[Webkit-unassigned] [Bug 196853] New: null pointer dereference in JSC::Symbol::Symbol.cpp
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Apr 12 00:12:28 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=196853
Bug ID: 196853
Summary: null pointer dereference in JSC::Symbol::Symbol.cpp
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: macOS 10.14
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: vulbugs at gmail.com
0. Git log
commit 2b5c08548956d8183b1c152486f0d297f078326d (HEAD -> master, origin/master, origin/HEAD)
1. JS code
---
var str1 = new Date().toLocaleString()
const str2 = str1.padEnd(2147483647, "AAAAA");
function foo() {
'use strict'
var arr1 = [str2];
Symbol(...arr1);
}
new Promise(foo);
---
2. Debug log (the trace below shows the root cause: resolving the 2147483647-character rope in JSRopeString::resolveRopeWithFunction fails because StringImpl::tryCreateUninitialized returns nullptr for a length above maxInternalLength, outOfMemory() is reported and nullString() is returned, so Symbol::create() passes a String whose m_impl is null into the Symbol constructor and SymbolImpl::create(rep=0) dereferences it)
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
frame #0: 0x0000000100039bfc jsc`WTF::StringImpl::bufferOwnership(this=0x0000000000000000) const at StringImpl.h:487:83
484 ALWAYS_INLINE static StringStats& stringStats() { return m_stringStats; }
485 #endif
486
-> 487 BufferOwnership bufferOwnership() const { return static_cast<BufferOwnership>(m_hashAndFlags & s_hashMaskBufferOwnership); }
488
489 template<typename T> static size_t headerSize() { return tailOffset<T>(); }
490
Target 0: (jsc) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
* frame #0: 0x0000000100039bfc jsc`WTF::StringImpl::bufferOwnership(this=0x0000000000000000) const at StringImpl.h:487:83
frame #1: 0x0000000101b5b093 JavaScriptCore`WTF::SymbolImpl::create(rep=0x0000000000000000) at SymbolImpl.cpp:47:27
frame #2: 0x000000010150eb03 JavaScriptCore`JSC::PrivateName::PrivateName(this=0x00000001090b00d8, (null)=Description, description=0x00007ffeefbfd290) at PrivateName.h:47:17
frame #3: 0x0000000101505773 JavaScriptCore`JSC::PrivateName::PrivateName(this=0x00000001090b00d8, (null)=Description, description=0x00007ffeefbfd290) at PrivateName.h:48:5
frame #4: 0x00000001017b1863 JavaScriptCore`JSC::Symbol::Symbol(this=0x00000001090b00d0, vm=0x0000000108d00000, string=0x00007ffeefbfd290) at Symbol.cpp:46:7
frame #5: 0x00000001017b1895 JavaScriptCore`JSC::Symbol::Symbol(this=0x00000001090b00d0, vm=0x0000000108d00000, string=0x00007ffeefbfd290) at Symbol.cpp:47:1
frame #6: 0x00000001017b1f62 JavaScriptCore`JSC::Symbol::create(exec=0x00007ffeefbfd300, description=0x0000000109088560) at Symbol.cpp:123:67
frame #7: 0x00000001017b2186 JavaScriptCore`JSC::callSymbol(exec=0x00007ffeefbfd300) at SymbolConstructor.cpp:85:28
frame #8: 0x0000439ca5a01027
frame #9: 0x00000001012e425e JavaScriptCore`llint_entry + 80823
frame #10: 0x00000001012e37f1 JavaScriptCore`llint_entry + 78154
frame #11: 0x00000001012d0440 JavaScriptCore`vmEntryToJavaScript + 273
frame #12: 0x00000001011cbed7 JavaScriptCore`JSC::JITCode::execute(this=0x0000000108cbda28, vm=0x0000000108d00000, protoCallFrame=0x00007ffeefbfd640) at JITCodeInlines.h:38:38
frame #13: 0x00000001011cc50d JavaScriptCore`JSC::Interpreter::executeCall(this=0x0000000108cfe180, callFrame=0x00007ffeefbfda30, function=0x00000001090cbe10, callType=JS, callData=0x00007ffeefbfd8d8, thisValue=JSValue @ 0x00007ffeefbfd770, args=0x00007ffeefbfd840) at Interpreter.cpp:904:81
frame #14: 0x00000001014b1dac JavaScriptCore`JSC::call(exec=0x00007ffeefbfda30, functionObject=JSValue @ 0x00007ffeefbfd7f0, callType=JS, callData=0x00007ffeefbfd8d8, thisValue=JSValue @ 0x00007ffeefbfd7e8, args=0x00007ffeefbfd840) at CallData.cpp:59:28
frame #15: 0x0000000101666500 JavaScriptCore`JSC::JSPromise::initialize(this=0x00000001090bc1c0, exec=0x00007ffeefbfda30, globalObject=0x00000001090e4000, executor=JSValue @ 0x00007ffeefbfd908) at JSPromise.cpp:74:5
frame #16: 0x000000010167a55a JavaScriptCore`JSC::constructPromise(exec=0x00007ffeefbfda30) at JSPromiseConstructor.cpp:117:14
frame #17: 0x0000439ca5a010c7
frame #18: 0x00000001012e4013 JavaScriptCore`llint_entry + 80236
frame #19: 0x00000001012d0440 JavaScriptCore`vmEntryToJavaScript + 273
frame #20: 0x00000001011cbed7 JavaScriptCore`JSC::JITCode::execute(this=0x0000000108cb9440, vm=0x0000000108d00000, protoCallFrame=0x00007ffeefbfdd98) at JITCodeInlines.h:38:38
frame #21: 0x00000001011cb4e0 JavaScriptCore`JSC::Interpreter::executeProgram(this=0x0000000108cfe180, source=0x00007ffeefbff460, callFrame=0x00000001090e4048, thisObj=0x00000001090e8260) at Interpreter.cpp:845:51
frame #22: 0x0000000101505fd5 JavaScriptCore`JSC::evaluate(exec=0x00000001090e4048, source=0x00007ffeefbff460, thisValue=JSValue @ 0x00007ffeefbff320, returnedException=0x00007ffeefbff480) at Completion.cpp:141:38
frame #23: 0x00000001000515f6 jsc`runWithOptions(globalObject=0x00000001090e4000, options=0x00007ffeefbff950, success=0x00007ffeefbff83b) at jsc.cpp:2632:35
frame #24: 0x00000001000275dc jsc`jscmain(this=0x00007ffeefbff940, vm=0x0000000108d00000, globalObject=0x00000001090e4000, success=0x00007ffeefbff83b)::$_4::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:3103:13
frame #25: 0x000000010000783f jsc`int runJSC<jscmain(int, char**)::$_4>(options=0x00007ffeefbff950, isWorker=false, func=0x00007ffeefbff940)::$_4 const&) at jsc.cpp:2961:9
frame #26: 0x00000001000065f3 jsc`jscmain(argc=2, argv=0x00007ffeefbff9f8) at jsc.cpp:3096:18
frame #27: 0x000000010000656e jsc`main(argc=2, argv=0x00007ffeefbff9f8) at jsc.cpp:2456:15
frame #28: 0x00007fff688ee3d5 libdyld.dylib`start + 1
frame #29: 0x00007fff688ee3d5 libdyld.dylib`start + 1
(lldb) b Symbol.cpp:118
Breakpoint 1: where = JavaScriptCore`JSC::Symbol::create(JSC::ExecState*, JSC::JSString*) + 16 at Symbol.cpp:121:14, address = 0x00000001017b1f00
(lldb) r
There is a running process, kill it and restart?: [Y/n]
Process 36253 exited with status = 9 (0x00000009)
Process 36257 launched: '/Users/debug/Documents/Browsers/WebKit/WebKitBuild/Debug/bin/jsc' (x86_64)
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x00000001017b1f00 JavaScriptCore`JSC::Symbol::create(exec=0x00007ffeefbfd300, description=0x0000000109588560) at Symbol.cpp:121:14
118
119 Symbol* Symbol::create(ExecState* exec, JSString* description)
120 {
-> 121 VM& vm = exec->vm();
122 String desc = description->value(exec);
123 Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, desc);
124 symbol->finishCreation(vm);
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x00000001017b1f0d JavaScriptCore`JSC::Symbol::create(exec=0x00007ffeefbfd300, description=0x0000000109588560) at Symbol.cpp:122:19
119 Symbol* Symbol::create(ExecState* exec, JSString* description)
120 {
121 VM& vm = exec->vm();
-> 122 String desc = description->value(exec);
123 Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, desc);
124 symbol->finishCreation(vm);
125 return symbol;
Target 0: (jsc) stopped.
(lldb) s
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step in
frame #0: 0x0000000100003da8 jsc`JSC::JSString::value(this=0x0000000109588560, exec=0x00007ffeefbfd300) const at JSString.h:764:9
761 inline const String& JSString::value(ExecState* exec) const
762 {
763 if (validateDFGDoesGC)
-> 764 RELEASE_ASSERT(vm()->heap.expectDoesGC());
765 if (isRope())
766 return static_cast<const JSRopeString*>(this)->resolveRope(exec);
767 return valueInternal();
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000100003e13 jsc`JSC::JSString::value(this=0x0000000109588560, exec=0x00007ffeefbfd300) const at JSString.h:765:9
762 {
763 if (validateDFGDoesGC)
764 RELEASE_ASSERT(vm()->heap.expectDoesGC());
-> 765 if (isRope())
766 return static_cast<const JSRopeString*>(this)->resolveRope(exec);
767 return valueInternal();
768 }
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000100003e29 jsc`JSC::JSString::value(this=0x0000000109588560, exec=0x00007ffeefbfd300) const at JSString.h:766:16
763 if (validateDFGDoesGC)
764 RELEASE_ASSERT(vm()->heap.expectDoesGC());
765 if (isRope())
-> 766 return static_cast<const JSRopeString*>(this)->resolveRope(exec);
767 return valueInternal();
768 }
769
Target 0: (jsc) stopped.
(lldb) s
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step in
frame #0: 0x0000000101691e04 JavaScriptCore`JSC::JSRopeString::resolveRope(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300) const at JSString.cpp:332:36
329
330 const String& JSRopeString::resolveRope(ExecState* nullOrExecForOOM) const
331 {
-> 332 return resolveRopeWithFunction(nullOrExecForOOM, [] (Ref<StringImpl>&& newImpl) {
333 return WTFMove(newImpl);
334 });
335 }
Target 0: (jsc) stopped.
(lldb) s
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step in
frame #0: 0x0000000101691e42 JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:293:5
290 template<typename Function>
291 const String& JSRopeString::resolveRopeWithFunction(ExecState* nullOrExecForOOM, Function&& function) const
292 {
-> 293 ASSERT(isRope());
294
295 VM& vm = *this->vm();
296 if (isSubstring()) {
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000101691ea4 JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:295:21
292 {
293 ASSERT(isRope());
294
-> 295 VM& vm = *this->vm();
296 if (isSubstring()) {
297 ASSERT(!substringBase()->isRope());
298 auto newImpl = substringBase()->valueInternal().substringSharingImpl(substringOffset(), length());
Target 0: (jsc) stopped.
(lldb) l 295
295 VM& vm = *this->vm();
296 if (isSubstring()) {
297 ASSERT(!substringBase()->isRope());
298 auto newImpl = substringBase()->valueInternal().substringSharingImpl(substringOffset(), length());
299 convertToNonRope(function(newImpl.releaseImpl().releaseNonNull()));
300 return valueInternal();
301 }
302
303 if (is8Bit()) {
304 LChar* buffer;
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000101691eb7 JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:296:9
293 ASSERT(isRope());
294
295 VM& vm = *this->vm();
-> 296 if (isSubstring()) {
297 ASSERT(!substringBase()->isRope());
298 auto newImpl = substringBase()->valueInternal().substringSharingImpl(substringOffset(), length());
299 convertToNonRope(function(newImpl.releaseImpl().releaseNonNull()));
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000101692033 JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:303:9
300 return valueInternal();
301 }
302
-> 303 if (is8Bit()) {
304 LChar* buffer;
305 auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer);
306 if (!newImpl) {
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000101692173 JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:318:55
315 }
316
317 UChar* buffer;
-> 318 auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer);
319 if (!newImpl) {
320 outOfMemory(nullOrExecForOOM);
321 return nullString();
Target 0: (jsc) stopped.
(lldb) s
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step in
frame #0: 0x0000000100038ba0 jsc`JSC::JSRopeString::length(this=0x0000000109588560) const at JSString.h:434:16
431
432 inline unsigned length() const
433 {
-> 434 return m_compactFibers.length();
435 }
436
437 private:
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010169217f JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:318:20
315 }
316
317 UChar* buffer;
-> 318 auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer);
319 if (!newImpl) {
320 outOfMemory(nullOrExecForOOM);
321 return nullString();
Target 0: (jsc) stopped.
(lldb) p length()
(unsigned int) $0 = 2147483647
(lldb) s
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step in
frame #0: 0x000000010000de62 jsc`WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::tryCreateUninitialized<unsigned short>(length=2147483647, output=0x00007ffeefbfd178) at StringImpl.h:969:10
966
967 template<typename CharacterType> ALWAYS_INLINE RefPtr<StringImpl> StringImpl::tryCreateUninitialized(unsigned length, CharacterType*& output)
968 {
-> 969 if (!length) {
970 output = nullptr;
971 return empty();
972 }
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010000de95 jsc`WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::tryCreateUninitialized<unsigned short>(length=2147483647, output=0x00007ffeefbfd178) at StringImpl.h:974:9
971 return empty();
972 }
973
-> 974 if (length > maxInternalLength<CharacterType>()) {
975 output = nullptr;
976 return nullptr;
977 }
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010000deb4 jsc`WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::tryCreateUninitialized<unsigned short>(length=2147483647, output=0x00007ffeefbfd178) at StringImpl.h:975:9
972 }
973
974 if (length > maxInternalLength<CharacterType>()) {
-> 975 output = nullptr;
976 return nullptr;
977 }
978 StringImpl* result;
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010000debf jsc`WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::tryCreateUninitialized<unsigned short>(length=2147483647, output=0x00007ffeefbfd178) at StringImpl.h:976:16
973
974 if (length > maxInternalLength<CharacterType>()) {
975 output = nullptr;
-> 976 return nullptr;
977 }
978 StringImpl* result;
979 if (!tryFastMalloc(allocationSize<CharacterType>(length)).getValue(result)) {
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010000df6c jsc`WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::tryCreateUninitialized<unsigned short>(length=2147483647, output=0x00007ffeefbfd178) at StringImpl.h:986:1
983 output = result->tailPointer<CharacterType>();
984
985 return constructInternal<CharacterType>(*result, length);
-> 986 }
987
988 template<typename CharacterType, size_t inlineCapacity, typename OverflowHandler, size_t minCapacity>
989 inline Ref<StringImpl> StringImpl::adopt(Vector<CharacterType, inlineCapacity, OverflowHandler, minCapacity>&& vector)
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000101692194 JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:319:9
316
317 UChar* buffer;
318 auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer);
-> 319 if (!newImpl) {
320 outOfMemory(nullOrExecForOOM);
321 return nullString();
322 }
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x00000001016921ad JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:320:21
317 UChar* buffer;
318 auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer);
319 if (!newImpl) {
-> 320 outOfMemory(nullOrExecForOOM);
321 return nullString();
322 }
323 vm.heap.reportExtraMemoryAllocated(newImpl->cost());
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x00000001016921bd JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:321:16
318 auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer);
319 if (!newImpl) {
320 outOfMemory(nullOrExecForOOM);
-> 321 return nullString();
322 }
323 vm.heap.reportExtraMemoryAllocated(newImpl->cost());
324
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x00000001016922b6 JavaScriptCore`WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_4>(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300, function=0x00007ffeefbfd218) const::$_4&&) const at JSString.cpp:328:1
325 resolveRopeInternal16NoSubstring(buffer);
326 convertToNonRope(function(newImpl.releaseNonNull()));
327 return valueInternal();
-> 328 }
329
330 const String& JSRopeString::resolveRope(ExecState* nullOrExecForOOM) const
331 {
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000101691e11 JavaScriptCore`JSC::JSRopeString::resolveRope(this=0x0000000109588560, nullOrExecForOOM=0x00007ffeefbfd300) const at JSString.cpp:332:5
329
330 const String& JSRopeString::resolveRope(ExecState* nullOrExecForOOM) const
331 {
-> 332 return resolveRopeWithFunction(nullOrExecForOOM, [] (Ref<StringImpl>&& newImpl) {
333 return WTFMove(newImpl);
334 });
335 }
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000100003e39 jsc`JSC::JSString::value(this=0x0000000109588560, exec=0x00007ffeefbfd300) const at JSString.h:766:9
763 if (validateDFGDoesGC)
764 RELEASE_ASSERT(vm()->heap.expectDoesGC());
765 if (isRope())
-> 766 return static_cast<const JSRopeString*>(this)->resolveRope(exec);
767 return valueInternal();
768 }
769
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x0000000100003e4f jsc`JSC::JSString::value(this=0x0000000109588560, exec=0x00007ffeefbfd300) const at JSString.h:768:1
765 if (isRope())
766 return static_cast<const JSRopeString*>(this)->resolveRope(exec);
767 return valueInternal();
-> 768 }
769
770 inline const String& JSString::tryGetValue(bool allocationAllowed) const
771 {
Target 0: (jsc) stopped.
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x00000001017b1f1a JavaScriptCore`JSC::Symbol::create(exec=0x00007ffeefbfd300, description=0x0000000109588560) at Symbol.cpp:122:19
119 Symbol* Symbol::create(ExecState* exec, JSString* description)
120 {
121 VM& vm = exec->vm();
-> 122 String desc = description->value(exec);
123 Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, desc);
124 symbol->finishCreation(vm);
125 return symbol;
Target 0: (jsc) stopped.
(lldb) p desc
(WTF::String) $1 = {
m_impl = {
m_ptr = 0x0000000109588560
}
}
(lldb) n
Process 36257 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x00000001017b1f2d JavaScriptCore`JSC::Symbol::create(exec=0x00007ffeefbfd300, description=0x0000000109588560) at Symbol.cpp:123:57
120 {
121 VM& vm = exec->vm();
122 String desc = description->value(exec);
-> 123 Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, desc);
124 symbol->finishCreation(vm);
125 return symbol;
126 }
Target 0: (jsc) stopped.
(lldb) p desc
(WTF::String) $2 = {
m_impl = {
m_ptr = 0x0000000000000000
}
}
--