No subject
Tue Jan 27 15:54:36 PST 2015
1118 for (int i = 0; i < numFunctions; ++i) {
1119 FunctionExecutable* function = codeBlock->functionDecl(i);
...
...
1122 }
The crash happens on line 1119. After some short debugging it seems that at the moment of the crash the index of the loop is 0 and the value of |numFunctions| is 1. However, since |codeBlock| doesn't contain any function declarations at this point, we crash. One more note that could be important: the crash happens around the 4096th eval execution.
Date: Thu, 12 Mar 2015 08:56:54 -0700
<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Crash in JSC::Interpreter::execute"
href="https://bugs.webkit.org/show_bug.cgi?id=142625">142625</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Crash in JSC::Interpreter::execute
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>528+ (Nightly build)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>rhodovan.u-szeged@partner.samsung.com
</td>
</tr>
<tr>
<th>CC</th>
<td>fpizlo@apple.com, ggaren@apple.com, msaboff@apple.com, oliver@apple.com
</td>
</tr>
<tr>
<th>Blocks</th>
<td>116980
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=248519" name="attach_248519" title="Test case">attachment 248519</a> <a href="attachment.cgi?id=248519&action=edit" title="Test case">[details]</a></span>
Test case
If you load this with TotT JSC (on Ubuntu 14.04, x86_64):
do
    eval("function fuzz() {}"); // deliberate infinite loop: re-evaluates the same declaration each iteration
while (true);
then you will get a crash with the following backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73de2d9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff73de2d9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1 0x00000000004280fa in WTF::CrashOnOverflow::overflowed () at ../../Source/WTF/wtf/CheckedArithmetic.h:78
#2 0x00007ffff6ce7899 in WTF::Vector<JSC::WriteBarrier<JSC::FunctionExecutable>, 0ul, WTF::CrashOnOverflow>::at (this=0x7fffef7f06d0, i=0)
at ../../Source/WTF/wtf/Vector.h:659
#3 0x00007ffff6cdf303 in WTF::Vector<JSC::WriteBarrier<JSC::FunctionExecutable>, 0ul, WTF::CrashOnOverflow>::operator[] (this=0x7fffef7f06d0, i=0)
at ../../Source/WTF/wtf/Vector.h:679
#4 0x00007ffff6dd1ba8 in JSC::CodeBlock::functionDecl (this=0x7fffef7f04d0, index=0) at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:657
#5 0x00007ffff709b0ee in JSC::Interpreter::execute (this=0x7fffefff6000, eval=0x7fffee16fb70, callFrame=0x7fffffffcac0, thisValue=...,
scope=0x7fffee0af970) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1119
#6 0x00007ffff7096ca1 in JSC::eval (callFrame=0x7fffffffcac0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:134
#7 0x00007ffff70ce0a9 in JSC::operationCallEval (exec=0x7fffffffcb10, execCallee=0x7fffffffcac0)
at ../../Source/JavaScriptCore/jit/JITOperations.cpp:638
#8 0x00007fffadfffe06 in ?? ()
#9 0x00007fffffffcb10 in ?? ()
#10 0x00007ffff738d751 in llint_entry () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#11 0x00007ffff7387966 in vmEntryToJavaScript () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#12 0x00007ffff70be1fb in JSC::JITCode::execute (this=0x7fffefff7900, vm=0x7fffee010000, protoCallFrame=0x7fffffffcd30)
at ../../Source/JavaScriptCore/jit/JITCode.cpp:77
#13 0x00007ffff70997dc in JSC::Interpreter::execute (this=0x7fffefff6000, program=0x7fffee16fc70, callFrame=0x7fffee0af9b0, thisObj=0x7fffee0cfaf0)
at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:855
#14 0x00007ffff72299ca in JSC::evaluate (exec=0x7fffee0af9b0, source=..., thisValue=..., returnedException=0x7fffffffd6b0)
at ../../Source/JavaScriptCore/runtime/Completion.cpp:81
#15 0x000000000042648f in runWithScripts (globalObject=0x7fffee0af970, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1264
#16 0x00000000004272c4 in jscmain (argc=2, argv=0x7fffffffd928) at ../../Source/JavaScriptCore/jsc.cpp:1481
#17 0x000000000042627a in main (argc=2, argv=0x7fffffffd928) at ../../Source/JavaScriptCore/jsc.cpp:1222
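The two pieces of evidence on this page fit together: the comment on line 1119 says the loop trusts |numFunctions| == 1 while |codeBlock| holds no function declarations, and the backtrace shows the failure surfacing in WTF::Vector<..., CrashOnOverflow>::at, i.e. the container's own bounds check fired and called WTFCrash instead of letting the read run past the end of the vector. The following is an added illustration in C++ of that pattern and is not JavaScriptCore code; MockCodeBlock, functionDecl, runFunctionDeclLoop and the throwing crashOnOverflow stand-in are assumptions made for the example.

```cpp
// Added illustration, not JavaScriptCore code: a stand-in for the loop in
// Interpreter::execute described in the report, with a bounds-checked accessor
// in the spirit of WTF::Vector<..., CrashOnOverflow>::at. All names here
// (MockCodeBlock, functionDecl, runFunctionDeclLoop, crashOnOverflow) are
// assumptions for the example.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

struct FunctionExecutable { std::string name; };

// Stand-in for CrashOnOverflow::overflowed -> WTFCrash in the backtrace.
// Throwing instead of aborting keeps the example testable; real WTF aborts.
[[noreturn]] static void crashOnOverflow(std::size_t index, std::size_t size) {
    throw std::out_of_range("functionDecl(" + std::to_string(index) +
                            ") on a vector of size " + std::to_string(size));
}

struct MockCodeBlock {
    std::vector<FunctionExecutable*> functionDecls;

    std::size_t numberOfFunctionDecls() const { return functionDecls.size(); }

    // Checked access: the index is validated against the vector's own size,
    // so a stale count from elsewhere cannot become an out-of-bounds read.
    FunctionExecutable* functionDecl(std::size_t index) const {
        if (index >= functionDecls.size())
            crashOnOverflow(index, functionDecls.size());
        return functionDecls[index];
    }
};

struct LoopResult {
    std::size_t visited;      // declarations successfully read
    bool checkFired;          // true if the bounds check aborted the loop
    std::size_t failedIndex;  // index at which it fired (valid if checkFired)
};

// numFunctions is a second source of truth, like |numFunctions| versus
// |codeBlock| in the report; the two can disagree, and the loop trusts the count.
static LoopResult runFunctionDeclLoop(const MockCodeBlock& codeBlock, std::size_t numFunctions) {
    LoopResult result{0, false, 0};
    try {
        for (std::size_t i = 0; i < numFunctions; ++i) {
            FunctionExecutable* function = codeBlock.functionDecl(i);
            (void)function;  // the real loop goes on to use the executable
            ++result.visited;
        }
    } catch (const std::out_of_range&) {
        result.checkFired = true;
        result.failedIndex = result.visited;  // the read at this index was refused
    }
    return result;
}

// The state the comment describes: numFunctions == 1, codeBlock has no decls.
static LoopResult reproduceReportedState() {
    MockCodeBlock codeBlock;  // constructed empty: no function declarations
    return runFunctionDeclLoop(codeBlock, 1);
}

// Consistent state: the count is derived from the same container it indexes.
static LoopResult consistentState() {
    FunctionExecutable fuzz{"fuzz"};
    MockCodeBlock codeBlock;
    codeBlock.functionDecls.push_back(&fuzz);
    return runFunctionDeclLoop(codeBlock, codeBlock.numberOfFunctionDecls());
}

int main() {
    LoopResult r = reproduceReportedState();
    return (r.checkFired && r.failedIndex == 0) ? 0 : 1;
}
```

Build with any C++11 compiler. The point of the contrast is that an unchecked `functionDecls[i]` driven by a stale count would read past the end of the vector, whereas the checked accessor turns the same mismatch into a deterministic abort at index 0, which is exactly the assertion crash the reporter observed rather than a silent out-of-bounds read.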