[Webkit-unassigned] [Bug 141246] New: Crash in JSC::DFG::StackLayoutPhase::run

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Feb 4 07:20:11 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=141246

            Bug ID: 141246
           Summary: Crash in JSC::DFG::StackLayoutPhase::run
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rhodovan.u-szeged at partner.samsung.com
                CC: ggaren at apple.com, msaboff at apple.com, oliver at apple.com
            Blocks: 116980

Created attachment 246031
  --> https://bugs.webkit.org/attachment.cgi?id=246031&action=review
Test case

Run the following test in release or debug JSC:

function fuzz(arguments) {
    fuzz(arguments);
}
fuzz(2);


At first sight it looks like a stack overflow, but according to the backtraces it might be a different issue.

Running the test in debug JSC results in an assertion failure with the following trace:

ASSERTION FAILED: usesArguments()
../../Source/JavaScriptCore/bytecode/CodeBlock.h(338) : JSC::VirtualRegister JSC::CodeBlock::argumentsRegister() const

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73e0095 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff73e0095 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff6cf54a9 in JSC::CodeBlock::argumentsRegister (this=0x7fffb0649a00) at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:338
#2  0x00007ffff6dfd079 in JSC::DFG::Graph::argumentsRegisterFor (this=0x7fffffff2410, inlineCallFrame=0x7ffff7f92730)
    at ../../Source/JavaScriptCore/dfg/DFGGraph.h:415
#3  0x00007ffff6fdf182 in JSC::DFG::StackLayoutPhase::run (this=0x7fffffff1e80) at ../../Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:112
#4  0x00007ffff6fe0250 in JSC::DFG::runAndLog<JSC::DFG::StackLayoutPhase> (phase=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:77
#5  0x00007ffff6fe00ee in JSC::DFG::runPhase<JSC::DFG::StackLayoutPhase> (graph=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:87
#6  0x00007ffff6fde654 in JSC::DFG::performStackLayout (graph=...) at ../../Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:272
#7  0x00007ffff6f2fa8c in JSC::DFG::Plan::compileInThreadImpl (this=0x7ffff7fbdd80, longLivedState=...)
    at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:296
#8  0x00007ffff6f2f25c in JSC::DFG::Plan::compileInThread (this=0x7ffff7fbdd80, longLivedState=..., threadData=0x0)
    at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:164
#9  0x00007ffff6e7a25d in JSC::DFG::compileImpl (vm=..., codeBlock=0x7fffb0649780, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, 
    osrEntryBytecodeIndex=0, mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108
#10 0x00007ffff6e7a398 in JSC::DFG::compile (vm=..., codeBlock=0x7fffb0649780, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, 
    osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:128
#11 0x00007ffff70d75cd in JSC::operationOptimize (exec=0x7fffffff2eb0, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1158
#12 0x00007fffb1662bc5 in ?? ()
#13 0x0000000000000000 in ?? ()



The backtrace of the release crash:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78f4bde in JSC::DFG::StackLayoutPhase::run() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
(gdb) bt
#0  0x00007ffff78f4bde in JSC::DFG::StackLayoutPhase::run() ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007ffff78f4692 in JSC::DFG::performStackLayout(JSC::DFG::Graph&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007ffff78891eb in JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#3  0x00007ffff78894b6 in JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#4  0x00007ffff78154ac in JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#5  0x00007ffff79a9e27 in operationOptimize () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#6  0x00007fffb2c25b4c in ?? ()
#7  0x0000000000000000 in ?? ()

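As an added example (not part of the report and not WebKit's own test suite), a small JavaScript check of what a conforming engine should do with the reporter's pattern: the debug trace shows `usesArguments()` failing inside `argumentsRegister()` during `StackLayoutPhase::run`, i.e. the DFG asked for an arguments register on a function whose `arguments` identifier is actually a parameter. The harness below asserts the three behaviours a correct engine must show; the helper `sloppyEval` and the function names are assumptions.

```javascript
// Added example, not part of the bug report: a conformance check for the
// reporter's pattern, a parameter literally named `arguments` that shadows the
// implicit arguments object. A correct engine must treat the identifier as the
// parameter in sloppy mode, reject it in strict mode, and turn the unbounded
// recursion into a catchable RangeError rather than a native crash.
const sloppyEval = (0, eval); // indirect eval: always sloppy-mode global code

// Sloppy mode: `arguments` resolves to the parameter, so the value passes through.
function shadowedArgumentsValue(x) {
  const f = sloppyEval("(function (arguments) { return arguments; })");
  return f(x);
}

// Strict mode: naming a parameter `arguments` is an early SyntaxError.
function strictShadowIsSyntaxError() {
  try {
    sloppyEval("(function (arguments) { 'use strict'; return arguments; })");
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// The reporter's repro, wrapped so its outcome can be checked: unbounded
// recursion with the shadowed parameter must end in a RangeError (stack
// overflow), never in a SIGSEGV like the one in the report.
function recursiveShadowOutcome() {
  const fuzz = sloppyEval("(function fuzz(arguments) { fuzz(arguments); })");
  try {
    fuzz(2);
    return "returned";
  } catch (e) {
    return e instanceof RangeError ? "RangeError" : "other";
  }
}

console.log(shadowedArgumentsValue(2), strictShadowIsSyntaxError(), recursiveShadowOutcome());
```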