[Bug 25658] Unreproducible crash in Safari at com.apple.JavaScriptCore - JSC::BytecodeGenerator::emitComplexJumpScopes + 468

bugzilla-daemon at webkit.org
Fri May 8 19:23:49 PDT 2009

https://bugs.webkit.org/show_bug.cgi?id=25658

------- Comment #1 from ggaren at apple.com  2009-05-08 19:23 PDT -------
4/24/09 3:12 PM Geoff Garen:
Symbolicated:
    0   com.apple.JavaScriptCore        0x95fb1604 JSC::BytecodeGenerator::emitComplexJumpScopes(JSC::Label*, JSC::ControlFlowContext*, JSC::ControlFlowContext*) + 468 (/SourceCache/JavaScriptCore/JavaScriptCore-5528.15/bytecompiler/BytecodeGenerator.cpp:1576)
    1   com.apple.JavaScriptCore        0x95f8ba6d JSC::BytecodeGenerator::emitJumpScopes(JSC::Label*, int) + 301 (/SourceCache/JavaScriptCore/JavaScriptCore-5528.15/bytecompiler/BytecodeGenerator.cpp:1594)

5/1/09 12:13 AM Geoff Garen:
BytecodeGenerator.cpp:
        do {
            ASSERT(topScope->isFinallyBlock);
            emitJumpSubroutine(topScope->finallyContext.retAddrDst, topScope->finallyContext.finallyAddr);
            --topScope;
            // topScope is dereferenced here, before the loop condition below compares it with bottomScope
            if (!topScope->isFinallyBlock) // <-- CRASH (BytecodeGenerator.cpp:1576)
                break;
        } while (topScope > bottomScope);

5/1/09 12:16 AM Geoff Garen:
Looks like this code is unmodified since its initial merge in
http://trac.webkit.org/changeset/33979.

5/8/09 7:20 PM Geoff Garen:
Another idea: the set of tokens that can cause an emitComplexJumpScopes is
pretty limited. Try writing a fuzzer to create different combinations and
nesting levels regarding those tokens, and see if you can get it to crash.
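The fuzzer suggested in the comment above, sketched as an added example (this is not code from the bug report or from WebKit). It is a small grammar-based generator for the constructs that push control-flow and scope contexts in the bytecode generator (try/finally, try/catch, with, switch, labeled loops) combined with break/continue/return at varying nesting depths. Every case is built from a seed so a crashing input can be regenerated exactly. It assumes a Node.js (or any ES5+) engine: on an affected JavaScriptCore build the crash would surface as a process abort during `new Function`, whereas a SyntaxError indicates a bug in the generator itself, not in the engine.

```javascript
// Added example, not part of the bug report: seedable generator for nested
// try/finally, try/catch, with, switch and labeled-loop constructs combined
// with break/continue/return, compiled via `new Function` to exercise the
// bytecode compiler. Assumes a Node.js (or any ES5+) runtime.

// Seedable PRNG (mulberry32) so any failing case is reproducible by seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Emit one statement at the given nesting depth. `labels` lists the labels of
// the loops enclosing this point, so every break/continue has a valid target.
function genStatement(rng, depth, labels) {
  const pick = (arr) => arr[Math.floor(rng() * arr.length)];
  if (depth <= 0) {
    const leaves = ['x++;', 'return x;'];
    if (labels.length) {
      leaves.push(`break ${pick(labels)};`, `continue ${pick(labels)};`);
    }
    return pick(leaves);
  }
  const inner = () => genStatement(rng, depth - 1, labels);
  switch (pick(['finally', 'catch', 'loop', 'switch', 'with'])) {
    case 'finally':
      return `try { ${inner()} } finally { ${inner()} }`;
    case 'catch':
      return `try { ${inner()} } catch (e) { ${inner()} }`;
    case 'loop': {
      const n = labels.length; // unique label and index variable per nesting level
      const body = genStatement(rng, depth - 1, labels.concat(`L${n}`));
      return `L${n}: for (var i${n} = 0; i${n} < 2; i${n}++) { ${body} }`;
    }
    case 'switch':
      return `switch (x) { case 0: ${inner()} default: ${inner()} }`;
    default:
      return `with ({}) { ${inner()} }`;
  }
}

// Build the source text of one test case from a seed and a nesting depth.
function generateCase(seed, depth) {
  const rng = mulberry32(seed);
  return `var x = 0; ${genStatement(rng, depth, [])} return x;`;
}

// Compile and execute `count` cases; returns the ones that threw, together
// with the seed needed to regenerate them. An engine crash would abort the
// process before this function returns.
function runCampaign(count, depth, startSeed = 1) {
  const failures = [];
  for (let seed = startSeed; seed < startSeed + count; seed++) {
    const src = generateCase(seed, depth);
    try {
      new Function(src)();
    } catch (e) {
      failures.push({ seed, src, error: String(e) });
    }
  }
  return failures;
}

if (typeof require !== 'undefined' && require.main === module) {
  const bad = runCampaign(1000, 5);
  console.log(bad.length ? bad.slice(0, 3) : 'all cases compiled and ran');
}
```

Each loop level gets its own label and index variable, so a `continue` to an outer label still advances that loop's counter and no generated case can spin forever; the leaf statements only jump to labels that actually enclose them, which keeps every case syntactically valid and makes any failure attributable to the engine rather than to the generator.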
