<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - ASSERT on SES selftest page when loading the page while WebInspector is open in debug builds"
href="https://bugs.webkit.org/show_bug.cgi?id=154403#c5">Comment # 5</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - ASSERT on SES selftest page when loading the page while WebInspector is open in debug builds"
href="https://bugs.webkit.org/show_bug.cgi?id=154403">bug 154403</a>
from <span class="vcard"><a class="email" href="mailto:joepeck@webkit.org" title="Joseph Pecoraro <joepeck@webkit.org>"> <span class="fn">Joseph Pecoraro</span></a>
</span></b>
<pre>This exception is thrown by user code.
It seems like the page's code overrides `Object.prototype.__proto__`. InjectedScript, traversing the prototype chain using __proto__, encounters an error it doesn't expect caused by this code throwing.
Here is where the TypeError is defined:
<span class="quote">> /**
> * Repairs both getter and setter. If either are vulnerable, I don't
> * care if the other seemed to pass the test. Better to make them
> * both safe.
> */
> function repair_UNDERBAR_PROTO_accessors_USE_GLOBAL() {
> var gopd = Object.getOwnPropertyDescriptor;</span >
>
<span class="quote">> var oldDesc = gopd(Object.prototype, '__proto__');
> var oldGetter = oldDesc.get;
> var oldSetter = oldDesc.set;
> function newGetter() {
> if (this === null || this === void 0) {
> throw new TypeError('Cannot convert null or undefined to object');
> } else {
> return oldGetter.call(this);
> }
> }
> function newSetter(newProto) {
> if (this === null || this === void 0) {
> throw new TypeError('Cannot convert null or undefined to object');
> } else {
> oldSetter.call(this, newProto);
> }
> }
> Object.defineProperty(Object.prototype, '__proto__', {
> get: oldGetter ? newGetter : void 0,
> set: oldSetter ? newSetter : void 0
> });
> }</span >
And here is code that exercises it, with a description (there is code exercising the getter and setter):
<span class="quote">> /**
> * Detects <a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED"
href="show_bug.cgi?id=141865">https://bugs.webkit.org/show_bug.cgi?id=141865</a>
> *
> * &lt;p&gt;On Safari 7.0.5 (9537.77.4), the getter of the
> * Object.prototype.__proto__ property, if applied to undefined,
> * acts like a sloppy function would, coercing the undefined to the
> * global object and returning the global object's [[Prototype]].
> */
> function test_UNDERBAR_PROTO_GETTER_USES_GLOBAL() {
> var gopd = Object.getOwnPropertyDescriptor;
> var getProto = Object.getPrototypeOf;</span >
>
<span class="quote">> var desc = gopd(Object.prototype, '__proto__');
> if (!desc) { return false; }
> var getter = desc.get;
> if (!getter) { return false; }
> var globalProto = void 0;
> try {
> globalProto = getter();
> } catch (ex) {
> if (ex instanceof TypeError && globalProto === void 0) {
> return false;
> }
> return 'unexpected error: ' + ex;
> }
> if (getProto(global) === globalProto) { return true; }
> return 'unexpected global.__proto__: ' + globalProto;
> }</span >
That said, I did not investigate what code in InjectedScriptSource encounters this.
I do think moving InjectedScriptSource to a builtin, and using @Object.@getPrototypeOf() instead of __proto__ would probably solve this.</pre>
</div>
</p>
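<p>Added example, not part of the comment above and not WebKit or SES code: it contrasts a prototype-chain walk through the page-replaceable <code>__proto__</code> accessor with one through a captured <code>Object.getPrototypeOf</code>, the approach the comment suggests. All function names are hypothetical, and it does not reproduce the InjectedScriptSource path, which the comment leaves uninvestigated.</p>

```javascript
// Added example; all function names here are hypothetical, not WebKit or SES code.
// Tooling side: capture primordials before any page script can replace them.
const getPrototypeOf = Object.getPrototypeOf;
const originalDesc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
let pageGetterCalls = 0; // how many times page-installed code ran

// Page side: getter shaped like newGetter in the quoted repair (setter left as is).
function installPageStyleGetter() {
  const oldGetter = originalDesc.get;
  Object.defineProperty(Object.prototype, '__proto__', {
    get() {
      'use strict'; // keep `this` uncoerced so the null/undefined check can fire
      pageGetterCalls++;
      if (this === null || this === void 0) {
        throw new TypeError('Cannot convert null or undefined to object');
      }
      return oldGetter.call(this);
    },
  });
}

// Every step reads the `__proto__` accessor, so every step runs page code.
function chainViaProto(obj) {
  const chain = [];
  for (let o = obj.__proto__; o; o = o.__proto__) chain.push(o);
  return chain;
}

// Every step uses the captured function; no page-controlled accessor is read.
function chainViaCaptured(obj) {
  const chain = [];
  for (let o = getPrototypeOf(obj); o; o = getPrototypeOf(o)) chain.push(o);
  return chain;
}

// Installs the override, runs both walkers, probes the bare getter, then restores.
function compareWalkers(obj) {
  installPageStyleGetter();
  try {
    pageGetterCalls = 0;
    const viaCaptured = chainViaCaptured(obj).length;
    const callsDuringCaptured = pageGetterCalls;
    const viaProto = chainViaProto(obj).length;
    const callsDuringProto = pageGetterCalls - callsDuringCaptured;
    const bareGetter = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').get;
    let bareGetterThrows = false;
    try { bareGetter(); } catch (ex) { bareGetterThrows = ex instanceof TypeError; }
    return { viaCaptured, callsDuringCaptured, viaProto, callsDuringProto, bareGetterThrows };
  } finally { Object.defineProperty(Object.prototype, '__proto__', originalDesc); }
}
```

<p>Calling <code>compareWalkers([])</code> in Node.js reports the same chain length for both walkers, but only the <code>__proto__</code> walker executes the page-installed getter.</p>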
</body>
</html>