[Webkit-unassigned] [Bug 199684] New: Assigning object property twice in a loop breaks JSCore on powerpc64 and s390x
bugzilla-daemon at webkit.org
Wed Jul 10 13:58:29 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=199684
Bug ID: 199684
Summary: Assigning object property twice in a loop breaks JSCore on powerpc64 and s390x
Product: WebKit
Version: Other
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mitya57 at ubuntu.com
Test case with WebKitGTK+:

#include <jsc/jsc.h>

/* Build against the JavaScriptCore GLib API shipped with WebKitGTK, e.g.:
 *   gcc test_jscore.c $(pkg-config --cflags --libs javascriptcoregtk-4.0)
 */
int main() {
    JSCContext *context = jsc_context_new();
    /* Assigning the same property twice in a loop is the pattern that
     * triggers the crash described below on powerpc64 (LE) and s390x. */
    const char *script =
        "for (var i = 0; i < 2; i++) {\n"
        "  var foo = {};\n"
        "  foo.bar = null;\n"
        "}\n"
        "888\n";
    /* Length -1: the script string is NUL-terminated. */
    JSCValue *value = jsc_context_evaluate(context, script, -1);
    /* The completion value of the program is the last expression, 888. */
    gint32 value_int = jsc_value_to_int32(value);
    g_message("Value is %d\n", value_int);
    return 0;
}
Expected result: "Value is 888" is printed.
Instead it crashes on powerpc64 (little endian) and s390x. Here is a stacktrace from s390x:
#0  0x000003fffd8739f6 in JSC::LLInt::CLoop::execute(JSC::OpcodeID, void*, JSC::VM*, JSC::ProtoCallFrame*, bool) () at DerivedSources/JavaScriptCore/LLIntAssembly.h:6044
#1  0x000003fffd88dd10 in vmEntryToJavaScript() () at ../Source/JavaScriptCore/llint/LLIntThunks.cpp:108
#2  0x000003fffd85cb44 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) () at ../Source/JavaScriptCore/jit/JITCodeInlines.h:38
#3  0x000003fffd85cb44 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) () at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:834
#4  0x000003fffd9fac82 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () at ../Source/JavaScriptCore/runtime/Completion.cpp:137
#5  0x000003fffd9fae50 in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () at ../Source/JavaScriptCore/runtime/Completion.cpp:153
#6  0x000003fffd649278 in JSEvaluateScript() () at ../Source/JavaScriptCore/API/JSBase.cpp:70
#7  0x000003fffd613910 in evaluateScriptInContext() () at ../Source/JavaScriptCore/API/glib/JSCContext.cpp:824
#8  0x000003fffd614e2a in jsc_context_evaluate_with_source_uri() () at ../Source/JavaScriptCore/API/glib/JSCContext.cpp:847
#9  0x000003fffd614efa in jsc_context_evaluate() () at ../Source/JavaScriptCore/API/glib/JSCContext.cpp:817
#10 0x0000000100000936 in main () at test_jscore.c:12
This stacktrace is from Debian unstable, WebKitGTK version is 2.24.3.
According to our CI logs, it regressed somewhere between 2.23.91 and 2.23.92.
See https://bugs.debian.org/931807 for my original report, which has a more complicated test case.