[Webkit-unassigned] [Bug 212569] New: JSTests/exceptionFuzz/earley-boyer.js fails with early exception thrown.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat May 30 09:50:43 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=212569

            Bug ID: 212569
           Summary: JSTests/exceptionFuzz/earley-boyer.js fails with early
                    exception thrown.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

Here's how I run the test:

$ VM=WebKitBuild/Release && DYLD_FRAMEWORK_PATH=$VM lldb $VM/jsc -- --dumpGeneratedBytecodes=1 --useBaselineJIT=0 --fireExceptionFuzzAt=782 --useDollarVM\=true --useExceptionFuzz\=true JSTests/exceptionFuzz/earley-boyer.js

We get an uncaught exception (which should not happen):

JSC EXCEPTION FUZZ: Throwing fuzz exception with call frame 0x1079fab68, seen in LLIntSlowPaths and return address 0x1078abc71.
Exception: Error: Exception Fuzz
global code at JSTests/exceptionFuzz/earley-boyer.js:46:20
JSC EXCEPTION FUZZ: encountered 782 checks.

This uncaught exception should not happen because the entire source of JSTests/exceptionFuzz/earley-boyer.js is wrapped in a try catch statement.

>From the bytecode dump,

Exception Handlers:
         1: { start: [4031] end: [109677] target: [109745] } catch

The bytecode around 4031 are:

[3953] *new_func          loc6, loc4, 292
[3961] *put_to_scope      loc8, 292, loc6, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, 0, 0
[3977] *new_func          loc6, loc4, 293
[3985] *put_to_scope      loc8, 293, loc6, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, 0, 0
[4001] *new_func          loc6, loc4, 294
[4009] *put_to_scope      loc8, 294, loc6, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, 0, 0
[4025] mov                loc6, Undefined(const0)
[4028] mov                loc6, Undefined(const0)

[4031] *resolve_scope     loc7, loc4, 295, GlobalProperty, 0

[4045] *put_to_scope      loc7, 295, this, 1048576<DoNotThrowIfNotFound|GlobalProperty|Initialization|NotStrictMode>, 0, 0
[4061] *resolve_scope     loc7, loc4, 296, GlobalProperty, 0
[4075] *put_to_scope      loc7, 296, Int32: -1(const1), 1048576<DoNotThrowIfNotFound|GlobalProperty|Initialization|NotStrictMode>, 0, 0

Note all the new_func opcodes that came before 4031.  There's definitely instructions that can throw generated before beginning of the try block.  Need to investigate further which bytecode --fireExceptionFuzzAt=782 corresponds to, but it looks like there maybe a bug here.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200530/d3e14000/attachment.htm>

More information about the webkit-unassigned mailing list