[Webkit-unassigned] [Bug 199684] New: Assigning object property twice in a loop breaks JSCore on powerpc64 and s390x

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 10 13:58:29 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=199684

            Bug ID: 199684
           Summary: Assigning object property twice in a loop breaks
                    JSCore on powerpc64 and s390x
           Product: WebKit
           Version: Other
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mitya57 at ubuntu.com

Test case with WebKitGTK+:

#include <jsc/jsc.h>

int main() {
    JSCContext *context = jsc_context_new();   /* fresh JavaScriptCore context */
    const char *script =
        "for (var i = 0; i < 2; i++) {\n"      /* property assigned twice in a loop */
        "    var foo = {};\n"
        "    foo.bar = null;\n"
        "}\n"
        "888\n";                               /* completion value of the script */
    JSCValue *value = jsc_context_evaluate(context, script, -1);  /* -1: NUL-terminated */
    gint32 value_int = jsc_value_to_int32(value);
    g_message("Value is %d\n", value_int);
    g_object_unref(value);                     /* release the GObject references */
    g_object_unref(context);
    return 0;
}

Expected result: "Value is 888" is printed.

Instead it crashes on powerpc64 (little endian) and s390x. Here is a stacktrace from s390x:

#0  0x000003fffd8739f6 in JSC::LLInt::CLoop::execute(JSC::OpcodeID, void*, JSC::VM*, JSC::ProtoCallFrame*, bool) ()
    at DerivedSources/JavaScriptCore/LLIntAssembly.h:6044
#1  0x000003fffd88dd10 in vmEntryToJavaScript() ()
    at ../Source/JavaScriptCore/llint/LLIntThunks.cpp:108
#2  0x000003fffd85cb44 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) () at ../Source/JavaScriptCore/jit/JITCodeInlines.h:38
#3  0x000003fffd85cb44 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) ()
    at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:834
#4  0x000003fffd9fac82 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) ()
    at ../Source/JavaScriptCore/runtime/Completion.cpp:137
#5  0x000003fffd9fae50 in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
    () at ../Source/JavaScriptCore/runtime/Completion.cpp:153
#6  0x000003fffd649278 in JSEvaluateScript() ()
    at ../Source/JavaScriptCore/API/JSBase.cpp:70
#7  0x000003fffd613910 in evaluateScriptInContext() ()
    at ../Source/JavaScriptCore/API/glib/JSCContext.cpp:824
#8  0x000003fffd614e2a in jsc_context_evaluate_with_source_uri() ()
    at ../Source/JavaScriptCore/API/glib/JSCContext.cpp:847
#9  0x000003fffd614efa in jsc_context_evaluate() ()
    at ../Source/JavaScriptCore/API/glib/JSCContext.cpp:817
#10 0x0000000100000936 in main () at test_jscore.c:12

This stacktrace is from Debian unstable; the WebKitGTK version is 2.24.3.

According to our CI logs, it regressed somewhere between 2.23.91 and 2.23.92.

See https://bugs.debian.org/931807 for my original report, which has a more complicated test case.
