126070 2013-12-20 09:15:44 -0800 ASSERTION FAILED: dst != localReg in JSC::PostfixNode::emitResolve 2016-08-03 13:29:56 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED WORKSFORME P2 Normal --- 116980 1 rhodovan.u-szeged webkit-unassigned bfulgham fpizlo loki mhahnenberg oliver rgabor rhodovan.u-szeged oldest_to_newest 961891 0 219763 rhodovan.u-szeged 2013-12-20 09:15:44 -0800 Created attachment 219763 Test case Assertion failure happens if we try to change a const value in the right-hand side of an assignment: function function_0() { const foo; var var_0 = foo++; with(Object) switch (var_0) {} } function_0(); Backtrace: ASSERTION FAILED: dst != localReg /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp(683) : virtual JSC::RegisterID* JSC::PostfixNode::emitResolve(JSC::BytecodeGenerator&, JSC::RegisterID*) 1 0x7ffff74e57b8 WTFCrash 2 0x7ffff708e963 JSC::PostfixNode::emitResolve(JSC::BytecodeGenerator&, JSC::RegisterID*) 3 0x7ffff708f239 JSC::PostfixNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 4 0x7ffff7065802 JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) 5 0x7ffff705dffb JSC::BytecodeGenerator::emitNewArray(JSC::RegisterID*, JSC::ElementNode*, unsigned int) 6 0x7ffff708a65a JSC::ArrayNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 7 0x7ffff7065802 JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) 8 0x7ffff7093cc2 JSC::ConstDeclNode::emitCodeSingle(JSC::BytecodeGenerator&) 9 0x7ffff7093ede JSC::ConstDeclNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 10 0x7ffff7065802 JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) 11 0x7ffff709af81 JSC::BytecodeGenerator::emitNode(JSC::ExpressionNode*) 12 0x7ffff7093f6f JSC::ConstStatementNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 13 0x7ffff70656ba JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::StatementNode*) 14 0x7ffff709b425 JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 15 0x7ffff7093fb4 JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 16 0x7ffff70656ba JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::StatementNode*) 17 0x7ffff709b425 JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 18 0x7ffff709b524 JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 19 0x7ffff70980c0 JSC::FunctionBodyNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 20 0x7ffff7056252 JSC::BytecodeGenerator::generate() 21 0x7ffff704d797 22 0x7ffff704e0c4 JSC::UnlinkedFunctionExecutable::codeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&) 23 0x7ffff739a0db JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSScope*, JSC::JSObject*&) 24 0x7ffff739a7ad JSC::ScriptExecutable::prepareForExecutionImpl(JSC::ExecState*, JSC::JSScope*, JSC::CodeSpecializationKind) 25 0x7ffff7279f18 JSC::ScriptExecutable::prepareForExecution(JSC::ExecState*, JSC::JSScope*, JSC::CodeSpecializationKind) 26 0x7ffff74ccccf JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) 27 0x7ffff74cd0fd JSC::LLInt::genericCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind) 28 0x7ffff74c927c 29 0x7ffff74d15b7 Program received signal SIGSEGV, Segmentation fault. 0x00007ffff74e57bd in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341 341 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff74e57bd in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341 #1 0x00007ffff708e963 in JSC::PostfixNode::emitResolve (this=0x6711f0, generator=..., dst=0x670d04) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:683 #2 0x00007ffff708f239 in JSC::PostfixNode::emitBytecode (this=0x6711f0, generator=..., dst=0x670d04) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:746 #3 0x00007ffff7065802 in JSC::BytecodeGenerator::emitNode (this=0x674880, dst=0x670d04, n=0x6711f0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:269 #4 0x00007ffff705dffb in JSC::BytecodeGenerator::emitNewArray (this=0x674880, dst=0x670cf8, elements=0x671248, length=0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:1567 #5 0x00007ffff708a65a in JSC::ArrayNode::emitBytecode (this=0x671260, generator=..., dst=0x670cf8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:178 #6 0x00007ffff7065802 in JSC::BytecodeGenerator::emitNode (this=0x674880, dst=0x670cf8, n=0x671260) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:269 #7 0x00007ffff7093cc2 in JSC::ConstDeclNode::emitCodeSingle (this=0x671288, generator=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1492 #8 0x00007ffff7093ede in JSC::ConstDeclNode::emitBytecode (this=0x671288, generator=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1516 #9 0x00007ffff7065802 in JSC::BytecodeGenerator::emitNode (this=0x674880, dst=0x0, n=0x671288) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:269 #10 0x00007ffff709af81 in JSC::BytecodeGenerator::emitNode (this=0x674880, n=0x671288) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:274 #11 0x00007ffff7093f6f in JSC::ConstStatementNode::emitBytecode (this=0x6712b8, generator=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1526 #12 0x00007ffff70656ba in JSC::BytecodeGenerator::emitNode (this=0x674880, dst=0x6748d8, n=0x6712b8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:253 #13 0x00007ffff709b425 in JSC::SourceElements::emitBytecode (this=0x6711a8, generator=..., dst=0x6748d8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1542 #14 0x00007ffff7093fb4 in JSC::BlockNode::emitBytecode (this=0x6713b0, generator=..., dst=0x6748d8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1561 #15 0x00007ffff70656ba in JSC::BytecodeGenerator::emitNode (this=0x674880, dst=0x6748d8, n=0x6713b0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:253 #16 0x00007ffff709b425 in JSC::SourceElements::emitBytecode (this=0x671190, generator=..., dst=0x6748d8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1542 #17 0x00007ffff709b524 in JSC::ScopeNode::emitStatementsBytecode (this=0x670b10, generator=..., dst=0x6748d8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2245 #18 0x00007ffff70980c0 in JSC::FunctionBodyNode::emitBytecode (this=0x670b10, generator=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2281 #19 0x00007ffff7056252 in JSC::BytecodeGenerator::generate (this=0x674880) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:66 #20 0x00007ffff704d797 in JSC::generateFunctionCodeBlock (vm=..., executable=0x7fffa97eff38, source=..., kind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:66 #21 0x00007ffff704e0c4 in JSC::UnlinkedFunctionExecutable::codeBlockFor (this=0x7fffa97eff38, vm=..., source=..., specializationKind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:167 #22 0x00007ffff739a0db in JSC::ScriptExecutable::newCodeBlockFor (this=0x7fffa97cfe70, kind=JSC::CodeForCall, scope=0x7fffa997f970, exception=@0x7fffffffc3a8: 0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:213 #23 0x00007ffff739a7ad in JSC::ScriptExecutable::prepareForExecutionImpl (this=0x7fffa97cfe70, exec=0x7fffa9de8f48, scope=0x7fffa997f970, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:295 #24 0x00007ffff7279f18 in JSC::ScriptExecutable::prepareForExecution (this=0x7fffa97cfe70, exec=0x7fffa9de8f48, scope=0x7fffa997f970, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.h:386 #25 0x00007ffff74ccccf in JSC::LLInt::setUpCall (execCallee=0x7fffa9de8f48, pc=0x670838, kind=JSC::CodeForCall, calleeAsValue=..., callLinkInfo=0x657e70) ---Type <return> to continue, or q <return> to quit--- at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1046 #26 0x00007ffff74cd0fd in JSC::LLInt::genericCall (exec=0x7fffa9de8f98, pc=0x670838, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1093 #27 0x00007ffff74c927c in JSC::LLInt::llint_slow_path_call (exec=0x7fffa9de8f98, pc=0x670838) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1099 #28 0x00007ffff74d15b7 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0 #29 0x00007fffaa6298e0 in ?? () #30 0x0000000000651368 in ?? () #31 0x0000000000000000 in ?? () 961910 1 oliver 2013-12-20 10:50:49 -0800 ahhh with statements 1217116 2 bfulgham 2016-08-03 13:29:56 -0700 This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case. 219763 2013-12-20 09:15:44 -0800 2013-12-20 09:15:44 -0800 Test case crash.js application/javascript 106 rhodovan.u-szeged ZnVuY3Rpb24gZnVuY3Rpb25fMCgpIHsKCWNvbnN0IGZvbzsKCXZhciB2YXJfMCA9IGZvbysrOwoK CXdpdGgoT2JqZWN0KQoJc3dpdGNoICh2YXJfMCkge30KfQoKZnVuY3Rpb25fMCgpOw==