ScriptFunctionCall::call() can return an empty JSValue if the watchdo…

…g timer fires, callers should check for this https://bugs.webkit.org/show_bug.cgi?id=165875 Reviewed by Devin Rousso. ScriptFunctionCall::call() may return empty JSValue from several places, the callers now check for emptiness first before accessing the value. Unfortunately, I don't have a reliable repro which could be converted to a layout test like the one in 11d211b even though the symptoms are similar. * Source/JavaScriptCore/inspector/InjectedScript.cpp: (Inspector::InjectedScript::wrapObject const): (Inspector::InjectedScript::wrapJSONString const): (Inspector::InjectedScript::wrapTable const): (Inspector::InjectedScript::previewValue const): (Inspector::InjectedScript::createCommandLineAPIObject const): Canonical link: https://commits.webkit.org/270739@main
WebKit · Nov 15, 2023 · a4eed62 · a4eed62
1 parent 6695e0a
commit a4eed62
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 10 deletions.
diff --git a/Source/JavaScriptCore/inspector/InjectedScript.cpp b/Source/JavaScriptCore/inspector/InjectedScript.cpp
@@ -286,7 +286,7 @@ RefPtr<Protocol::Runtime::RemoteObject> InjectedScript::wrapObject(JSC::JSValue
     wrapFunction.appendArgument(generatePreview);
 
     auto callResult = callFunctionWithEvalEnabled(wrapFunction);
-    if (!callResult)
+    if (!callResult || !callResult.value())
         return nullptr;
 
     auto resultValue = toInspectorValue(globalObject(), callResult.value());
@@ -309,7 +309,7 @@ RefPtr<Protocol::Runtime::RemoteObject> InjectedScript::wrapJSONString(const Str
     wrapFunction.appendArgument(generatePreview);
 
     auto callResult = callFunctionWithEvalEnabled(wrapFunction);
-    if (!callResult)
+    if (!callResult || !callResult.value())
         return nullptr;
 
     if (callResult.value().isNull())
@@ -338,7 +338,7 @@ RefPtr<Protocol::Runtime::RemoteObject> InjectedScript::wrapTable(JSC::JSValue t
         wrapFunction.appendArgument(columns);
 
     auto callResult = callFunctionWithEvalEnabled(wrapFunction);
-    if (!callResult)
+    if (!callResult || !callResult.value())
         return nullptr;
 
     auto resultValue = toInspectorValue(globalObject(), callResult.value());
@@ -359,7 +359,7 @@ RefPtr<Protocol::Runtime::ObjectPreview> InjectedScript::previewValue(JSC::JSVal
     wrapFunction.appendArgument(value);
 
     auto callResult = callFunctionWithEvalEnabled(wrapFunction);
-    if (!callResult)
+    if (!callResult || !callResult.value())
         return nullptr;
 
     auto resultValue = toInspectorValue(globalObject(), callResult.value());
@@ -411,7 +411,7 @@ JSC::JSValue InjectedScript::findObjectById(const String& objectId) const
 
     auto callResult = callFunctionWithEvalEnabled(function);
     ASSERT(callResult);
-    if (!callResult)
+    if (!callResult || !callResult.value())
         return { };
     return callResult.value();
 }
@@ -449,7 +449,7 @@ JSC::JSObject* InjectedScript::createCommandLineAPIObject(JSC::JSValue callFrame
 
     auto callResult = callFunctionWithEvalEnabled(function);
     ASSERT(callResult);
-    return callResult ? asObject(callResult.value()) : nullptr;
+    return callResult && callResult.value() ? asObject(callResult.value()) : nullptr;
 }
 
 JSC::JSValue InjectedScript::arrayFromVector(Vector<JSC::JSValue>&& vector)

diff --git a/Source/JavaScriptCore/inspector/InjectedScriptBase.cpp b/Source/JavaScriptCore/inspector/InjectedScriptBase.cpp
@@ -196,10 +196,8 @@ void InjectedScriptBase::makeAsyncCall(ScriptFunctionCall& function, AsyncCallCa
     function.appendArgument(JSC::JSValue(jsFunction));
 
     auto result = callFunctionWithEvalEnabled(function);
-    ASSERT_UNUSED(result, result.value().isUndefined());
-
-    ASSERT(result);
-    if (!result) {
+    ASSERT_UNUSED(result, result && result.value() && result.value().isUndefined());
+    if (!result || !result.value()) {
         // Since `callback` is moved above, we can't call it if there's an exception while trying to
         // execute the `JSNativeStdFunction` inside InjectedScriptSource.js.
         jsFunction->function()(globalObject, nullptr);

diff --git a/Source/JavaScriptCore/inspector/InjectedScriptModule.cpp b/Source/JavaScriptCore/inspector/InjectedScriptModule.cpp
@@ -76,6 +76,10 @@ void InjectedScriptModule::ensureInjected(InjectedScriptManager* injectedScriptM
         WTFLogAlways("Error when calling 'hasInjectedModule' for '%s': %s (%d:%d)\n", name().utf8().data(), error->value().toWTFString(injectedScript.globalObject()).utf8().data(), line, column);
         RELEASE_ASSERT_NOT_REACHED();
     }
+    if (!hasInjectedModuleResult.value()) {
+        WTFLogAlways("VM is terminated when calling 'injectModule' for '%s'\n", name().utf8().data());
+        RELEASE_ASSERT_NOT_REACHED();
+    }
     if (!hasInjectedModuleResult.value().isBoolean() || !hasInjectedModuleResult.value().asBoolean()) {
         ScriptFunctionCall function(injectedScript.globalObject(), injectedScript.injectedScriptObject(), "injectModule"_s, injectedScriptManager->inspectorEnvironment().functionCallHandler());
         function.appendArgument(name());