[Webkit-unassigned] [Bug 140879] New: Crash in JSC::DFG::prepareOSREntry

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 26 01:02:27 PST 2015 

https://bugs.webkit.org/show_bug.cgi?id=140879

            Bug ID: 140879
           Summary: Crash in JSC::DFG::prepareOSREntry
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cwhan.tunz at gmail.com

--------------------------
function g() {
function f() {
g.apply(null, ['']);
}
f().watch(a)
}
(function () {
g.apply(null, null);
})();
--------------------------

If I run this code, It crashes.

Program received signal SIGSEGV, Segmentation fault.
tJSC::DFG::prepareOSREntry (exec=exec at entry=0x7ffeb2308f68, codeBlock=codeBlock at entry=0x7ffff7f52000,
    bytecodeIndex=bytecodeIndex at entry=0) at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGOSREntry.cpp:121
121             if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
(gdb) bt
#0  JSC::DFG::prepareOSREntry (exec=exec at entry=0x7ffeb2308f68, codeBlock=codeBlock at entry=0x7ffff7f52000,
    bytecodeIndex=bytecodeIndex at entry=0) at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGOSREntry.cpp:121
#1  0x00000000006082bf in JSC::cti_optimize (args=0x7fffffffd730)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1991
#2  0x00007fffb2cbb3d6 in ?? ()
#3  0x00007ffe00000000 in ?? ()
#4  0x00007ffe00000000 in ?? ()
#5  0x00007ffff7ed1108 in ?? ()
#6  0x0000000000000000 in ?? ()
(gdb) list
116     #endif
117                     return 0;
118                 }
119                 continue;
120             }
121             if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
122     #if ENABLE(JIT_VERBOSE_OSR)
123                 dataLog("    OSR failed because variable ", local, " is ", exec->registers()[local].jsValue(), ", expected ", entry->m_expectedValues.local(local), ".\n");
124     #endif
125                 return 0;

I think it is stack overflow of JIT (DFG).

tested it on QtWebKit Ubuntu 14.04 64bit.

I found this crash with afl-fuzz.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150126/6c219cda/attachment-0002.html>

More information about the webkit-unassigned mailing list