[Webkit-unassigned] [Bug 124886] New: Crash in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
bugzilla-daemon at webkit.org
Tue Nov 26 04:16:25 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=124886
Summary: Crash in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: reni at webkit.org
Blocks: 116980
Created an attachment (id=217872)
--> (https://bugs.webkit.org/attachment.cgi?id=217872&action=review)
Test case
The following short expression makes release WebKit crash and causes an assertion failure in the debug version:
1 % +;
====================================
Release backtrace:
1 0x684a5d
2 0x6875f4
3 0x689030
4 0x68b036
5 0x68f43f
6 0x6e7655
7 0x6eaaf0
8 0x452a37
9 0x43ed98
10 0x5bddc0
11 0x43609e
12 0x40c599 jscmain(int, char**)
13 0x40651b main
14 0x7ffff5aef76d __libc_start_main
15 0x406591
Program received signal SIGSEGV, Segmentation fault.
0x0000000000821e49 in WTFCrash ()
(gdb) bt
#0 0x0000000000821e49 in WTFCrash ()
#1 0x0000000000684a5d in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) ()
#2 0x00000000006875f4 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) ()
#3 0x0000000000689030 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::ASTBuilder>(JSC::ASTBuilder&) ()
#4 0x000000000068b036 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) ()
#5 0x000000000068f43f in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner() ()
#6 0x00000000006e7655 in WTF::PassRefPtr<JSC::ProgramNode> JSC::parse<JSC::ProgramNode>(JSC::VM*, JSC::SourceCode const&, JSC::FunctionParameters*, JSC::Identifier const&, JSC::JSParserStrictness, JSC::JSParserMode, JSC::ParserError&, JSC::JSTextPosition*) [clone .constprop.127] ()
#7 0x00000000006eaaf0 in JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&) ()
#8 0x0000000000452a37 in JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**) ()
#9 0x000000000043ed98 in JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*) ()
#10 0x00000000005bddc0 in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) ()
#11 0x000000000043609e in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) ()
#12 0x000000000040c599 in jscmain(int, char**) ()
#13 0x000000000040651b in main ()
====================================
Debug backtrace:
SHOULD NEVER BE REACHED
/home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp(2163) : const char* JSC::operatorString(bool, unsigned int)
1 0x7ffff7508504 WTFCrash
2 0x7ffff73088a3
3 0x7ffff734f45d JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
4 0x7ffff734b96b JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
5 0x7ffff734399d JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
6 0x7ffff7339887 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
7 0x7ffff732e679 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
8 0x7ffff73259fd JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::ASTBuilder>(JSC::ASTBuilder&)
9 0x7ffff731dfb9 JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*)
10 0x7ffff731b450 JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<(JSC::SourceElementsMode)0, JSC::ASTBuilder>(JSC::ASTBuilder&)
11 0x7ffff7315019 JSC::Parser<JSC::Lexer<unsigned char> >::parseInner()
12 0x7ffff702d35f WTF::PassRefPtr<JSC::ProgramNode> JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&)
13 0x7ffff702cf69 WTF::PassRefPtr<JSC::ProgramNode> JSC::parse<JSC::ProgramNode>(JSC::VM*, JSC::SourceCode const&, JSC::FunctionParameters*, JSC::Identifier const&, JSC::JSParserStrictness, JSC::JSParserMode, JSC::ParserError&, JSC::JSTextPosition*)
14 0x7ffff73bc20a JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&)
15 0x7ffff73ba873 JSC::CodeCache::getProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&)
16 0x7ffff7401ebd JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**)
17 0x7ffff73d4065 JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*)
18 0x7ffff72a0386 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
19 0x7ffff73c7324 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
20 0x4163a0
21 0x41716f jscmain(int, char**)
22 0x41618c main
23 0x7ffff5b8d76d __libc_start_main
24 0x414c99
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7508509 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341
341 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff7508509 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341
#1 0x00007ffff73088a3 in JSC::operatorString (prefix=true, tok=39250) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:2163
#2 0x00007ffff734f45d in JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:2208
#3 0x00007ffff734b96b in JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1639
#4 0x00007ffff734399d in JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1599
#5 0x00007ffff7339887 in JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1533
#6 0x00007ffff732e679 in JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1496
#7 0x00007ffff73259fd in JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1401
#8 0x00007ffff731dfb9 in JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...,
directive=@0x7fffffffa498: 0x0, directiveLiteralLength=0x7fffffffa4b4) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1135
#9 0x00007ffff731b450 in JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<(JSC::SourceElementsMode)0, JSC::ASTBuilder> (this=0x7fffffffadc0,
context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:300
#10 0x00007ffff7315019 in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner (this=0x7fffffffadc0)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:247
#11 0x00007ffff702d35f in JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode> (this=0x7fffffffadc0, error=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:887
#12 0x00007ffff702cf69 in JSC::parse<JSC::ProgramNode> (vm=0x6464e0, source=..., parameters=0x0, name=..., strictness=JSC::JSParseNormal,
parserMode=JSC::JSParseProgramCode, error=..., positionBeforeLastNewline=0x0)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:957
#13 0x00007ffff73bc20a in JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable> (this=0x657340, vm=...,
executable=0x7fffa992fef0, source=..., strictness=JSC::JSParseNormal, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CodeCache.cpp:95
#14 0x00007ffff73ba873 in JSC::CodeCache::getProgramCodeBlock (this=0x657340, vm=..., executable=0x7fffa992fef0, source=..., strictness=JSC::JSParseNormal,
debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CodeCache.cpp:129
#15 0x00007ffff7401ebd in JSC::JSGlobalObject::createProgramCodeBlock (this=0x7fffa99ff970, callFrame=0x7fffa99ff9b0, executable=0x7fffa992fef0,
exception=0x7fffffffc660) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:731
#16 0x00007ffff73d4065 in JSC::ProgramExecutable::initializeGlobalProperties (this=0x7fffa992fef0, vm=..., callFrame=0x7fffa99ff9b0, scope=0x7fffa99ff970)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:463
#17 0x00007ffff72a0386 in JSC::Interpreter::execute (this=0x6573d0, program=0x7fffa992fef0, callFrame=0x7fffa99ff9b0, thisObj=0x7fffa98cfeb0)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:850
#18 0x00007ffff73c7324 in JSC::evaluate (exec=0x7fffa99ff9b0, source=..., thisValue=..., returnedException=0x7fffffffdbb0)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#19 0x00000000004163a0 in runWithScripts (globalObject=0x7fffa99ff970, scripts=..., dump=false)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:646
#20 0x000000000041716f in jscmain (argc=2, argv=0x7fffffffde58) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:863
#21 0x000000000041618c in main (argc=2, argv=0x7fffffffde58) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:604
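The debug backtrace shows the crash sitting in the parser's error-reporting path: parseUnaryExpression calls operatorString with a token (tok=39250) that the function has no case for, so a malformed statement that should have produced a SyntaxError reaches a "SHOULD NEVER BE REACHED" assertion and, in a release build, takes the process down. The C++ below is an added illustration of that failure pattern and its fix, not JavaScriptCore's code: a toy recursive-descent parser for statements of the shape `number % unary ;`, with an operator-naming helper that asserts on non-operator tokens beside a hardened one that is total over the token set. The token names, the `Parser` class, `unreachable()` and `outcome()` are assumptions of this example; the input `1 % +;` is the test case from this report.

```cpp
// Added example modelling the report's failure mode; not JSC code.
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

enum class Tok { Number, Percent, Plus, Semicolon, End, Unknown };
struct Token { Tok type; std::string text; };

// Minimal lexer for the toy grammar (digits, '%', '+', ';', spaces).
static std::vector<Token> lex(const std::string& src) {
    std::vector<Token> out;
    for (size_t i = 0; i < src.size();) {
        char c = src[i];
        if (c == ' ') { ++i; continue; }
        if (c >= '0' && c <= '9') {
            size_t j = i;
            while (j < src.size() && src[j] >= '0' && src[j] <= '9') ++j;
            out.push_back({Tok::Number, src.substr(i, j - i)});
            i = j;
            continue;
        }
        Tok t = c == '%' ? Tok::Percent : c == '+' ? Tok::Plus
              : c == ';' ? Tok::Semicolon : Tok::Unknown;
        out.push_back({t, std::string(1, c)});
        ++i;
    }
    out.push_back({Tok::End, ""});
    return out;
}

// Stands in for a release-mode "should never be reached" assertion. A real
// engine terminates the process here; we throw so the outcome can be observed.
[[noreturn]] static void unreachable(const char* where) {
    throw std::logic_error(std::string("SHOULD NEVER BE REACHED in ") + where);
}

// Buggy helper (hypothetical): only knows operator tokens, so asking it to
// name ';' or a number while building an error message is fatal.
static const char* operatorNameOrCrash(Tok t) {
    switch (t) {
    case Tok::Plus: return "+";
    case Tok::Percent: return "%";
    default: unreachable("operatorNameOrCrash");
    }
}

// Hardened helper: total over the token set, so the error path cannot crash.
static const char* operatorNameSafe(Tok t) {
    switch (t) {
    case Tok::Plus: return "+";
    case Tok::Percent: return "%";
    case Tok::Semicolon: return ";";
    case Tok::Number: return "number";
    case Tok::End: return "end of input";
    case Tok::Unknown: return "unknown token";
    }
    return "?";
}

struct ParseResult { bool ok; std::string error; };

class Parser {
    struct SyntaxError : std::runtime_error { using std::runtime_error::runtime_error; };
    std::vector<Token> toks_;
    size_t pos_ = 0;
    bool hardened_;
    const Token& cur() const { return toks_[pos_]; }
    void advance() { if (cur().type != Tok::End) ++pos_; }
    void expect(Tok t) {
        if (cur().type != t) throw SyntaxError("Unexpected token '" + cur().text + "'");
        advance();
    }
    // binary := unary ('%' unary)*
    void parseBinary() {
        parseUnary();
        while (cur().type == Tok::Percent) { advance(); parseUnary(); }
    }
    // unary := '+'* number   (the only prefix operator in this toy grammar)
    void parseUnary() {
        while (cur().type == Tok::Plus) advance();
        if (cur().type == Tok::Number) { advance(); return; }
        // Error path: name the token that ended the subexpression. With the
        // buggy helper this is where a syntax error turns into a crash.
        const char* name = hardened_ ? operatorNameSafe(cur().type)
                                     : operatorNameOrCrash(cur().type);
        throw SyntaxError(std::string("Cannot parse subexpression before '") + name + "'");
    }
public:
    Parser(const std::string& src, bool hardened) : toks_(lex(src)), hardened_(hardened) {}
    ParseResult parseStatement() {
        try { parseBinary(); expect(Tok::Semicolon); return {true, ""}; }
        catch (const SyntaxError& e) { return {false, e.what()}; }
    }
};

// 0 = parsed, 1 = SyntaxError reported cleanly, 2 = "unreachable" assertion hit.
int outcome(const std::string& src, bool hardened) {
    try { return Parser(src, hardened).parseStatement().ok ? 0 : 1; }
    catch (const std::logic_error&) { return 2; }
}

int main() {
    const char* inputs[] = {"1 % +2;", "1 % +;"};  // second is the report's test case
    for (const char* in : inputs)
        std::printf("%-10s buggy=%d hardened=%d\n", in, outcome(in, false), outcome(in, true));
    return 0;
}
```

The defender's takeaway is the shape of the fix rather than this particular grammar: any helper invoked while formatting a diagnostic must accept every token the caller can hand it, because the error path is exactly where fuzzed or malicious input ends up, and an assertion there converts a recoverable SyntaxError into a denial of service.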