No subject


Tue Jan 27 15:54:36 PST 2015 

1118            for (int i = 0; i < numFunctions; ++i) {
1119                FunctionExecutable* function = codeBlock->functionDecl(i);
...
...
1122            }

The crash happens in line 1119. After a short debugging it seems that at the moment of the crash the index of the loop is 0 and the value of |numFunctions| is 1. However, since |codeBlock| doesn't contain any functionDeclarations at this point, we crash. One more note that could be important: the crash happens around the 4096th eval execution.

-- 
You are receiving this mail because:
You are the assignee for the bug.
--1426175814.34dF7.25506
Date: Thu, 12 Mar 2015 08:56:54 -0700
MIME-Version: 1.0
Content-Type: text/html

<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Crash in JSC::Interpreter::execute"
   href="https://bugs.webkit.org/show_bug.cgi?id=142625">142625</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Crash in JSC::Interpreter::execute
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>528+ (Nightly build)
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>JavaScriptCore
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>rhodovan.u-szeged&#64;partner.samsung.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>fpizlo&#64;apple.com, ggaren&#64;apple.com, msaboff&#64;apple.com, oliver&#64;apple.com
          </td>
        </tr>

        <tr>
          <th>Blocks</th>
          <td>116980
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=248519" name="attach_248519" title="Test case">attachment 248519</a> <a href="attachment.cgi?id=248519&amp;action=edit" title="Test case">[details]</a></span>
Test case

If you load this with TotT JSC (on Ubuntu 14.04, x86_64):

do 
    eval(&quot;function fuzz() {}&quot;);
while(true);


then you will get a crash with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73de2d9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff73de2d9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00000000004280fa in WTF::CrashOnOverflow::overflowed () at ../../Source/WTF/wtf/CheckedArithmetic.h:78
#2  0x00007ffff6ce7899 in WTF::Vector&lt;JSC::WriteBarrier&lt;JSC::FunctionExecutable&gt;, 0ul, WTF::CrashOnOverflow&gt;::at (this=0x7fffef7f06d0, i=0)
    at ../../Source/WTF/wtf/Vector.h:659
#3  0x00007ffff6cdf303 in WTF::Vector&lt;JSC::WriteBarrier&lt;JSC::FunctionExecutable&gt;, 0ul, WTF::CrashOnOverflow&gt;::operator[] (this=0x7fffef7f06d0, i=0)
    at ../../Source/WTF/wtf/Vector.h:679
#4  0x00007ffff6dd1ba8 in JSC::CodeBlock::functionDecl (this=0x7fffef7f04d0, index=0) at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:657
#5  0x00007ffff709b0ee in JSC::Interpreter::execute (this=0x7fffefff6000, eval=0x7fffee16fb70, callFrame=0x7fffffffcac0, thisValue=..., 
    scope=0x7fffee0af970) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1119
#6  0x00007ffff7096ca1 in JSC::eval (callFrame=0x7fffffffcac0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:134
#7  0x00007ffff70ce0a9 in JSC::operationCallEval (exec=0x7fffffffcb10, execCallee=0x7fffffffcac0)
    at ../../Source/JavaScriptCore/jit/JITOperations.cpp:638
#8  0x00007fffadfffe06 in ?? ()
#9  0x00007fffffffcb10 in ?? ()
#10 0x00007ffff738d751 in llint_entry () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#11 0x00007ffff7387966 in vmEntryToJavaScript () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#12 0x00007ffff70be1fb in JSC::JITCode::execute (this=0x7fffefff7900, vm=0x7fffee010000, protoCallFrame=0x7fffffffcd30)
    at ../../Source/JavaScriptCore/jit/JITCode.cpp:77
#13 0x00007ffff70997dc in JSC::Interpreter::execute (this=0x7fffefff6000, program=0x7fffee16fc70, callFrame=0x7fffee0af9b0, thisObj=0x7fffee0cfaf0)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:855
#14 0x00007ffff72299ca in JSC::evaluate (exec=0x7fffee0af9b0, source=..., thisValue=..., returnedException=0x7fffffffd6b0)
    at ../../Source/JavaScriptCore/runtime/Completion.cpp:81
#15 0x000000000042648f in runWithScripts (globalObject=0x7fffee0af970, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1264
#16 0x00000000004272c4 in jscmain (argc=2, argv=0x7fffffffd928) at ../../Source/JavaScriptCore/jsc.cpp:1481
#17 0x000000000042627a in main (argc=2, argv=0x7fffffffd928) at ../../Source/JavaScriptCore/jsc.cpp:1222

More information about the webkit-unassigned mailing list