[Webkit-unassigned] [Bug 141028] New: Crash in JSC::DFG::StackLayoutPhase::run

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 29 01:38:12 PST 2015 

https://bugs.webkit.org/show_bug.cgi?id=141028

            Bug ID: 141028
           Summary: Crash in JSC::DFG::StackLayoutPhase::run
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cwhan.tunz at gmail.com

---
function f(arguments) {
arguments;
f.apply(null, ['']);
}
f()
---

This code crash. (also in safari)

I think 'arguments' is problem.
it may think 'arguments' as the origin 'arguments' object.

I found it with afl-fuzz.

ASSERTION FAILED: usesArguments()

(gdb) bt
#0  0x00007ffff73d9399 in WTFCrash () at /development/tunz/javascript/webkit/Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff6d249fd in JSC::CodeBlock::argumentsRegister (this=0x7ffff7fbcb40)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/bytecode/CodeBlock.h:344
#2  0x00007ffff6e27d75 in JSC::DFG::Graph::argumentsRegisterFor (this=0x7ffffffef2e0, inlineCallFrame=0x7ffff7f9b5f0)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGGraph.h:415
#3  0x00007ffff6ff9880 in JSC::DFG::StackLayoutPhase::run (this=0x7ffffffeed50)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:112
#4  0x00007ffff6ffa8a2 in JSC::DFG::runAndLog<JSC::DFG::StackLayoutPhase> (phase=...)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGPhase.h:77
#5  0x00007ffff6ffa742 in JSC::DFG::runPhase<JSC::DFG::StackLayoutPhase> (graph=...)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGPhase.h:87
#6  0x00007ffff6ff8d66 in JSC::DFG::performStackLayout (graph=...)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:272
#7  0x00007ffff6f4ee5b in JSC::DFG::Plan::compileInThreadImpl (this=0x7ffff7fbc6c0, longLivedState=...)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGPlan.cpp:295
#8  0x00007ffff6f4e652 in JSC::DFG::Plan::compileInThread (this=0x7ffff7fbc6c0, longLivedState=..., threadData=0x0)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGPlan.cpp:164
#9  0x00007ffff6e9dcb2 in JSC::DFG::compileImpl (vm=..., codeBlock=0x7ffff7fbc900, profiledDFGCodeBlock=0x0,
    mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., callback=...)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:111
#10 0x00007ffff6e9ddce in JSC::DFG::compile (vm=..., codeBlock=0x7ffff7fbc900, profiledDFGCodeBlock=0x0,
    mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=...)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:131
#11 0x00007ffff70eb83e in JSC::operationOptimize (exec=0x7ffffffefc90, bytecodeIndex=0)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/jit/JITOperations.cpp:1196

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150129/65d8a397/attachment-0002.html>

More information about the webkit-unassigned mailing list