Issue 759913

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Regression




Expanding document.all causes crash when execution context is iFrame

Project Member Reported by l...@chromium.org, Aug 29 2017

Issue description

What steps will reproduce the problem?
(1) Navigate to a page with an iFrame (e.g. new tab page), open DevTools
(2) Go to Console and set the execution context to the iFrame
(3) Evaluate 'document.all'
(4) Expand the result from document.all

What is the expected result?
No crash

What happens instead?
Crash :(

Narrow bisect to this CL:
https://chromium.googlesource.com/v8/v8/+/c5e9416b1d2e55a4d052e8dcd9848c18e4f3d8a5

Note: there's no crash when I try to expand other arrays, arrays of elements, or elements themselves.  There might be something special about document.all.


Stack trace:

#0 0x7fd744b18df7 base::debug::StackTrace::StackTrace()
#1 0x7fd744b1895f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fd744c5a330 <unknown>
#3 0x7fd73fab4dc7 v8::internal::ScopeIterator::ScopeIterator()
#4 0x7fd73fab3f0d v8::internal::DebugScopeIterator::DebugScopeIterator()
#5 0x7fd73fab3d5c v8::debug::ScopeIterator::CreateForFunction()
#6 0x7fd73ff154d4 v8_inspector::V8Debugger::getTargetScopes()
#7 0x7fd73ff15d08 v8_inspector::V8Debugger::internalProperties()
#8 0x7fd73ff2868e v8_inspector::V8RuntimeAgentImpl::getProperties()
#9 0x7fd73feef0aa v8_inspector::protocol::Runtime::DispatcherImpl::getProperties()
#10 0x7fd73fed4d4e v8_inspector::protocol::Console::DispatcherImpl::dispatch()
#11 0x7fd73fecefca v8_inspector::protocol::UberDispatcher::dispatch()
#12 0x7fd73ff22d21 v8_inspector::V8InspectorSessionImpl::dispatchProtocolMessage()
#13 0x7fd73ec8960d blink::InspectorSession::DispatchProtocolMessage()
#14 0x7fd73e9e758b blink::WebDevToolsAgentImpl::DispatchMessageFromFrontend()
#15 0x7fd73e9e73c6 blink::WebDevToolsAgentImpl::DispatchOnInspectorBackend()
#16 0x7fd742ab034d content::DevToolsAgent::OnDispatchOnInspectorBackend()
#17 0x7fd742ab0111 _ZN3IPC8MessageTI48DevToolsAgentMsg_DispatchOnInspectorBackend_MetaNSt3__15tupleIJiiNS2_12basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEES9_EEEvE8DispatchIN7content13DevToolsAgentESE_vMSE_FviiRKS9_SG_EEEbPKNS_7MessageEPT_PT0_PT1_T2_
#18 0x7fd742aaf5a5 content::DevToolsAgent::OnMessageReceived()
#19 0x7fd742b0f2e0 content::RenderFrameImpl::OnMessageReceived()
#20 0x7fd743ef28f5 IPC::ChannelProxy::Context::OnDispatchMessage()
#21 0x7fd744b1988b base::debug::TaskAnnotator::RunTask()
#22 0x7fd73dc5b163 blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#23 0x7fd73dc58a89 blink::scheduler::TaskQueueManager::DoWork()
#24 0x7fd744b1988b base::debug::TaskAnnotator::RunTask()
#25 0x7fd744b405a8 base::MessageLoop::RunTask()
#26 0x7fd744b40bc2 base::MessageLoop::DeferOrRunPendingTask()
#27 0x7fd744b40f24 base::MessageLoop::DoWork()
#28 0x7fd744b4231a base::MessagePumpDefault::Run()
#29 0x7fd744b68080 base::RunLoop::Run()
#30 0x7fd742b769fa content::RendererMain()
#31 0x7fd742c7ab47 content::RunZygote()
#32 0x7fd742c7bbfd content::ContentMainRunnerImpl::Run()
#33 0x7fd7450369e7 service_manager::Main()
#34 0x7fd742c7a8a2 content::ContentMain()
#35 0x55e26c61839c ChromeMain
#36 0x7fd73c718f45 __libc_start_main
#37 0x55e26c6181ff <unknown>
  r8: 0000000000000001  r9: 0000000000000000 r10: 00007ffc70a1e56a r11: 0000000000000020
 r12: 000015f05dfd60a8 r13: 000015f05d8db688 r14: 000015f05d7b0000 r15: 000019cce0d82309
  di: 0000000000004000  si: 000015f05d89f000  bp: 000015f05d8db6a0  bx: 0000132059caa540
  dx: 000015f05d7b0000  ax: 0000132059c80000  cx: 000015f05d7b0028  sp: 00007ffc70a1e640
  ip: 00007fd73fab4dc7 efl: 0000000000010206 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000132059c80038
[end of stack trace]
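The same four steps can be driven over the Chrome DevTools Protocol instead of the DevTools UI, which is how a practitioner would turn a "click to expand in the console" report into a scriptable reproduction. Expanding a result in the console issues Runtime.getProperties for the evaluated object, and, as the stack trace shows, that call also collects internal properties; because document.all (an HTMLAllCollection) is callable, the inspector treats it as a function and asks the scope iterator for its scopes, which is where the crash occurred. The script below is an added example and is not part of the bug report or of the V8/Chromium fix. It assumes a Chrome started with --remote-debugging-port, the page target's websocket URL from http://localhost:9222/json passed as the first argument, the global WebSocket of Node 22 or newer for the live run, and that the first default execution context reported belongs to the main frame; the transport is injectable so the protocol sequence can be checked offline with a fake.

```javascript
'use strict';

// Drive the bug's repro steps over the Chrome DevTools Protocol (CDP) rather
// than the DevTools UI. `transport.call(method, params)` sends one CDP request
// and resolves with its `result`; `transport.contexts()` returns the
// Runtime.executionContextCreated contexts seen so far. Both are supplied by
// the caller so the sequence can be exercised with a fake transport offline.

// Step (2): choose the iframe's default execution context. Runtime.enable
// replays one executionContextCreated per live context; auxData carries
// { isDefault, type, frameId }. Assumption: the first default context belongs
// to the main frame, so a default context with a different frameId is an iframe.
function pickIframeContext(contexts) {
  const defaults = contexts.filter(c => c.auxData && c.auxData.isDefault);
  if (defaults.length === 0) return null;
  const mainFrameId = defaults[0].auxData.frameId;
  return defaults.find(c => c.auxData.frameId !== mainFrameId) || null;
}

// Steps (1)-(4) as protocol calls. Returns the iframe context id, the objectId
// of document.all and the Runtime.getProperties result. On an affected build
// the getProperties call is where the renderer died (stack trace:
// getProperties -> internalProperties -> getTargetScopes -> ScopeIterator).
async function reproduce(transport) {
  await transport.call('Runtime.enable', {});
  const ctx = pickIframeContext(transport.contexts());
  if (!ctx) throw new Error('no iframe execution context found');

  // Step (3): evaluate in the iframe context; keep a remote handle, do not
  // serialize, exactly as the console does for an object result.
  const evaluated = await transport.call('Runtime.evaluate', {
    expression: 'document.all',
    contextId: ctx.id,
    returnByValue: false,
    objectGroup: 'repro-759913',
  });
  if (evaluated.exceptionDetails) throw new Error('Runtime.evaluate threw');
  const objectId = evaluated.result.objectId;

  // Step (4): expanding the result in the console issues getProperties, which
  // also computes internalProperties (that is what reached the scope iterator).
  const props = await transport.call('Runtime.getProperties', {
    objectId,
    ownProperties: true,
  });
  await transport.call('Runtime.releaseObjectGroup', { objectGroup: 'repro-759913' });
  return { contextId: ctx.id, objectId, props };
}

// Live transport over a page target's websocket URL, using the global
// WebSocket of Node 22+ (assumption). Not exercised by the offline run.
function makeWebSocketTransport(wsUrl) {
  const ws = new WebSocket(wsUrl);
  const pending = new Map();
  const contexts = [];
  let nextId = 0;
  const opened = new Promise((resolve, reject) => { ws.onopen = resolve; ws.onerror = reject; });
  ws.onmessage = ev => {
    const msg = JSON.parse(ev.data);
    if (msg.method === 'Runtime.executionContextCreated') contexts.push(msg.params.context);
    if (msg.id && pending.has(msg.id)) {
      const { resolve, reject } = pending.get(msg.id);
      pending.delete(msg.id);
      if (msg.error) reject(new Error(msg.error.message)); else resolve(msg.result);
    }
  };
  return {
    contexts: () => contexts,
    call: async (method, params) => {
      await opened;
      const id = ++nextId;
      return new Promise((resolve, reject) => {
        pending.set(id, { resolve, reject });
        ws.send(JSON.stringify({ id, method, params }));
      });
    },
    close: () => ws.close(),
  };
}

// Usage: node repro.js ws://localhost:9222/devtools/page/<target-id>
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const t = makeWebSocketTransport(process.argv[2]);
  reproduce(t).then(
    r => { console.log(JSON.stringify(r, null, 2)); t.close(); },
    e => { console.error(e); t.close(); process.exit(1); });
}

if (typeof module !== 'undefined') {
  module.exports = { pickIframeContext, reproduce, makeWebSocketTransport };
}
```

On a build carrying the fix, the script prints the property list of the HTMLAllCollection; on an affected build the websocket closes during Runtime.getProperties because the renderer process is gone. Note that step (2) matters: evaluating document.all in the main frame's context and expanding it does not take the same path, which is why the report narrows the trigger to the iframe execution context.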


Comment 1 by bugdroid1@chromium.org (Project Member), Sep 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/90eb06b3862d4b717aab1cb753f9a460700ce765

commit 90eb06b3862d4b717aab1cb753f9a460700ce765
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Tue Sep 12 19:24:34 2017

[inspector] prepare debug::ScopeIterator for function without context

Some API functions have no context and debug::ScopeIterator::
CreateForFunction is crashing on attempt to get context.

R=jgruber@chromium.org

Bug:  chromium:759913 
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I0a9861ea2d19bceff97c4394b34a8dda45222b78
Reviewed-on: https://chromium-review.googlesource.com/661789
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47981}
[modify] https://crrev.com/90eb06b3862d4b717aab1cb753f9a460700ce765/src/debug/debug-scope-iterator.cc
[modify] https://crrev.com/90eb06b3862d4b717aab1cb753f9a460700ce765/src/inspector/v8-debugger.cc

Status: Fixed (was: Assigned)
