[Webkit-unassigned] [Bug 138543] Assertions in JSC::StackVisitor::Frame::existingArguments() during stack unwinding

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 10 16:05:58 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=138543

Geoffrey Garen <ggaren at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #241252|review?, commit-queue?      |review-, commit-queue-
              Flags|                            |

--- Comment #7 from Geoffrey Garen <ggaren at apple.com> ---
Comment on attachment 241252
  --> https://bugs.webkit.org/attachment.cgi?id=241252
Proposed patch.

It feels a bit awkward to program defensively like this just to make the fuzzer happy. Programming like this means that we can't tell the difference between "Something is seriously wrong because the activation object is missing" and "I'm just fuzzing".

Ideally, we would teach the fuzzer not to throw in cases that otherwise couldn't -- for example, in the LLInt, by passing an argument to END() that said "ASSERT there is no exception, and do not fuzz for exceptions".

I guess this patch is an improvement for now, so it's worth doing. Note, though, that you missed a spot: Oliver removed the original work-around for fuzzing, probably because he wasn't aware of this special fuzzing behavior.

You should update your comments to specify that we do this only for fuzzing, and also add back the code that Oliver removed in <http://trac.webkit.org/changeset/174226>:

Index: /trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp
===================================================================
--- /trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp    (revision 174225)
+++ /trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp    (revision 174226)
@@ -440,6 +440,4 @@
     CallFrame* callFrame = visitor->callFrame();
     CodeBlock* codeBlock = visitor->codeBlock();
-    JSScope* scope = callFrame->scope();
-
     if (Debugger* debugger = callFrame->vmEntryGlobalObject()->debugger()) {
         ClearExceptionScope scope(&callFrame->vm());
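Review bot: the removed `JSScope* scope = callFrame->scope();` is the variable the second hunk's `scope->vm()` depended on, and the `ClearExceptionScope scope(&callFrame->vm());` on the next context line shadows the same name inside the debugger block. If the declaration is restored along with the tear-off code, either rename it or drop it and have the tear-off use `callFrame->vm()`, which this hunk shows is already available, to avoid the shadowing.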
@@ -456,13 +454,4 @@
         RELEASE_ASSERT(!visitor->isInlinedFrame());
 #endif
-        lexicalEnvironment = callFrame->uncheckedActivation();
-        // Protect against the lexical environment not being created, or the variable still being
-        // initialized to Undefined inside op_enter.
-        if (lexicalEnvironment && lexicalEnvironment.isCell()) {
-            JSLexicalEnvironment* activationObject = jsCast<JSLexicalEnvironment*>(lexicalEnvironment);
-            // Protect against throwing exceptions after tear-off.
-            if (!activationObject->isTornOff())
-                activationObject->tearOff(*scope->vm());
-        }
     }
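Review bot: restoring this block needs more than the lines shown, since `lexicalEnvironment` is assigned here but declared outside the hunk, and `scope` was removed in the first hunk; `activationObject->tearOff(*scope->vm())` can take `callFrame->vm()` instead. Keep both guards when restoring: the `lexicalEnvironment && lexicalEnvironment.isCell()` check covers the activation still being Undefined inside op_enter (the case the comment above ties to fuzzing-induced throws), and `!activationObject->isTornOff()` prevents a second tear-off; also update the comment to say the missing-activation case is tolerated only for fuzzing, as requested above.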
