[Webkit-unassigned] [Bug 131682] New: Reproducible crash in JavaScriptCore: JSObjectMakeArray()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 15 11:23:21 PDT 2014


           Summary: Reproducible crash in JavaScriptCore:
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
        OS/Version: Mac OS X 10.9
            Status: NEW
          Severity: Critical
          Priority: P1
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: AlexanderMeissner at gmx.net

Reproducible crash in JavaScriptCore:
JS_EXPORT JSObjectRef JSObjectMakeArray(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) CF_AVAILABLE(10_6, 7_0);

The attached source code crashes every time the same way.
No JS exception is thrown and there are several ways to manipulate when it crashes, but it always crashes in JSObjectMakeArray().
I'm not sure if I'm doing something fundamentally wrong or if it really is a bug in JavaScriptCore itself.
The circumstances which are needed to reproduce the crash are very odd and I randomly came across this bug by implementing a linear algebra JS interface for a separate project.

Call stack:
#0    0x00000001018d7057 in JSC::StructureIDTable::get(unsigned int) [inlined] at WebKit/Source/JavaScriptCore/runtime/StructureIDTable.h:86
#1    0x00000001018d7050 in JSC::JSCell::structure(JSC::VM&) const [inlined] at WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:104
#2    0x00000001018d7050 in JSC::JSCell::methodTable() const [inlined] at WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:191
#3    0x00000001018d7036 in toJS(JSC::ExecState*, OpaqueJSValue const*) [inlined] at WebKit/Source/JavaScriptCore/API/APICast.h:81
#4    0x00000001018d702e in JSObjectMakeArray at WebKit/Source/JavaScriptCore/API/JSObjectRef.cpp:178

Tested r167020: One built by myself and also the JavaScriptCore.framework of the WebKit nightly
MacBook Pro Retina, Mid 2012, 64-Bit, MacOS 10.8.5 and another one (identical hardware) but with MacOS 10.9

All of the following ways stop the test from crashing or change the iteration it crashes:

1. context = JSGlobalContextCreate(NULL); //instead of JSClassCreate(&kJSClassDefinitionEmpty)

2. not adding the property "test" to the contexts global object

3. using stack memory instead of heap for the valueArray passed to JSObjectMakeArray() like:
JSValueRef valueArray[4];
JSValueRef* valueArray = (JSValueRef*)alloca(sizeof(JSValueRef)*4);

4. adding a number of properties other than 3 or 4 to the vector instances
0 properties: All Iterations
1 property: All Iterations
2 properties: All Iterations
3 properties: 326 Iterations
4 properties: 285 Iterations
5 properties: All Iterations
6 properties: All Iterations

5. Not passing a JSClassRef to:
JSObjectRef instance = JSObjectMake(context, NULL, NULL);

6. Creating fewer than 4 instances of the vector class in one iteration:
0 to 3 instances per iteration: All Iterations
4 instances per iteration: 326 Iterations
5 instances per iteration: 575 Iterations
6 instances per iteration: 217 Iterations
7 instances per iteration: 186 Iterations
8 instances per iteration: 163 Iterations

7. Adjusting the argumentCount parameter of JSObjectMakeArray() to the actual count of instances per iteration changes the behavior too

But not a single one of them is a workaround, as I need the complete functionality of JavaScriptCore.
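The call stack above shows toJS() dereferencing one of the JSValueRef entries handed to JSObjectMakeArray(), and the report notes that both the backing memory of the argument array (heap vs. stack) and the argumentCount parameter change the behavior. A check that helps narrow such a report down is to guarantee that every slot passed to the API is initialized and that the declared count matches the number of handles actually stored. The following is an added example of that check, not the reporter's attachment and not JavaScriptCore code; it declares a stand-in for the opaque JSValueRef type (assumption: the real header declares it as a pointer to an opaque struct) so that it compiles without the framework, and the function names are made up for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Stand-in for the JavaScriptCore handle type. The real JavaScript.h declares
 * JSValueRef as a pointer to an opaque struct; declaring it here (assumption)
 * lets this check compile and run without the framework. */
struct OpaqueJSValue;
typedef const struct OpaqueJSValue *JSValueRef;

/* Allocate an argument array whose unused slots are guaranteed to be NULL.
 * calloc() is used deliberately: a malloc()ed array carries whatever the heap
 * held before, so an unfilled slot looks like a valid handle until the API
 * dereferences it. Returns NULL on overflow or allocation failure. */
JSValueRef *alloc_arg_array(size_t capacity) {
    if (capacity == 0 || capacity > SIZE_MAX / sizeof(JSValueRef)) return NULL;
    return calloc(capacity, sizeof(JSValueRef));
}

/* Count the leading non-NULL slots of an argument array, stopping at the
 * first NULL or at declared_count, whichever comes first. */
size_t count_filled_args(const JSValueRef args[], size_t declared_count) {
    size_t n = 0;
    if (args == NULL) return 0;
    while (n < declared_count && args[n] != NULL) n++;
    return n;
}

/* Returns 1 when every one of declared_count slots holds a handle, i.e. when
 * it is safe to pass (args, declared_count) to an API that will dereference
 * each entry; 0 when the declared count exceeds what was actually stored. */
int args_are_safe(const JSValueRef args[], size_t declared_count) {
    return args != NULL && count_filled_args(args, declared_count) == declared_count;
}

int main(void) {
    /* Constructed scenario: room for 4 handles, only 3 instances created. */
    static int dummy[3];                  /* stand-ins for real JS objects */
    JSValueRef *args = alloc_arg_array(4);
    if (args == NULL) return 1;
    for (size_t i = 0; i < 3; i++) args[i] = (JSValueRef)&dummy[i];

    printf("filled=%zu safe(4)=%d safe(3)=%d\n",
           count_filled_args(args, 4),
           args_are_safe(args, 4),      /* 0: slot 3 was never populated */
           args_are_safe(args, 3));     /* 1: count matches stored handles */
    free(args);
    return 0;
}
```

Wrapping the real JSObjectMakeArray() call in `if (args_are_safe(args, count))` turns a silent wild-pointer dereference inside toJS() into a reproducible assertion in the caller, which makes it much easier to tell an API misuse from a bug in the engine when writing a report like this one.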
