[Webkit-unassigned] [Bug 124508] New: Crash in JSC::Label::bind
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Nov 18 08:32:17 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=124508
Summary: Crash in JSC::Label::bind
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: reni at webkit.org
Blocks: 116980
Created an attachment (id=217201)
--> (https://bugs.webkit.org/attachment.cgi?id=217201&action=review)
Test case
The test below crashes on x86_64 Ubuntu 12.04. It is seems like a recursive loop, but we shouldn't even step into the switch, since var_1 is undeclared. I can reproduce it both with EFL and NIX builds.
function function_0() {
switch (var_1) {
case "foo":
switch (var_1) {
case "foo":
switch (var_1) {
case "foo":
switch (var_1) {
case var_1:
try {} catch (e_0) {
break;
} finally {
switch (var_1) {
case "foo":
label_2:
for (;;)
label_3:
for (;;)
continue label_3;
}
}
}
}
}
}
}
function_0();
===============================================
The backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff70ab520 in JSC::Label::bind (this=0x0, opcode=157, offset=158)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/Label.h:55
55 if (m_location == invalidLocation) {
(gdb) bt
#0 0x00007ffff70ab520 in JSC::Label::bind (this=0x0, opcode=157, offset=158)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/Label.h:55
#1 0x00007ffff70a0935 in JSC::BytecodeGenerator::emitJump (this=0x673c00, target=0x0)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:695
#2 0x00007ffff70db2c0 in JSC::BreakNode::emitBytecode (this=0x670548, generator=...)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1900
#3 0x00007ffff70ac827 in JSC::BytecodeGenerator::emitNode (this=0x673c00, dst=0x673c58, n=0x670548)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
#4 0x00007ffff70e02d5 in JSC::SourceElements::emitBytecode (this=0x670530, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
#5 0x00007ffff70d8fb0 in JSC::BlockNode::emitBytecode (this=0x670590, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1523
#6 0x00007ffff70ac827 in JSC::BytecodeGenerator::emitNode (this=0x673c00, dst=0x673c58, n=0x670590)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
#7 0x00007ffff70dc967 in JSC::TryNode::emitBytecode (this=0x670808, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2175
#8 0x00007ffff70ac827 in JSC::BytecodeGenerator::emitNode (this=0x673c00, dst=0x673c58, n=0x670808)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
#9 0x00007ffff70e02d5 in JSC::SourceElements::emitBytecode (this=0x6704f8, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
#10 0x00007ffff70e038c in JSC::CaseClauseNode::emitBytecode (this=0x670840, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1942
#11 0x00007ffff70dc05a in JSC::CaseBlockNode::emitBytecodeForBlock (this=0x670860, generator=..., switchExpression=0x673770, dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2075
#12 0x00007ffff70dc3f6 in JSC::SwitchNode::emitBytecode (this=0x670878, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2106
#13 0x00007ffff70ac827 in JSC::BytecodeGenerator::emitNode (this=0x673c00, dst=0x673c58, n=0x670878)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
#14 0x00007ffff70e02d5 in JSC::SourceElements::emitBytecode (this=0x670480, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
#15 0x00007ffff70e038c in JSC::CaseClauseNode::emitBytecode (this=0x6708a0, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1942
#16 0x00007ffff70dc05a in JSC::CaseBlockNode::emitBytecodeForBlock (this=0x6708c0, generator=..., switchExpression=0x673758, dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2075
#17 0x00007ffff70dc3f6 in JSC::SwitchNode::emitBytecode (this=0x6708d8, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2106
#18 0x00007ffff70ac827 in JSC::BytecodeGenerator::emitNode (this=0x673c00, dst=0x673c58, n=0x6708d8)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
#19 0x00007ffff70e02d5 in JSC::SourceElements::emitBytecode (this=0x670418, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
#20 0x00007ffff70e038c in JSC::CaseClauseNode::emitBytecode (this=0x670900, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1942
#21 0x00007ffff70dc05a in JSC::CaseBlockNode::emitBytecodeForBlock (this=0x670920, generator=..., switchExpression=0x673740, dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2075
#22 0x00007ffff70dc3f6 in JSC::SwitchNode::emitBytecode (this=0x670938, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2106
#23 0x00007ffff70ac827 in JSC::BytecodeGenerator::emitNode (this=0x673c00, dst=0x673c58, n=0x670938)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
#24 0x00007ffff70e02d5 in JSC::SourceElements::emitBytecode (this=0x6703b0, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
#25 0x00007ffff70e038c in JSC::CaseClauseNode::emitBytecode (this=0x670960, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1942
#26 0x00007ffff70dc05a in JSC::CaseBlockNode::emitBytecodeForBlock (this=0x670980, generator=..., switchExpression=0x673728, dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2075
---Type <return> to continue, or q <return> to quit---
#27 0x00007ffff70dc3f6 in JSC::SwitchNode::emitBytecode (this=0x670998, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2106
#28 0x00007ffff70ac827 in JSC::BytecodeGenerator::emitNode (this=0x673c00, dst=0x673c58, n=0x670998)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
#29 0x00007ffff70e02d5 in JSC::SourceElements::emitBytecode (this=0x670348, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
#30 0x00007ffff70d8fb0 in JSC::BlockNode::emitBytecode (this=0x6709c0, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1523
#31 0x00007ffff70ac827 in JSC::BytecodeGenerator::emitNode (this=0x673c00, dst=0x673c58, n=0x6709c0)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
#32 0x00007ffff70e02d5 in JSC::SourceElements::emitBytecode (this=0x670330, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
#33 0x00007ffff70e03d4 in JSC::ScopeNode::emitStatementsBytecode (this=0x6722e0, generator=..., dst=0x673c58)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2206
#34 0x00007ffff70dce86 in JSC::FunctionBodyNode::emitBytecode (this=0x6722e0, generator=...)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2242
#35 0x00007ffff709d41d in JSC::BytecodeGenerator::generate (this=0x673c00)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:65
#36 0x00007ffff7094aa5 in JSC::generateFunctionCodeBlock (vm=..., executable=0x7ffff7f874e0, source=..., kind=JSC::CodeForCall,
debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:66
#37 0x00007ffff709531e in JSC::UnlinkedFunctionExecutable::codeBlockFor (this=0x7ffff7f874e0, vm=..., source=...,
specializationKind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:161
#38 0x00007ffff73d32fc in JSC::ScriptExecutable::newCodeBlockFor (this=0x7fffa9a5fe70, kind=JSC::CodeForCall, scope=0x7ffff7f2f970,
exception=@0x7fffffffcc80: 0x0) at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/runtime/Executable.cpp:211
#39 0x00007ffff73d3989 in JSC::ScriptExecutable::prepareForExecutionImpl (this=0x7fffa9a5fe70, exec=0x7fffa9ebff30, scope=0x7ffff7f2f970,
kind=JSC::CodeForCall) at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/runtime/Executable.cpp:293
#40 0x00007ffff72a934c in JSC::ScriptExecutable::prepareForExecution (this=0x7fffa9a5fe70, exec=0x7fffa9ebff30, scope=0x7ffff7f2f970,
kind=JSC::CodeForCall) at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/runtime/Executable.h:415
#41 0x00007ffff74ff7e9 in JSC::LLInt::setUpCall (execCallee=0x7fffa9ebff30, pc=0x6733b0, kind=JSC::CodeForCall, calleeAsValue=...,
callLinkInfo=0x656b30) at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1043
#42 0x00007ffff74ffc08 in JSC::LLInt::genericCall (exec=0x7fffa9ebff78, pc=0x6733b0, kind=JSC::CodeForCall)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1090
#43 0x00007ffff74fc101 in JSC::LLInt::llint_slow_path_call (exec=0x7fffa9ebff78, pc=0x6733b0)
at /home/reni2/data/REPOS/webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1096
#44 0x00007ffff7503d7f in llint_op_call () from /home/reni2/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#45 0x00007fffaa6c2920 in ?? ()
#46 0x00000000006571b8 in ?? ()
#47 0x0000000000000000 in ?? ()
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list