[Webkit-unassigned] [Bug 138543] New: Assertions in JSC::StackVisitor::Frame::existingArguments() during stack unwinding

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Nov 9 06:23:17 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=138543

            Bug ID: 138543
           Summary: Assertions in
                    JSC::StackVisitor::Frame::existingArguments() during
                    stack unwinding
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: akiss at inf.u-szeged.hu
                CC: fpizlo at apple.com, mark.lam at apple.com, oliver at apple.com

When running jsc tests, exceptionFuzz/earley-boyer.js fails sporadically (experienced both on x86_64 and ARM64). The following 2 commands reproduce the assertions reliably, however:

WebKitBuild/Debug/bin/jsc --enableExceptionFuzz=true --fireExceptionFuzzAt=15006 Source/JavaScriptCore/tests/exceptionFuzz/earley-boyer.js
JSC EXCEPTION FUZZ: Throwing fuzz exception with call frame 0x7ffffe28dc00, seen in CommonSlowPaths and return address 0x11cc168.
ASSERTION FAILED: isCell()
../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h(494) : JSC::JSCell* JSC::JSValue::asCell() const
1   0x7f7dd496754c /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f7dd496754c]
2   0x42e53d WebKitBuild/Debug/bin/jsc(_ZNK3JSC7JSValue6asCellEv+0x3d) [0x42e53d]
3   0x42c4a1 WebKitBuild/Debug/bin/jsc(_ZN3JSC8asObjectENS_7JSValueE+0x18) [0x42c4a1]
4   0x7f7dd45c7d9c /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC12asActivationENS_7JSValueE+0x21) [0x7f7dd45c7d9c]
5   0x7f7dd45c7e0e /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZNK3JSC8Register18lexicalEnvironmentEv+0x20) [0x7f7dd45c7e0e]
6   0x7f7dd45c7635 /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZNK3JSC9ExecState18lexicalEnvironmentEv+0x8f) [0x7f7dd45c7635]
7   0x7f7dd45d3d6a /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC12StackVisitor5Frame17existingArgumentsEv+0xe8) [0x7f7dd45d3d6a]

WebKitBuild/Debug/bin/jsc --enableExceptionFuzz=true --fireExceptionFuzzAt=15009 Source/JavaScriptCore/tests/exceptionFuzz/earley-boyer.js
JSC EXCEPTION FUZZ: Throwing fuzz exception with call frame 0x7fff9e8dab50, seen in CommonSlowPaths and return address 0x1d959d0.
ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
../../Source/JavaScriptCore/runtime/JSCell.h(249) : To JSC::jsCast(JSC::JSValue) [with To = JSC::Arguments*]
1   0x7f662090057e /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrashWithSecurityImplication+0x1e) [0x7f662090057e]
2   0x7f662056d918 /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC6jsCastIPNS_9ArgumentsEEET_NS_7JSValueE+0x6a) [0x7f662056d918]
3   0x7f662056cd84 /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC12StackVisitor5Frame17existingArgumentsEv+0x102) [0x7f662056cd84]

It turns out that ExceptionFuzz fires in a function containing an op_create_lexical_environment followed by an op_create_arguments, when either the lexicalEnvironment or the unmodifiedArgumentsRegister in the lexicalEnvironment is not set up yet. The function that ExceptionFuzz is firing at is:

BgL_nboyerzd2benchmarkzd2#CMhDdb:[0x1e8e610->0x7f50e98bad70, %sNoneFunctionCall, 223]: 223 m_instructions; 1784 bytes; 1 parameter(s); 24 callee register(s); 7 variable(s); 3 captured var(s) (from r-3 to r-5, inclusive); uses arguments, in r-4, r-3; lexical environment in r-1
[   0] enter             
[   1] get_scope         arg-3
[   3] create_lexical_environment loc0
[   5] init_lazy_reg     loc3
[   7] init_lazy_reg     loc2
[   9] create_arguments  loc3
[  11] put_to_scope      loc0, arguments(@id0), loc3, 3<ThrowIfNotFound|LocalClosureVar>, <structure>, -4
[  18] put_to_scope      loc0, arguments(@id0), loc2, 3<ThrowIfNotFound|LocalClosureVar>, <structure>, -3

And the lines in existingArguments() causing the assertions are:

    if (codeBlock()->needsActivation())
        return jsCast<Arguments*>(callFrame()->lexicalEnvironment()->registerAt(unmodifiedArgumentsRegister(reg).offset()).get());

If an exception is raised in op_enter or in op_get_scope then, although codeBlock()->needsActivation() is true, callFrame()->lexicalEnvironment() fails since the environment is undefined. If an exception is raised before the first put_to_scope then jsCast<Arguments*> fails since the unmodifiedArgumentsRegister of the lexicalEnvironment is undefined.

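The ordering problem described above, as an added standalone model that is not JavaScriptCore code and not the reporter's: the bytecode offsets are the ones in the dump, but the Value/Cell/Frame types, the register and slot numbers, the `fireAt` driver and the hardened `existingArgumentsChecked` variant are hypothetical illustrations. The unchecked variant has the same shape as the two lines quoted from existingArguments() and reports which of the two assertions a debug build would hit for a given fire point; the second trace on the page aborts through WTFCrashWithSecurityImplication, which is why the hardened variant returns "no arguments object yet" instead of casting an undefined register.

```cpp
// Standalone model, added here for illustration; this is not JavaScriptCore
// code. Types, register numbers and helper names are hypothetical; the bytecode
// offsets are the ones in the dump of BgL_nboyerzd2benchmarkzd2.
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <deque>
#include <vector>

enum class Kind { Environment, Arguments };
struct Cell;

// Tagged value: "undefined" until the op that initializes its register runs.
struct Value {
    Cell* cell = nullptr;
    bool isCell() const { return cell != nullptr; }
};

struct Cell {
    Kind kind;
    std::vector<Value> registers;  // an environment's captured-variable slots
};

// Which of the two assertions on the page a debug build would hit; a build
// without the assertions would dereference whatever the register holds.
enum class Outcome { Ok, EnvironmentNotACell, SlotNotArguments };

struct Frame {
    std::vector<Value> regs;      // loc0..loc3 from the dump
    size_t envReg = 0;            // create_lexical_environment writes loc0
    size_t capturedArgsSlot = 0;  // environment slot the first put_to_scope fills
    bool needsActivation = true;  // codeBlock()->needsActivation() for this function
};

// Same shape as the two lines quoted from existingArguments(): trusts
// needsActivation() and casts without asking whether the creating ops have run.
Outcome existingArgumentsUnchecked(const Frame& f) {
    if (!f.needsActivation) return Outcome::Ok;
    Value env = f.regs[f.envReg];
    if (!env.isCell()) return Outcome::EnvironmentNotACell;   // "ASSERTION FAILED: isCell()"
    Value slot = env.cell->registers[f.capturedArgsSlot];
    if (!slot.isCell() || slot.cell->kind != Kind::Arguments)
        return Outcome::SlotNotArguments;                      // jsCast<Arguments*> assertion
    return Outcome::Ok;
}

// One possible hardening (an assumption, not a WebKit fix): report "no arguments
// object yet" instead of casting an undefined register.
Cell* existingArgumentsChecked(const Frame& f) {
    if (!f.needsActivation) return nullptr;
    Value env = f.regs[f.envReg];
    if (!env.isCell() || env.cell->kind != Kind::Environment) return nullptr;
    Value slot = env.cell->registers[f.capturedArgsSlot];
    if (!slot.isCell() || slot.cell->kind != Kind::Arguments) return nullptr;
    return slot.cell;
}

enum class Op { Enter, GetScope, CreateLexicalEnvironment, InitLazyReg, CreateArguments, PutToScope };
struct Instr { size_t pc; Op op; };
// Prologue as dumped on the page, with its bytecode offsets.
static const Instr kPrologue[] = {
    {0, Op::Enter}, {1, Op::GetScope}, {3, Op::CreateLexicalEnvironment},
    {5, Op::InitLazyReg}, {7, Op::InitLazyReg}, {9, Op::CreateArguments},
    {11, Op::PutToScope}, {18, Op::PutToScope},
};

struct Result { Outcome unchecked; bool checkedFound; };

// Run the prologue until the fuzzer "fires" at firePc (ops with pc < firePc
// have executed), then query the frame the way the unwinder would.
Result fireAt(size_t firePc) {
    std::deque<Cell> heap;   // stable addresses for the cells allocated below
    Frame f;
    f.regs.assign(4, Value{});
    for (const Instr& i : kPrologue) {
        if (i.pc >= firePc) break;
        switch (i.op) {
        case Op::CreateLexicalEnvironment:
            heap.push_back(Cell{Kind::Environment, std::vector<Value>(3)});  // 3 captured vars
            f.regs[0].cell = &heap.back();
            break;
        case Op::CreateArguments:
            heap.push_back(Cell{Kind::Arguments, {}});
            f.regs[3].cell = &heap.back();
            break;
        case Op::PutToScope:
            // [11] copies loc3 (the arguments object) to slot 0, [18] copies loc2 to slot 1
            f.regs[0].cell->registers[i.pc == 11 ? 0 : 1] = f.regs[i.pc == 11 ? 3 : 2];
            break;
        default:
            break;  // enter, get_scope, init_lazy_reg leave the modelled registers undefined
        }
    }
    return Result{existingArgumentsUnchecked(f), existingArgumentsChecked(f) != nullptr};
}

int main() {
    const size_t pcs[] = {0, 1, 3, 5, 9, 11, 18, 25};
    for (size_t pc : pcs) {
        Result r = fireAt(pc);
        std::printf("fire at [%2zu]: unchecked=%d checked_found=%d\n",
                    pc, static_cast<int>(r.unchecked), r.checkedFound ? 1 : 0);
    }
    return 0;
}
```

Firing at [0] or [1] reproduces the first trace (the environment register is still undefined, so the isCell() assertion fires); firing anywhere from [3] up to and including [11] reproduces the second (the environment exists but its captured slot has not been written, so the jsCast<Arguments*> assertion fires); only once [11] has executed does the lookup succeed.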