<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Crash in JSC::BytecodeGenerator::emitComplexPopScopes"
href="https://bugs.webkit.org/show_bug.cgi?id=149804">149804</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Crash in JSC::BytecodeGenerator::emitComplexPopScopes
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Local Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>rhodovan.u-szeged@partner.samsung.com
</td>
</tr>
<tr>
<th>CC</th>
<td>fpizlo@apple.com, ggaren@apple.com, sam@webkit.org
</td>
</tr>
<tr>
<th>Blocks</th>
<td>116980
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=262430" name="attach_262430" title="Test">attachment 262430</a> <a href="attachment.cgi?id=262430&action=edit" title="Test">[details]</a></span>
Test
Running this test with a release build of jsc results in an overflow crash:
// Outer function: jsc crashes while generating bytecode for this function,
// not while running it (backtrace frames #28-#35: FunctionNode::emitBytecode
// reached from LLInt::setUpCall on the first call).
function f_0(){
// Outer for-in: ForInNode::emitMultiLoopBytecode, frame #20 in the backtrace.
for(var v_0 in [10]){
// try/finally: TryNode::emitBytecode, frame #14. The finally clause appears to
// be what sends the return below through emitComplexPopScopes (frame #2) --
// confirm against BytecodeGenerator.cpp.
try {
// Inner for-in: ForInNode::emitMultiLoopBytecode, frame #7.
for(var v_1 in [10])
// ReturnNode::emitBytecode (frame #4) -> emitPopScopes(targetScopeDepth=0)
// -> emitComplexPopScopes -> Vector<unique_ptr<ForInContext>>::shrink(size=1),
// which fails the "size <= m_size" assertion (frames #0-#3).
return;
} finally {}
}
}
// Top-level call site: f_0 is compiled lazily when this call reaches
// LLInt::llint_slow_path_call (frame #37), so the crash happens before the
// loop body ever runs.
for(var v_2 in f_0()) {}
In a debug build it causes an assertion failure:
ASSERTION FAILED: size <= m_size
../../Source/WTF/wtf/Vector.h(1024) : void WTF::Vector<T, inlineCapacity, OverflowHandler, minCapacity>::shrink(size_t) [with T = std::unique_ptr<JSC::ForInContext>; long unsigned int inlineCapacity = 0ul; OverflowHandler = WTF::CrashOnOverflow; long unsigned int minCapacity = 16ul; size_t = long unsigned int]
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff717a8b0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff717a8b0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1 0x00007ffff69933da in WTF::Vector<std::unique_ptr<JSC::ForInContext, std::default_delete<JSC::ForInContext> >, 0ul, WTF::CrashOnOverflow, 16ul>::shrink (this=0x7ffff0c82f50, size=1) at ../../Source/WTF/wtf/Vector.h:1024
#2 0x00007ffff69823ee in JSC::BytecodeGenerator::emitComplexPopScopes (this=0x7ffff0c82c80, scope=0x7ffff0ef77a4, topScope=0x7ffff0ed9400, bottomScope=0x7ffff0ed93c0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:3164
#3 0x00007ffff6982d7e in JSC::BytecodeGenerator::emitPopScopes (this=0x7ffff0c82c80, scope=0x7ffff0ef77a4, targetScopeDepth=0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:3253
#4 0x00007ffff69c9228 in JSC::ReturnNode::emitBytecode (this=0x7ffff0c502b0, generator=..., dst=0x0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2581
#5 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c502b0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#6 0x00007ffff698c30d in JSC::BytecodeGenerator::emitNode (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c502b0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:364
#7 0x00007ffff69c719f in JSC::ForInNode::emitMultiLoopBytecode (this=0x7ffff0c50330, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2353
#8 0x00007ffff69c81fd in JSC::ForInNode::emitBytecode (this=0x7ffff0c50330, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2451
#9 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50330) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#10 0x00007ffff69d06ca in JSC::SourceElements::emitBytecode (this=0x7ffff0c50190, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1961
#11 0x00007ffff69c49a0 in JSC::BlockNode::emitBytecode (this=0x7ffff0c503c8, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1981
#12 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c503c8) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#13 0x00007ffff698c30d in JSC::BytecodeGenerator::emitNode (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c503c8) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:364
#14 0x00007ffff69ca9b8 in JSC::TryNode::emitBytecode (this=0x7ffff0c50498, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2833
#15 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50498) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#16 0x00007ffff69d06ca in JSC::SourceElements::emitBytecode (this=0x7ffff0c50180, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1961
#17 0x00007ffff69c49a0 in JSC::BlockNode::emitBytecode (this=0x7ffff0c50518, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1981
#18 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50518) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#19 0x00007ffff698c30d in JSC::BytecodeGenerator::emitNode (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50518) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:364
#20 0x00007ffff69c719f in JSC::ForInNode::emitMultiLoopBytecode (this=0x7ffff0c505b0, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2353
#21 0x00007ffff69c81fd in JSC::ForInNode::emitBytecode (this=0x7ffff0c505b0, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2451
#22 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c505b0) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#23 0x00007ffff69d06ca in JSC::SourceElements::emitBytecode (this=0x7ffff0c50060, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1961
#24 0x00007ffff69c49a0 in JSC::BlockNode::emitBytecode (this=0x7ffff0c50648, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1981
#25 0x00007ffff698c40f in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0c82c80, dst=0x7ffff0c82cf0, n=0x7ffff0c50648) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:375
#26 0x00007ffff69d06ca in JSC::SourceElements::emitBytecode (this=0x7ffff0c50050, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1961
#27 0x00007ffff69d07b0 in JSC::ScopeNode::emitStatementsBytecode (this=0x7ffff0ed3000, generator=..., dst=0x7ffff0c82cf0) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2899
#28 0x00007ffff69cb651 in JSC::FunctionNode::emitBytecode (this=0x7ffff0ed3000, generator=...) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2960
#29 0x00007ffff696fa07 in JSC::BytecodeGenerator::generate (this=0x7ffff0c82c80) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:98
#30 0x00007ffff6967360 in JSC::generateUnlinkedFunctionCodeBlock (vm=..., executable=0x7ffff0c76c00, source=..., kind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, functionKind=JSC::UnlinkedNormalFunction, error=..., isArrowFunction=false) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:72
#31 0x00007ffff69680a5 in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor (this=0x7ffff0c76c00, vm=..., source=..., specializationKind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=..., isArrowFunction=false) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:199
#32 0x00007ffff6f81e60 in JSC::ScriptExecutable::newCodeBlockFor (this=0x7ffff0c76b00, kind=JSC::CodeForCall, function=0x7ffff0c649a0, scope=0x7ffff0c57fc0, exception=@0x7fffffffc3f8: 0x0) at ../../Source/JavaScriptCore/runtime/Executable.cpp:263
#33 0x00007ffff6f8294a in JSC::ScriptExecutable::prepareForExecutionImpl (this=0x7ffff0c76b00, exec=0x7fffffffc620, function=0x7ffff0c649a0, scope=0x7ffff0c57fc0, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/runtime/Executable.cpp:353
#34 0x00007ffff6d8c16e in JSC::ScriptExecutable::prepareForExecution (this=0x7ffff0c76b00, exec=0x7fffffffc620, function=0x7ffff0c649a0, scope=0x7ffff0c57fc0, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/runtime/Executable.h:386
#35 0x00007ffff711d6da in JSC::LLInt::setUpCall (execCallee=0x7fffffffc620, pc=0x7ffff0c2b830, kind=JSC::CodeForCall, calleeAsValue=..., callLinkInfo=0x7ffff0fd7528) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1158
#36 0x00007ffff711db06 in JSC::LLInt::genericCall (exec=0x7fffffffc690, pc=0x7ffff0c2b830, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1220
#37 0x00007ffff711ad93 in JSC::LLInt::llint_slow_path_call (exec=0x7fffffffc690, pc=0x7ffff0c2b830) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1226
#38 0x00007ffff712403c in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#39 0x00007ffff711e3ab in vmEntryToJavaScript () from webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#40 0x00007ffff6db9054 in JSC::JITCode::execute (this=0x7ffff0fd7550, vm=0x7ffff0c02000, protoCallFrame=0x7fffffffc870) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80
#41 0x00007ffff6d89072 in JSC::Interpreter::execute (this=0x7ffff0ff6000, program=0x7ffff0c6a000, callFrame=0x7ffff0c3f740, thisObj=0x7ffff0c4a640) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:961
#42 0x00007ffff6f61c80 in JSC::evaluate (exec=0x7ffff0c3f740, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:104
#43 0x00000000004370c0 in runWithScripts (globalObject=0x7ffff0c3f700, scripts=..., dump=false, module=false) at ../../Source/JavaScriptCore/jsc.cpp:1667
#44 0x0000000000437ebf in jscmain (argc=2, argv=0x7fffffffd588) at ../../Source/JavaScriptCore/jsc.cpp:1893
#45 0x00000000004369c9 in main (argc=2, argv=0x7fffffffd588) at ../../Source/JavaScriptCore/jsc.cpp:1592</pre>
</div>
</p>
</body>
</html>