23764
10  com.apple.JavaScriptCore          0x0000000105f2250b vmEntryToJavaScript + 299
11  com.apple.JavaScriptCore          0x0000000105d9a74e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 (JITCode.cpp:81)
12  com.apple.JavaScriptCore          0x0000000105d51536 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 15110 (Interpreter.cpp:960)
13  com.apple.JavaScriptCore          0x00000001059b1f25 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 469 (Completion.cpp:106)
14  com.apple.WebCore                 0x00000001074e9cfe WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 302 (JSMainThreadExecState.h:81)
15  com.apple.WebCore                 0x00000001074efdc7 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 567 (CurrentScriptIncrementer.h:50)
16  com.apple.WebCore                 0x00000001074ee6fa WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1066 (StdLibExtras.h:370)
17  com.apple.WebCore                 0x0000000106cb5d02 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 338 (ScriptElement.h:59)
18  com.apple.WebCore                 0x0000000106cb5b60 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48 (HTMLScriptRunner.cpp:189)
19  com.apple.WebCore                 0x0000000106c5358c WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 316 (StdLibExtras.h:370)
20  com.apple.WebCore                 0x0000000106c5393d WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 669 (HTMLDocumentParser.cpp:234)
21  com.apple.WebCore                 0x0000000106c532c3 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115 (DocumentParser.h:70)
...

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160504/ecbddb22/attachment-0001.html>

More information about the webkit-unassigned mailing list