141246 2015-02-04 07:20:11 -0800 Crash in JSC::DFG::StackLayoutPhase::run 2016-08-04 16:26:48 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Linux RESOLVED DUPLICATE 141721 InRadar P2 Normal --- 116980 1 rhodovan.u-szeged webkit-unassigned bfulgham fpizlo ggaren msaboff oliver webkit-bug-importer oldest_to_newest 1066797 0 246031 rhodovan.u-szeged 2015-02-04 07:20:11 -0800 Created attachment 246031 Test case Run the following test in release or debug JSC: function fuzz(arguments) { fuzz(arguments); } fuzz(2); For the first sight it looks like a stack-overflow but according to the backtraces it might be a different issue. Running the test in debug JSC it results in an assertion failure with the following trace: ASSERTION FAILED: usesArguments() ../../Source/JavaScriptCore/bytecode/CodeBlock.h(338) : JSC::VirtualRegister JSC::CodeBlock::argumentsRegister() const Program received signal SIGSEGV, Segmentation fault. 0x00007ffff73e0095 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 321 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff73e0095 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007ffff6cf54a9 in JSC::CodeBlock::argumentsRegister (this=0x7fffb0649a00) at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:338 #2 0x00007ffff6dfd079 in JSC::DFG::Graph::argumentsRegisterFor (this=0x7fffffff2410, inlineCallFrame=0x7ffff7f92730) at ../../Source/JavaScriptCore/dfg/DFGGraph.h:415 #3 0x00007ffff6fdf182 in JSC::DFG::StackLayoutPhase::run (this=0x7fffffff1e80) at ../../Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:112 #4 0x00007ffff6fe0250 in JSC::DFG::runAndLog<JSC::DFG::StackLayoutPhase> (phase=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:77 #5 0x00007ffff6fe00ee in JSC::DFG::runPhase<JSC::DFG::StackLayoutPhase> (graph=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:87 #6 0x00007ffff6fde654 in JSC::DFG::performStackLayout (graph=...) at ../../Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:272 #7 0x00007ffff6f2fa8c in JSC::DFG::Plan::compileInThreadImpl (this=0x7ffff7fbdd80, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:296 #8 0x00007ffff6f2f25c in JSC::DFG::Plan::compileInThread (this=0x7ffff7fbdd80, longLivedState=..., threadData=0x0) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:164 #9 0x00007ffff6e7a25d in JSC::DFG::compileImpl (vm=..., codeBlock=0x7fffb0649780, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108 #10 0x00007ffff6e7a398 in JSC::DFG::compile (vm=..., codeBlock=0x7fffb0649780, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:128 #11 0x00007ffff70d75cd in JSC::operationOptimize (exec=0x7fffffff2eb0, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1158 #12 0x00007fffb1662bc5 in ?? () #13 0x0000000000000000 in ?? () The backtrace of the release crash: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff78f4bde in JSC::DFG::StackLayoutPhase::run() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 (gdb) bt #0 0x00007ffff78f4bde in JSC::DFG::StackLayoutPhase::run() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #1 0x00007ffff78f4692 in JSC::DFG::performStackLayout(JSC::DFG::Graph&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #2 0x00007ffff78891eb in JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #3 0x00007ffff78894b6 in JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #4 0x00007ffff78154ac in JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #5 0x00007ffff79a9e27 in operationOptimize () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #6 0x00007fffb2c25b4c in ?? () #7 0x0000000000000000 in ?? () 1068680 1 webkit-bug-importer 2015-02-12 11:32:47 -0800 <rdar://problem/19815551> 1217648 2 bfulgham 2016-08-04 16:26:48 -0700 This may be a duplicate of Bug 141721, and no longer causes a crash in WebKit. *** This bug has been marked as a duplicate of bug 141721 *** 246031 2015-02-04 07:20:11 -0800 2015-02-04 07:20:11 -0800 Test case crash.js application/javascript 59 rhodovan.u-szeged ZnVuY3Rpb24gZnV6eihhcmd1bWVudHMpIHsKICAgIGZ1enooYXJndW1lbnRzKTsKfQpmdXp6KDIp Owo=