Bug 61758 - Freezing a function and its prototype causes browser to crash.
Summary: Freezing a function and its prototype causes browser to crash.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.5
: P2 Major
Assignee: Oliver Hunt
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-30 21:09 PDT by Mark S. Miller
Modified: 2011-06-01 12:34 PDT (History)
2 users (show)

See Also:


Attachments
Crash log attached as requested (34.70 KB, text/plain)
2011-05-31 17:09 PDT, Mark S. Miller
no flags Details
Patch (8.73 KB, patch)
2011-05-31 18:25 PDT, Oliver Hunt
ggaren: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mark S. Miller 2011-05-30 21:09:11 PDT
On Version 5.0.5 (5533.21.1, r87697), in a squarefree shell (but consistent with other behavior I've seen), I type in:

function foo(){}
Object.freeze(foo);
Object.freeze(foo.prototype);

I then get a beach ball for a short while only over that Safari, and then that Safari crashes. For the sake of isolating this, I tried rebooting and launching a fresh Safari. Same symptoms.
Comment 1 Alexey Proskuryakov 2011-05-31 15:52:39 PDT
Could you please attach a crash log <http://www.webkit.org/quality/crashlogs.html>?
Comment 2 Mark S. Miller 2011-05-31 17:09:27 PDT
Created attachment 95514 [details]
Crash log attached as requested

After WebKit nightly crashed, I did not get a CrashReporter window. So I followed the instructions at http://www.webkit.org/quality/crashlogs.html as requested to find the attached crash log.
Comment 3 Oliver Hunt 2011-05-31 18:25:43 PDT
Created attachment 95527 [details]
Patch
Comment 4 Geoffrey Garen 2011-06-01 11:05:10 PDT
Comment on attachment 95527 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=95527&action=review

r=me

> Source/JavaScriptCore/runtime/JSFunction.cpp:193
> +    createPrototypeProperty(globalData, scope()->globalObject.get(), this);

It's kind of a shame that "no new properties" actually means "create a lot of properties right now, and none later". In the future, I think it would be nice to still allow host objects to lazily instantiate their properties, even though we forbid user extension of the object.

> Source/JavaScriptCore/runtime/JSObject.cpp:520
> +    if (isExtensible())
> +        preventExtensions(globalData);
>      setStructure(globalData, Structure::sealTransition(globalData, m_structure.get()));
>  }
>  
>  void JSObject::freeze(JSGlobalData& globalData)
>  {
> +    if (isExtensible())
> +        preventExtensions(globalData);

Instead of checking isExtensible() (which preventExtensions already does for us), I think we should check isSealed() and isFrozen() in each function, respectively, and skip the whole operation if it's been done already.
Comment 5 Oliver Hunt 2011-06-01 11:08:34 PDT
Committed r87826: <http://trac.webkit.org/changeset/87826>
Comment 6 Ademar Reis 2011-06-01 12:34:35 PDT
Revision r87826 cherry-picked into qtwebkit-2.2 with commit 638ed3d <http://gitorious.org/webkit/qtwebkit/commit/638ed3d>