144293 2015-04-27 16:42:53 -0700 FTL failed to initialize arguments.callee on the slow path as well as the fast path 2015-04-27 21:46:19 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mark.lam fpizlo basile_clement benjamin fpizlo ggaren mark.lam mmirman msaboff saam webkit-bug-importer oldest_to_newest 1089267 0 mark.lam 2015-04-27 16:42:53 -0700 Here's the test case: === BEGIN === function foo(e) { if (e) { arguments[0]--; return arguments.callee.apply(this, arguments); } } try { for (var i = 0; i < 10000; i++) foo(1); } catch (e) { print("ERROR: " + e); } === END === Run it in a debug build of jsc like so: $ JSC_enableConcurrentJIT=0 DYLD_FRAMEWORK_PATH=WebKitBuild/Debug/ WebKitBuild/Debug/jsc test.js And you'll get this crash trace: (lldb) bt * thread #1: tid = 0x61fc1a, 0x0000000100a80cda JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) frame #0: 0x0000000100a80cda JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321 * frame #1: 0x000000010069dd3b JavaScriptCore`JSC::PropertySlot::setValue(this=0x00007fff5fbfdd78, slotBase=0x0000000104250500, attributes=4, value=JSValue at 0x00007fff5fbfdaa8) + 91 at PropertySlot.h:127 frame #2: 0x00000001006e430e JavaScriptCore`JSC::GenericArguments<JSC::DirectArguments>::getOwnPropertySlot(object=0x0000000104250500, exec=0x00007fff5fbfde80, ident=PropertyName at 0x00007fff5fbfdb90, slot=0x00007fff5fbfdd78) + 334 at GenericArgumentsInlines.h:46 frame #3: 0x000000010009ee67 JavaScriptCore`JSC::JSObject::fastGetOwnPropertySlot(this=0x0000000104250500, exec=0x00007fff5fbfde80, vm=0x0000000104010000, structure=0x0000000104034db0, propertyName=PropertyName at 0x00007fff5fbfdbf0, slot=0x00007fff5fbfdd78) + 167 at JSObject.h:1257 frame #4: 0x000000010009ebdc JavaScriptCore`JSC::JSObject::getPropertySlot(this=0x0000000104250500, exec=0x00007fff5fbfde80, propertyName=PropertyName at 0x00007fff5fbfdca0, slot=0x00007fff5fbfdd78) + 156 at JSObject.h:1269 frame #5: 0x00000001000a21a8 JavaScriptCore`JSC::JSValue::getPropertySlot(this=0x00007fff5fbfddb0, exec=0x00007fff5fbfde80, propertyName=PropertyName at 0x00007fff5fbfdd00, slot=0x00007fff5fbfdd78) const + 232 at JSCJSValueInlines.h:719 frame #6: 0x000000010067adb2 JavaScriptCore`operationGetByIdOptimize(exec=0x00007fff5fbfde80, stubInfo=0x0000000105fed4b0, base=4364502272, uid=0x0000000105ff3a40) + 162 at JITOperations.cpp:188 frame #7: 0x00003242ffa035c0 frame #8: 0x00003242ffa02529 From frame 2: (lldb) fr sel 2 frame #2: 0x00000001006e430e JavaScriptCore`JSC::GenericArguments<JSC::DirectArguments>::getOwnPropertySlot(object=0x0000000104250500, exec=0x00007fff5fbfde80, ident=PropertyName at 0x00007fff5fbfdb90, slot=0x00007fff5fbfdd78) + 334 at GenericArgumentsInlines.h:46 43 return true; 44 } 45 if (ident == vm.propertyNames->callee) { -> 46 slot.setValue(thisObject, DontEnum, thisObject->callee().get()); 47 return true; 48 } 49 if (ident == vm.propertyNames->iteratorSymbol) { (lldb) p thisObject (JSC::DirectArguments *) $0 = 0x0000000104250500 (lldb) p thisObject->callee() (JSC::WriteBarrier<JSC::JSFunction>) $1 = { JSC::WriteBarrierBase<JSC::JSFunction> = { m_cell = 0x0000000000000000 } } 1089268 1 mark.lam 2015-04-27 16:43:55 -0700 <rdar://problem/20702553> 1089390 2 251822 fpizlo 2015-04-27 21:35:36 -0700 Created attachment 251822 the patch 1089393 3 251822 mark.lam 2015-04-27 21:37:16 -0700 Comment on attachment 251822 the patch r=me 1089396 4 fpizlo 2015-04-27 21:46:19 -0700 Landed in http://trac.webkit.org/changeset/183453 251822 2015-04-27 21:35:36 -0700 2015-04-27 21:37:16 -0700 the patch blah.patch text/plain 2648 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTgzNDUxKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBA CisyMDE1LTA0LTI3ICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg RlRMIGZhaWxlZCB0byBpbml0aWFsaXplIGFyZ3VtZW50cy5jYWxsZWUgb24gdGhlIHNsb3cgcGF0 aCBhcyB3ZWxsIGFzIHRoZSBmYXN0IHBhdGgKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTE0NDI5MworCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAo T09QUyEpLgorICAgICAgICAKKyAgICAgICAgVGhlIHNsb3cgcGF0aCBkb2Vzbid0IGZ1bGx5IGlu aXRpYWxpemUgRGlyZWN0QXJndW1lbnRzIC0gaXQgbGVhdmVzIGNhbGxlZSBibGFuay4gU28sIHdl IG5lZWQKKyAgICAgICAgdG8gaW5pdGlhbGl6ZSB0aGUgY2FsbGVlIG9uIHRoZSBjb21tb24gcGF0 aCBhZnRlciB0aGUgZmFzdCBhbmQgc2xvdyBwYXRoLgorCisgICAgICAgICogZnRsL0ZUTExvd2Vy REZHVG9MTFZNLmNwcDoKKyAgICAgICAgKEpTQzo6RlRMOjpMb3dlckRGR1RvTExWTTo6Y29tcGls ZUNyZWF0ZURpcmVjdEFyZ3VtZW50cyk6CisgICAgICAgICogdGVzdHMvc3RyZXNzL2FyZ3VtZW50 cy1jYWxsZWUtdW5pbml0aWFsaXplZC5qczogQWRkZWQuCisgICAgICAgIChmb28pOgorCiAyMDE1 LTA0LTI3ICBCZW5qYW1pbiBQb3VsYWluICA8YnBvdWxhaW5AYXBwbGUuY29tPgogCiAgICAgICAg IFtKU0NdIEFkZCBzdXBwb3J0IGZvciB0eXBlZCBhcnJheXMgdG8gdGhlIEFycmF5IHByb2ZpbGlu ZwpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2Z0bC9GVExMb3dlckRGR1RvTExWTS5jcHAK PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2Z0bC9GVExMb3dlckRGR1RvTExW TS5jcHAJKHJldmlzaW9uIDE4MzQ0OSkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9mdGwvRlRM TG93ZXJERkdUb0xMVk0uY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0zMDEwLDcgKzMwMTAsNiBAQCBw cml2YXRlOgogICAgICAgICBtX291dC5zdG9yZTMyKGxlbmd0aC52YWx1ZSwgZmFzdE9iamVjdCwg bV9oZWFwcy5EaXJlY3RBcmd1bWVudHNfbGVuZ3RoKTsKICAgICAgICAgbV9vdXQuc3RvcmUzMiht X291dC5jb25zdEludDMyKG1pbkNhcGFjaXR5KSwgZmFzdE9iamVjdCwgbV9oZWFwcy5EaXJlY3RB cmd1bWVudHNfbWluQ2FwYWNpdHkpOwogICAgICAgICBtX291dC5zdG9yZVB0cihtX291dC5pbnRQ dHJaZXJvLCBmYXN0T2JqZWN0LCBtX2hlYXBzLkRpcmVjdEFyZ3VtZW50c19vdmVycmlkZXMpOwot ICAgICAgICBtX291dC5zdG9yZVB0cihnZXRDdXJyZW50Q2FsbGVlKCksIGZhc3RPYmplY3QsIG1f aGVhcHMuRGlyZWN0QXJndW1lbnRzX2NhbGxlZSk7CiAgICAgICAgIAogICAgICAgICBWYWx1ZUZy b21CbG9jayBmYXN0UmVzdWx0ID0gbV9vdXQuYW5jaG9yKGZhc3RPYmplY3QpOwogICAgICAgICBt X291dC5qdW1wKGNvbnRpbnVhdGlvbik7CkBAIC0zMDI0LDYgKzMwMjMsOCBAQCBwcml2YXRlOgog ICAgICAgICAKICAgICAgICAgbV9vdXQuYXBwZW5kVG8oY29udGludWF0aW9uLCBsYXN0TmV4dCk7 CiAgICAgICAgIExWYWx1ZSByZXN1bHQgPSBtX291dC5waGkobV9vdXQuaW50UHRyLCBmYXN0UmVz dWx0LCBzbG93UmVzdWx0KTsKKworICAgICAgICBtX291dC5zdG9yZVB0cihnZXRDdXJyZW50Q2Fs bGVlKCksIHJlc3VsdCwgbV9oZWFwcy5EaXJlY3RBcmd1bWVudHNfY2FsbGVlKTsKICAgICAgICAg CiAgICAgICAgIGlmIChsZW5ndGguaXNLbm93bikgewogICAgICAgICAgICAgVmlydHVhbFJlZ2lz dGVyIHN0YXJ0ID0gQXNzZW1ibHlIZWxwZXJzOjphcmd1bWVudHNTdGFydChtX25vZGUtPm9yaWdp bi5zZW1hbnRpYyk7CkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvdGVzdHMvc3RyZXNzL2Fy Z3VtZW50cy1jYWxsZWUtdW5pbml0aWFsaXplZC5qcwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2 YVNjcmlwdENvcmUvdGVzdHMvc3RyZXNzL2FyZ3VtZW50cy1jYWxsZWUtdW5pbml0aWFsaXplZC5q cwkocmV2aXNpb24gMCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS90ZXN0cy9zdHJlc3MvYXJn dW1lbnRzLWNhbGxlZS11bmluaXRpYWxpemVkLmpzCSh3b3JraW5nIGNvcHkpCkBAIC0wLDAgKzEs MTEgQEAKK2Z1bmN0aW9uIGZvbyhlKSB7CisgICAgaWYgKGUpIHsKKyAgICAgICAgYXJndW1lbnRz WzBdLS07CisgICAgICAgIHJldHVybiBhcmd1bWVudHMuY2FsbGVlLmFwcGx5KHRoaXMsIGFyZ3Vt ZW50cyk7CisgICAgfQorfQorbm9JbmxpbmUoZm9vKTsKKworZm9yICh2YXIgaSA9IDA7IGkgPCAx MDAwMDsgaSsrKQorICAgIGZvbygxKTsKKwo=