windowjs / windowjs

Window.js is an open-source JavaScript runtime for desktop graphics programming.

Home Page: https://windowjs.org


Calling window.js object methods with an incompatible receiver causes a hard crash

hamish-milne opened this issue

Repro console commands:

  • ImageBitmap.prototype.width
  • ImageBitmap.prototype.encode()
  • ImageData.prototype.width
  • CanvasRenderingContext2D.prototype.getTransform()

etc.

Expected output: Something like

TypeError: Method get ArrayBuffer.prototype.byteLength called on incompatible receiver #<ArrayBuffer>
    at ArrayBuffer.get byteLength [as byteLength] (<anonymous>)

Actual output: crash.

(This is presumably because the API wrapper functions don't yet check the result of info.This())

Thanks for the report. This crashes consistently.

==== C stack trace ===============================
v8::base::debug::StackTrace::StackTrace [0x00007FF7F8B08DFB+27]
OnUnhandledException [0x00007FF7F89B7D37+87] (C:\Users\Joao\windowjs\src\fail.cc:31)
UnhandledExceptionFilter [0x00007FFB593AB857+487]
memset [0x00007FFB5B7F51B0+5040]
_C_specific_handler [0x00007FFB5B7DC766+150]
_chkstk [0x00007FFB5B7F20CF+287]
RtlRaiseException [0x00007FFB5B7A1454+1076]
KiUserExceptionDispatcher [0x00007FFB5B7F0BFE+46]
sk_sp::operator-> [0x00007FF7F8A40E59+9] (C:\Users\Joao\windowjs\libraries\skia\include\core\SkRefCnt.h:299)
ImageBitmapApi::width [0x00007FF7F8A41237+23] (C:\Users\Joao\windowjs\src\js_api_canvas.h:319)
ImageBitmapApi::GetWidth [0x00007FF7F8A3AF9E+286] (C:\Users\Joao\windowjs\src\js_api_canvas.cc:2287)
v8::internal::PropertyCallbackArguments::CallAccessorGetter [0x00007FF7F8D180BC+316]
v8::internal::Object::GetPropertyWithAccessor [0x00007FF7F8D170B6+566]
v8::internal::Object::GetProperty [0x00007FF7F8D166E0+240]
v8::internal::LoadIC::Load [0x00007FF7F9286689+2057]
v8::internal::Runtime_LoadNoFeedbackIC_Miss [0x00007FF7F92900EA+314]
Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit [0x00007FF7F9C78AFC+60]
Builtins_LdaNamedPropertyHandler [0x00007FF7F9D0C776+5494]
Builtins_InterpreterEntryTrampoline [0x00007FF7F9BFA422+226]
Builtins_JSEntryTrampoline [0x00007FF7F9BF845C+92]
Builtins_JSEntry [0x00007FF7F9BF805B+219]
v8::internal::Execution::Call [0x00007FF7F8D7A24E+3470]
v8::internal::Execution::CallScript [0x00007FF7F8D7A5EC+252]
v8::Script::Run [0x00007FF7F8B18D66+1366]
v8::Script::Run [0x00007FF7F8B187FD+13]
Js::ExecuteScript [0x00007FF7F89D3F51+1137] (C:\Users\Joao\windowjs\src\js.cc:241)
Main::HandleMessageFromConsoleProcess [0x00007FF7F8A8164B+1531] (C:\Users\Joao\windowjs\src\main.cc:384)
Main::ShowConsole::::operator()::::operator() [0x00007FF7F8A8502A+74] (C:\Users\Joao\windowjs\src\main.cc:285)
std::invoke<lambda at ..\src\main.cc:284:28' &> [0x00007FF7F8A84FD3+19] (C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\include\type_traits:1478)
std::_Invoker_ret<void,1>::_Call<lambda at ..\src\main.cc:284:28' &> [0x00007FF7F8A84FB3+19] (C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\include\functional:652)
std::_Func_impl_no_alloc<`lambda at ..\src\main.cc:284:28',void>::_Do_call [0x00007FF7F8A84E77+23] (C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\include\functional:822)
std::_Func_class::operator() [0x00007FF7F8A990F4+68] (C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.30.30705\include\functional:869)
TaskQueue::RunTasks [0x00007FF7F8A981CF+303] (C:\Users\Joao\windowjs\src\task_queue.cc:52)
Main::RunUntilClosed [0x00007FF7F8A7EE51+737] (C:\Users\Joao\windowjs\src\main.cc:171)
main [0x00007FF7F8A7EA62+418] (C:\Users\Joao\windowjs\src\main.cc:41)
__scrt_common_main_seh [0x00007FF7F9D7FA30+268] (d:\a01_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288)
BaseThreadInitThunk [0x00007FFB5A217034+20]
RtlUserThreadStart [0x00007FFB5B7A2651+33]
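
The repro commands from the report, generalised into a sweep over every accessor and method on a prototype, as an added example that is not part of the original thread or the Window.js code base. `probeReceivers`, `unchecked`, `LooseImage` and `StrictImage` are hypothetical names, and the two classes are constructed stand-ins so the sweep runs in any JavaScript engine; under Window.js the constructors to pass would be the ones named in the report.

```javascript
// Invoke every accessor and method on ctor.prototype with the prototype itself
// as the receiver, as the repro commands in the report do.
function probeReceivers(ctor) {
  const proto = ctor.prototype;
  const results = [];
  for (const key of Reflect.ownKeys(proto)) {
    if (key === "constructor") continue;
    const desc = Object.getOwnPropertyDescriptor(proto, key);
    const calls = [];
    if (typeof desc.get === "function") calls.push(["get", desc.get]);
    if (typeof desc.value === "function") calls.push(["call", desc.value]);
    for (const [kind, fn] of calls) {
      let outcome;
      try {
        Reflect.apply(fn, proto, []);
        outcome = "returned"; // body ran without rejecting the receiver
      } catch (err) {
        outcome = err instanceof TypeError ? "TypeError" : "threw other";
      }
      results.push({ member: `${kind} ${String(key)}`, outcome });
    }
  }
  return results;
}

// Members that did anything other than reject the receiver with a TypeError.
function unchecked(ctor) {
  return probeReceivers(ctor)
    .filter((r) => r.outcome !== "TypeError")
    .map((r) => r.member);
}

// Constructed stand-ins (hypothetical, not Window.js classes).
class LooseImage {
  constructor(w) { this._w = w; }
  get width() { return this._w; } // trusts `this`
  encode() { return `png:${this._w}`; }
}
class StrictImage {
  #w;
  constructor(w) { this.#w = w; }
  get width() { return this.#w; } // private-field access brand-checks `this`
  encode() { return `png:${this.#w}`; }
}

for (const ctor of [ArrayBuffer, LooseImage, StrictImage]) {
  console.log(ctor.name, unchecked(ctor));
}
```

A TypeError raised for some other reason, such as a missing argument, also counts as a pass here, so the sweep is a smoke test rather than proof that a receiver check exists. In a runtime with the defect described in the report, the process would crash partway through the sweep, and a run that does not finish is itself the failing result.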