[Webkit-unassigned] [Bug 149804] New: Crash in JSC::BytecodeGenerator::emitComplexPopScopes

bugzilla-daemon at webkit.org
Mon Oct 5 06:35:24 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=149804

            Bug ID: 149804
           Summary: Crash in JSC::BytecodeGenerator::emitComplexPopScopes
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rhodovan.u-szeged at partner.samsung.com
                CC: fpizlo at apple.com, ggaren at apple.com, sam at webkit.org
            Blocks: 116980

Created attachment 262430
  --> https://bugs.webkit.org/attachment.cgi?id=262430&action=review
Test

Running this test with release jsc results in an overflow crash:

function f_0(){
    for(var v_0 in [10]){
        try {
            for(var v_1 in [10])
                return;
        } finally {}
    }
}

for(var v_2 in f_0()) {}


In debug it causes an assertion failure:

ASSERTION FAILED: size <= m_size
../../Source/WTF/wtf/Vector.h(1024) : void WTF::Vector<T, inlineCapacity, OverflowHandler, minCapacity>::shrink(size_t) [with T = std::unique_ptr<JSC::ForInContext>; long unsigned int inlineCapacity = 0ul; OverflowHandler = WTF::CrashOnOverflow; long unsigned int minCapacity = 16ul; size_t = long unsigned int]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff717a8b0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321     *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff717a8b0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff69933da in WTF::Vector<std::unique_ptr<JSC::ForInContext, std::default_delete<JSC::ForInContext> >, 0ul, WTF::CrashOnOverflow, 16ul>::shrink (this=0x7ffff0c82f50, size=1) at ../../Source/WTF/wtf/Vector.h:1024
#2  0x00007ffff69823ee in JSC::BytecodeGenerator::emitComplexPopScopes (this=0x7ffff0c82c80, scope=0x7ffff0ef77a4, topScope=0x7ffff0ed9400, bottomScope=0x7ffff0ed93c0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:3164
#3  0x00007ffff6982d7e in JSC::BytecodeGenerator::emitPopScopes (this=0x7ffff0c82c80, scope=0x7ffff0ef77a4, targetScopeDepth=0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:3253
#4  0x00007ffff69c9228 in JSC::ReturnNode::emitBytecode (this=0x7ffff0c502b0, generator=..., dst=0x0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2581
#5  0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c502b0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#6  0x00007ffff698c30d in JSC::BytecodeGenerator::emitNode (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c502b0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:364
#7  0x00007ffff69c719f in JSC::ForInNode::emitMultiLoopBytecode (this=0x7ffff0c50330, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2353
#8  0x00007ffff69c81fd in JSC::ForInNode::emitBytecode (this=0x7ffff0c50330, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2451
#9  0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50330) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#10 0x00007ffff69d06ca in JSC::SourceElements::emitBytecode (this=0x7ffff0c50190, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1961
#11 0x00007ffff69c49a0 in JSC::BlockNode::emitBytecode (this=0x7ffff0c503c8, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1981
#12 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c503c8) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#13 0x00007ffff698c30d in JSC::BytecodeGenerator::emitNode (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c503c8) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:364
#14 0x00007ffff69ca9b8 in JSC::TryNode::emitBytecode (this=0x7ffff0c50498, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2833
#15 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50498) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#16 0x00007ffff69d06ca in JSC::SourceElements::emitBytecode (this=0x7ffff0c50180, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1961
#17 0x00007ffff69c49a0 in JSC::BlockNode::emitBytecode (this=0x7ffff0c50518, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1981
#18 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50518) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#19 0x00007ffff698c30d in JSC::BytecodeGenerator::emitNode (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50518) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:364
#20 0x00007ffff69c719f in JSC::ForInNode::emitMultiLoopBytecode (this=0x7ffff0c505b0, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2353
#21 0x00007ffff69c81fd in JSC::ForInNode::emitBytecode (this=0x7ffff0c505b0, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2451
#22 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c505b0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#23 0x00007ffff69d06ca in JSC::SourceElements::emitBytecode (this=0x7ffff0c50060, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1961
#24 0x00007ffff69c49a0 in JSC::BlockNode::emitBytecode (this=0x7ffff0c50648, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1981
#25 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50648) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#26 0x00007ffff69d06ca in JSC::SourceElements::emitBytecode (this=0x7ffff0c50050, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1961
#27 0x00007ffff69d07b0 in JSC::ScopeNode::emitStatementsBytecode (this=0x7ffff0ed3000, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2899
#28 0x00007ffff69cb651 in JSC::FunctionNode::emitBytecode (this=0x7ffff0ed3000, generator=...) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2960
#29 0x00007ffff696fa07 in JSC::BytecodeGenerator::generate (this=0x7ffff0c82c80) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:98
#30 0x00007ffff6967360 in JSC::generateUnlinkedFunctionCodeBlock (vm=..., executable=0x7ffff0c76c00, source=..., kind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, functionKind=JSC::UnlinkedNormalFunction, error=..., isArrowFunction=false) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:72
#31 0x00007ffff69680a5 in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor (this=0x7ffff0c76c00, vm=..., source=..., specializationKind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=..., isArrowFunction=false) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:199
#32 0x00007ffff6f81e60 in JSC::ScriptExecutable::newCodeBlockFor (this=0x7ffff0c76b00, kind=JSC::CodeForCall, function=0x7ffff0c649a0, scope=0x7ffff0c57fc0, exception=@0x7fffffffc3f8: 0x0) at ../../Source/JavaScriptCore/runtime/Executable.cpp:263
#33 0x00007ffff6f8294a in JSC::ScriptExecutable::prepareForExecutionImpl (this=0x7ffff0c76b00, exec=0x7fffffffc620, function=0x7ffff0c649a0, scope=0x7ffff0c57fc0, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/runtime/Executable.cpp:353
#34 0x00007ffff6d8c16e in JSC::ScriptExecutable::prepareForExecution (this=0x7ffff0c76b00, exec=0x7fffffffc620, function=0x7ffff0c649a0, scope=0x7ffff0c57fc0, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/runtime/Executable.h:386
#35 0x00007ffff711d6da in JSC::LLInt::setUpCall (execCallee=0x7fffffffc620, pc=0x7ffff0c2b830, kind=JSC::CodeForCall, calleeAsValue=..., callLinkInfo=0x7ffff0fd7528) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1158
#36 0x00007ffff711db06 in JSC::LLInt::genericCall (exec=0x7fffffffc690, pc=0x7ffff0c2b830, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1220
#37 0x00007ffff711ad93 in JSC::LLInt::llint_slow_path_call (exec=0x7fffffffc690, pc=0x7ffff0c2b830) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1226
#38 0x00007ffff712403c in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#39 0x00007ffff711e3ab in vmEntryToJavaScript () from webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#40 0x00007ffff6db9054 in JSC::JITCode::execute (this=0x7ffff0fd7550, vm=0x7ffff0c02000, protoCallFrame=0x7fffffffc870) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80
#41 0x00007ffff6d89072 in JSC::Interpreter::execute (this=0x7ffff0ff6000, program=0x7ffff0c6a000, callFrame=0x7ffff0c3f740, thisObj=0x7ffff0c4a640) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:961
#42 0x00007ffff6f61c80 in JSC::evaluate (exec=0x7ffff0c3f740, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:104
#43 0x00000000004370c0 in runWithScripts (globalObject=0x7ffff0c3f700, scripts=..., dump=false, module=false) at ../../Source/JavaScriptCore/jsc.cpp:1667
#44 0x0000000000437ebf in jscmain (argc=2, argv=0x7fffffffd588) at ../../Source/JavaScriptCore/jsc.cpp:1893
#45 0x00000000004369c9 in main (argc=2, argv=0x7fffffffd588) at ../../Source/JavaScriptCore/jsc.cpp:1592

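The semantics the bytecode generator has to implement for the shape above, as an added harness that is not part of the bug report or of the WebKit tree: a `return` issued inside nested for-in loops and a try block must unwind every for-in context in LIFO order and still run each enclosing finally block exactly once, and the caller's `for (var v_2 in f_0())` must then iterate zero times because the return value is undefined. The helper names `reporterShape` and `nestedShape` are mine; on an engine that has the reported defect, the first function is expected to hit the same crash, while on a correct engine both return the values asserted below.

```javascript
'use strict';

// Mirrors the reporter's f_0 exactly, but records observable events so the
// expected behaviour can be checked instead of only "does not crash".
function reporterShape() {
  const trace = [];               // constructed trace of finally executions
  function f_0() {
    for (var v_0 in [10]) {
      try {
        for (var v_1 in [10])
          return;                 // leaves two for-in contexts and the try
      } finally {
        trace.push('finally');    // must run once on the way out
      }
    }
    return 'fell-through';        // unreachable if the return above works
  }
  const result = f_0();           // undefined on a correct engine
  let outerIterations = 0;
  for (var v_2 in result) outerIterations++;   // for-in over undefined: 0 passes
  return { result, trace, outerIterations };
}

// Generalisation of the same pattern: three for-in depths and two try/finally
// levels, returning from the innermost loop. The finally blocks must fire
// innermost first, and the loop variables (for-in keys, hence strings) must
// still be readable at the return site.
function nestedShape() {
  const trace = [];
  function g() {
    for (var a in [1]) {
      try {
        for (var b in [1, 2]) {
          try {
            for (var c in [1]) {
              trace.push('body');
              return a + b + c;   // '0' + '0' + '0' -> '000'
            }
          } finally {
            trace.push('inner-finally');
          }
        }
      } finally {
        trace.push('outer-finally');
      }
    }
    return null;
  }
  return { result: g(), trace };
}

// Stand-alone run for the reader.
console.log(JSON.stringify(reporterShape()));
console.log(JSON.stringify(nestedShape()));
```

Running the harness on a build that carries the fix is the quick way to confirm not only that the assertion in `WTF::Vector::shrink` no longer fires, but that the unwinding still produces the right observable order of finally blocks and the right return value.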