[Webkit-unassigned] [Bug 16800] REGRESSION: stack overflow crash in regress-96526-002.js

Tue Jul 29 15:20:33 PDT 2008

https://bugs.webkit.org/show_bug.cgi?id=16800

------- Comment #2 from chrisb at adobe.com  2008-07-29 15:20 PDT -------
After debugging this for a while, a squirrel fix enabled build, I don't think
this bug is windows specific.  Post squirrel fish, this bug still occurs
because the CodeGenerator uses recursion to walk the parse tree to generate the
byte code.

I can think of three ways to fix this bug:
#1 Have CodeGenerator::emitNode keep track how many times it has be entered and
emit code to throw an exception ( or fail in some other way ) when it has been
re-entered too many times.
#2 Have the JS parser keep track of the depth of the parse tree treat that as a
syntax error or insert nodes that will cause the CodeGenerator to emit code
that throws an exception.
#3 Change the CodeGenerator to not use plain C++ recursion

#3 is arguably the correct option in the long run, but may involve significant
code changes in the near term, including changing the interface between parse
tree nodes and the CodeGenerator.

This is the stack trace that I'm seeing:
.
.
.
#1437   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1438   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1439   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1440   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1441   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1442   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1443   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1444   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1445   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1446   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1447   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1448   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1449   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1450   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1451   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1452   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1453   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1454   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1455   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1456   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1457   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1458   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1459   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1460   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1461   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1462   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1463   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1464   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1465   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1466   0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1467   0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1468   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1469   0x1a70867b in KJS::ExprStatementNode::emitCode at nodes.cpp:4861
#1470   0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1471   0x1a707380 in statementListEmitCode at nodes.cpp:4771
#1472   0x1a70aab5 in KJS::EvalNode::emitCode at nodes.cpp:5840
#1473   0x1a6de316 in KJS::CodeGenerator::generate at CodeGenerator.cpp:136
#1474   0x1a7064cf in KJS::EvalNode::generateCode at nodes.cpp:5856
#1475   0x1a77f83d in KJS::EvalNode::code at nodes.h:3202
#1476   0x1a77e397 in KJS::Machine::execute at Machine.cpp:851
#1477   0x1a77f248 in callEval at Machine.cpp:473
#1478   0x1a77cac9 in KJS::Machine::privateExecute at Machine.cpp:2031
#1479   0x1a77ed56 in KJS::Machine::execute at Machine.cpp:776
#1480   0x1a71bb92 in KJS::Interpreter::evaluate at interpreter.cpp:81
#1481   0x1aae1b90 in WebCore::KJSProxy::evaluate at kjs_proxy.cpp:89
#1482   0x1a9a304d in WebCore::FrameLoader::executeScript at
FrameLoader.cpp:819
#1483   0x1a9778a8 in WebCore::HTMLTokenizer::scriptExecution at
HTMLTokenizer.cpp:556
#1484   0x1a978f6c in WebCore::HTMLTokenizer::scriptHandler at
HTMLTokenizer.cpp:489
#1485   0x1a979595 in WebCore::HTMLTokenizer::parseSpecial at
HTMLTokenizer.cpp:334
#1486   0x1a97b60d in WebCore::HTMLTokenizer::parseTag at
HTMLTokenizer.cpp:1514
#1487   0x1a97bfb9 in WebCore::HTMLTokenizer::write at HTMLTokenizer.cpp:1749
#1488   0x1a99b6de in WebCore::FrameLoader::write at FrameLoader.cpp:1070
#1489   0x1a99b7f4 in WebCore::FrameLoader::addData at FrameLoader.cpp:1905
.
.
.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.