[Webkit-unassigned] [Bug 196728] New: Creating a Typed Array with C Api crashes after GC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 9 01:48:16 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=196728

            Bug ID: 196728
           Summary: Creating a Typed Array with C Api crashes after GC
           Product: WebKit
           Version: Safari 12
          Hardware: All
                OS: macOS 10.14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sercan at otsimo.com

Created attachment 367035

  --> https://bugs.webkit.org/attachment.cgi?id=367035&action=review

main.cpp

Hi,
I have following simple application to test creating uint8array inside c++:

// C++ Application

#include <iostream>
#include <JavaScriptCore/JavaScriptCore.h>

static JSValueRef jsprint(JSContextRef ctx, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception){
    if(argumentCount < 1){
        return JSValueMakeUndefined(ctx);
    }
    auto str_copy = JSValueToStringCopy(ctx, arguments[0], exception);
    auto jsSize = JSStringGetMaximumUTF8CStringSize(str_copy);
    char* jsBuffer = (char*)malloc(jsSize);
    JSStringGetUTF8CString(str_copy, jsBuffer, jsSize);
    std::cout << jsBuffer << "\n";
    return JSValueMakeUndefined(ctx);
}

static JSValueRef test1(JSContextRef ctx, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception){
    auto num = JSValueToNumber(ctx,arguments[0],nullptr);
    std::cout << "Test " << num << "\n";

    JSValueRef * res =(JSValueRef*) malloc(sizeof(JSValueRef*) * 100);
    for(auto i = 0; i < 100; i++){
        //
        //
        // Remove following line and everything works. It doesn't change if I put it inside argumentsArrayValues or not.
        auto tarr = JSObjectMakeTypedArray(ctx, kJSTypedArrayTypeUint8Array, 2500 , exception);
        //
        //
        JSValueRef argumentsArrayValues[] = { JSValueMakeNumber(ctx, i) };
        auto rv = JSObjectMakeArray(ctx,
                                    sizeof(argumentsArrayValues) / sizeof(JSValueRef),
                                    argumentsArrayValues,
                                    exception);
        res[i] = rv;
    }

    auto arr = JSObjectMakeArray(ctx, 100, res, exception);
    return arr;
}

int main(int argc, const char * argv[]) {
    auto ctx = JSGlobalContextCreate(nullptr);
    // print function
    auto o1 = JSObjectMakeFunctionWithCallback(ctx, JSStringCreateWithUTF8CString("print"), jsprint);
    JSObjectSetProperty(ctx, JSContextGetGlobalObject(ctx), JSStringCreateWithUTF8CString("print"), o1, 0, nullptr);
    // test
    auto o2 = JSObjectMakeFunctionWithCallback(ctx, JSStringCreateWithUTF8CString("test1"), test1);
    JSObjectSetProperty(ctx, JSContextGetGlobalObject(ctx), JSStringCreateWithUTF8CString("test1"), o2, 0, nullptr);
    auto scr = R"(
    for(let i = 0; i < 10; i++){
        let y = test1(i);
        print(`YYYY: ${i}`);
        for(let o of y){
            print(`${i} ${o.length} ${o[0]}`)
        }
    }
    )";
    auto script = JSStringCreateWithUTF8CString(scr);
    JSEvaluateScript(ctx, script, nullptr, nullptr, 1, nullptr);
    return 0;
}

When I have application with "JSC_logGC=2" environment variable I get following output:
...
...
2 1 99
Test 3
[GC<0x102a00018>: START M 1697kb => EdenCollection, ca=1025.949219kb h=512.974609kb a=0kb hf=0.000 mu=0.700 v=0kb (C:0 M:0 P1:0 P2:0 P3:0) o=0 b=0 i#1:N<CsMsrShDMsm(0)> tp=0.300000ms 16+0 v=146kb (C:59 M:0 P1:8 P2:6 P3:71) o=2 b=0 i#2:N<WsODwDFG Worklists:
Collector: [], Mutator: []> tp=0.300000ms 0+0 v=146kb (C:59 M:0 P1:8 P2:6 P3:71) o=2 b=0 i#3:P<MsrShCsDMsm(0)CbWsODwDFG Worklists:
Collector: [], Mutator: []> => 162kb, p=0.895090ms (max 0.895090), cycle 0.876148ms END]
[GC<0x102a00018>: finalize 0.013370ms]
YYYY: 3
Segmentation fault: 11

If I remove the line "auto tarr = JSObjectMakeTypedArray(ctx, kJSTypedArrayTypeUint8Array, 2500 , exception);" everything works correctly.

LLDB output:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x742aef2e8)
    frame #0: 0x00007fff4e02dfbf JavaScriptCore`llint_slow_path_get_by_id + 5119
JavaScriptCore`llint_slow_path_get_by_id:
->  0x7fff4e02dfbf <+5119>: movq   (%rcx,%rax,8), %r13
    0x7fff4e02dfc3 <+5123>: testb  $0x8, 0x6(%r12)
    0x7fff4e02dfc9 <+5129>: jne    0x7fff4e02e118            ; <+5464>
    0x7fff4e02dfcf <+5135>: movq   0x50(%r13), %rax
Target 0: (jscc) stopped.

I have Xcode Version 10.2 (10E125), MacOS 10.14.4 (18E226)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190409/153137e5/attachment-0001.html>

More information about the webkit-unassigned mailing list