[Webkit-unassigned] [Bug 12216] New: Stack overflow crash in Javascript

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 11 15:28:15 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=12216

           Summary: Stack overflow crash in Javascript
           Product: WebKit
           Version: 420+ (nightly)
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dacarson at gmail.com


In relation to the bug:
http://bugs.webkit.org/show_bug.cgi?id=3743
If I add two more zeros in the for loop below (taken from the test case for the
bug), a stack overflow occurs in the Mark() GC functionality, before it makes
it to the ary.toString() call.

var ary=[0];
for(var i=1; i<1000000; i++)
  ary=[ary, i];

shouldThrow("ary.toString()");

It seems that the Mac dumps out at a stack depth of 174580 frames.
Below is a copy of the stack dump with the repeating part removed. The current
stack overflow protection relies on JS going through the method
JSObject::call(). However, as can be seen from the stack dump, it does not go
through it. We can check the depth in mark() and throw an exception, but that implies
we will never mark the inner objects and they won't be GC'd later.


#0      0x0053a957 in KJS::JSImmediate::isImmediate at JSImmediate.h:64
#1      0x0053b0af in KJS::JSValue::downcast at value.h:249
#2      0x0053b240 in KJS::JSValue::marked at value.h:357
#3      0x004e458f in KJS::JSObject::mark at object.cpp:122
#4      0x004ba49f in KJS::ArrayInstance::mark at array_object.cpp:278
#5      0x0053b219 in KJS::JSValue::mark at value.h:352
#6      0x004ba4fb in KJS::ArrayInstance::mark at array_object.cpp:283
#7      0x0053b219 in KJS::JSValue::mark at value.h:352
#8      0x004ba4fb in KJS::ArrayInstance::mark at array_object.cpp:283
#9      0x0053b219 in KJS::JSValue::mark at value.h:352
#10     0x004ba4fb in KJS::ArrayInstance::mark at array_object.cpp:283
....
#174509 0x0053b219 in KJS::JSValue::mark at value.h:352
#174510 0x004ba4fb in KJS::ArrayInstance::mark at array_object.cpp:283
#174511 0x0053b219 in KJS::JSValue::mark at value.h:352
#174512 0x004ba4fb in KJS::ArrayInstance::mark at array_object.cpp:283
#174513 0x0053b219 in KJS::JSValue::mark at value.h:352
#174514 0x004ba4fb in KJS::ArrayInstance::mark at array_object.cpp:283
#174515 0x0053b219 in KJS::JSValue::mark at value.h:352
#174516 0x004e7456 in KJS::PropertyMap::mark at property_map.cpp:551
#174517 0x004e45ae in KJS::JSObject::mark at object.cpp:125
#174518 0x012680c7 in KJS::Window::mark at kjs_window.cpp:465
#174519 0x005434ee in KJS::ScopeChain::mark at object.h:596
#174520 0x0052eab4 in KJS::Context::mark at Context.cpp:92
#174521 0x004cb3ae in KJS::Interpreter::mark at interpreter.cpp:657
#174522 0x0124fc10 in KJS::ScriptInterpreter::mark at kjs_binding.cpp:227
#174523 0x004bf45d in KJS::Collector::collect at collector.cpp:474
#174524 0x004bf984 in KJS::Collector::allocate at collector.cpp:123
#174525 0x004f3371 in KJS::JSCell::operator new at value.cpp:41
#174526 0x004baba3 in KJS::ArrayObjectImp::construct at array_object.cpp:960
#174527 0x004dc51f in KJS::ElementNode::evaluate at nodes.cpp:413
#174528 0x004dc38a in KJS::ArrayNode::evaluate at nodes.cpp:438
#174529 0x004dea09 in KJS::AssignResolveNode::evaluate at nodes.cpp:1420
#174530 0x004d836c in KJS::ExprStatementNode::execute at nodes.cpp:1672
#174531 0x004d7484 in KJS::ForNode::execute at nodes.cpp:1819
#174532 0x004d609a in KJS::SourceElementsNode::execute at nodes.cpp:2455
#174533 0x004d489c in KJS::BlockNode::execute at nodes.cpp:1648
#174534 0x004cdec1 in KJS::Interpreter::evaluate at interpreter.cpp:478
#174535 0x01266e9d in WebCore::KJSProxy::evaluate at kjs_proxy.cpp:65
#174536 0x0139d3f5 in WebCore::FrameLoader::executeScript at FrameLoader.cpp:690
#174537 0x0101dc0a in WebCore::HTMLTokenizer::scriptExecution at HTMLTokenizer.cpp:501
#174538 0x010203e8 in WebCore::HTMLTokenizer::scriptHandler at HTMLTokenizer.cpp:451
#174539 0x010208ff in WebCore::HTMLTokenizer::parseSpecial at HTMLTokenizer.cpp:308
#174540 0x0102277c in WebCore::HTMLTokenizer::parseTag at HTMLTokenizer.cpp:1228
#174541 0x01022f84 in WebCore::HTMLTokenizer::write at HTMLTokenizer.cpp:1442
#174542 0x01393302 in WebCore::FrameLoader::write at FrameLoader.cpp:891
#174543 0x0139342b in WebCore::FrameLoader::addData at FrameLoader.cpp:1511
#174544 0x010fbf4f in -[WebCoreFrameBridge addData:] at WebCoreFrameBridge.mm:298
#174545 0x010ff7b6 in -[WebCoreFrameBridge receivedData:textEncodingName:] at WebCoreFrameBridge.mm:1621
#174546 0x00331db1 in -[WebHTMLRepresentation receivedData:withDataSource:] at WebHTMLRepresentation.mm:157
#174547 0x0032c2c7 in -[WebDataSource(WebInternal) _receivedData:] at WebDataSource.mm:175
#174548 0x00394087 in WebFrameLoaderClient::committedLoad at WebFrameLoaderClient.mm:623
#174549 0x0138fedf in WebCore::FrameLoader::committedLoad at FrameLoader.cpp:2861
#174550 0x0139f8d1 in WebCore::DocumentLoader::commitLoad at DocumentLoader.cpp:329
#174551 0x0139f92a in WebCore::DocumentLoader::receivedData at DocumentLoader.cpp:341
#174552 0x0138f35b in WebCore::FrameLoader::receivedData at FrameLoader.cpp:1901
#174553 0x01376078 in WebCore::MainResourceLoader::addData at MainResourceLoaderMac.mm:144
#174554 0x01374e31 in WebCore::ResourceLoader::didReceiveData at ResourceLoaderMac.mm:225
#174555 0x013763ad in WebCore::MainResourceLoader::didReceiveData at MainResourceLoaderMac.mm:314
#174556 0x01374a1e in WebCore::ResourceLoader::didReceiveData at ResourceLoaderMac.mm:385
#174557 0x01383424 in -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] at ResourceHandleMac.mm:291
#174558 0x9265eb86 in -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback]
#174559 0x9265ce67 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks]
#174560 0x9265cb41 in _sendCallbacks
#174561 0x9082afd2 in CFRunLoopRunSpecific
#174562 0x9082ab0e in CFRunLoopRunInMode
#174563 0x9262ddc6 in -[NSRunLoop runMode:beforeDate:]
#174564 0x9267b970 in -[NSRunLoop runUntilDate:]
#174565 0x9352f0c0 in NSCoreDragReceiveProc
#174566 0x917f517d in DoDropMessage
#174567 0x917f633d in CoreDragMessageHandler
#174568 0x90872b7a in __CFMessagePortPerform
#174569 0x9082b66d in CFRunLoopRunSpecific
#174570 0x9082ab0e in CFRunLoopRunInMode
#174571 0x92ddabef in RunCurrentEventLoopInMode
#174572 0x92dda2fd in ReceiveNextEventCommon
#174573 0x92dda154 in BlockUntilNextEventMatchingListInMode
#174574 0x9327f465 in _DPSNextEvent
#174575 0x9327f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
#174576 0x00006cea in ??
#174577 0x93278ddb in -[NSApplication run]
#174578 0x9326cd2f in NSApplicationMain
#174579 0x0005f54a in ??
#174580 0x0005f471 in ??

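An added illustration, not part of the bug report or of WebKit's code: a toy marker in C++ that mirrors the recursive ArrayInstance::mark -> JSValue::mark path in the dump above, beside a worklist-based marker that visits the same million-deep ary=[ary,i] chain in constant native stack and so never has to skip inner objects the way a depth check in mark() would. Cell, markRecursive, markIterative, buildNestedChain and countMarked are hypothetical names chosen for this example.

```cpp
#include <cstddef>
#include <memory>
#include <vector>
// Toy heap cell standing in for KJS::ArrayInstance: a mark bit plus the
// element pointers mark() has to follow.
struct Cell {
    bool marked = false;
    std::vector<Cell*> elements;
};

// Recursive marker in the shape of the crashing path (ArrayInstance::mark ->
// JSValue::mark -> ...): native stack use grows with the nesting depth.
static void markRecursive(Cell* c) {
    if (c->marked) return;
    c->marked = true;
    for (Cell* e : c->elements)
        markRecursive(e);
}

// Iterative marker with an explicit worklist: same reachability result in
// constant native stack at any depth, and no inner object is left unmarked.
static void markIterative(Cell* root) {
    std::vector<Cell*> worklist{root};
    while (!worklist.empty()) {
        Cell* c = worklist.back();
        worklist.pop_back();
        if (c->marked) continue;
        c->marked = true;
        for (Cell* e : c->elements)
            if (!e->marked) worklist.push_back(e);
    }
}

// Build the bug's graph: ary=[0], then depth-1 times ary=[ary, i]. The int i
// is an immediate in KJS, so only the arrays are cells; `cells` owns them all.
static Cell* buildNestedChain(std::size_t depth,
                              std::vector<std::unique_ptr<Cell>>& cells) {
    cells.emplace_back(new Cell());
    Cell* ary = cells.back().get();
    for (std::size_t i = 1; i < depth; ++i) {
        cells.emplace_back(new Cell());
        cells.back()->elements.push_back(ary);
        ary = cells.back().get();
    }
    return ary;
}

static std::size_t countMarked(const std::vector<std::unique_ptr<Cell>>& cells) {
    std::size_t n = 0;
    for (const auto& c : cells) n += c->marked ? 1 : 0;
    return n;
}
```

markRecursive is only safe on shallow graphs here; the deep chain is marked with markIterative.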
