23085 2009-01-02 21:26:50 -0800 [jsfunfuzz] Over released ScopeChainNode 2009-01-06 12:34:20 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED InRadar P1 Normal --- 13638 1 oliver oliver ggaren mjs oliver zwarich oldest_to_newest 104214 0 oliver 2009-01-02 21:26:50 -0800 (function(){ try{ with({}) throw this(function(){}) } catch(x) { } })() gc() 104221 1 oliver 2009-01-02 23:27:16 -0800 erk, it turns out this test case doesn't reproduce with all of jsfunfuzz included before it, however i've found another reduction like thing that produces the same crash 104222 2 oliver 2009-01-02 23:41:51 -0800 Okay, here we go: function tryRunning(f){ try{ f() }catch(r){ } } function tryItOut(){ function f() { try { throw ""; } catch(y) { this(function(){}) } finally { } }; v = tryRunning(f) } tryItOut(); gc(); 104223 3 barraclough 2009-01-02 23:49:36 -0800 function f() { try { throw ""; } catch(y) { this(function(){}) } finally { } }; try { f() } catch(r) { } gc(); 104224 4 barraclough 2009-01-03 00:24:40 -0800 ^^ release builds only :-( 104225 5 barraclough 2009-01-03 00:24:46 -0800 try{ (function() { try { throw ""; } catch(y) { throw (function(){}); } finally { } })() }catch(r){ } (function(){})() gc(); 104230 6 oliver 2009-01-03 02:20:27 -0800 The problem is that a scope node is being deleted prematurely, i believe the scope node being removed in the most recent reduction is the activation for the first function. I honestly can't work out how/why the ref counting scheme we use for scopechainnodes works, but i blame it for the badness. 104231 7 zwarich 2009-01-03 02:26:39 -0800 I'll take a look at this. This one hurts. 104498 8 oliver 2009-01-05 15:18:41 -0800 <rdar://problem/6474110> 104570 9 oliver 2009-01-06 08:54:42 -0800 Okay, so the issue is that the finally block is derefing the activation incorrectly 104571 10 oliver 2009-01-06 10:05:11 -0800 Scope chain unwinding creates a ScopeChain to wrap the ScopeChainNode, when the ScopeChain is destroyed it does a full deref of the top node, but it has not necessarily ref'd that node. Basically this is the path to badness * Scope chain is represented as {scope object, ref count} -> next scopechainnode * ScopeChainNode* scopeChain = {someScope, 1}->{activation, 1}->not relevant * ScopeChain sc(scopeChain) => {someScope, 2}->{activation, 1}->not relevant * sc.pop() => {activation, 1}->not relevant * sc.~ScopeChain => {activation, 0}->not relevant So we end up leaking the top of stack, and over releasing whateer is the ToS at the end 104572 11 oliver 2009-01-06 10:08:09 -0800 Ah, whooops, not actually correct, the problem is that ScopeChain refs() the origin ToS, and then derefs() the final ToS. but pop() and deref() have different behaviour -- deref() on a node that was not explicitly ref'd is basically wrong 104600 12 26465 oliver 2009-01-06 12:25:48 -0800 Created attachment 26465 Remove use of ScopeChain for the scope chain unwinding Fixeration 104601 13 26465 zwarich 2009-01-06 12:28:03 -0800 Comment on attachment 26465 Remove use of ScopeChain for the scope chain unwinding r=me 104604 14 oliver 2009-01-06 12:34:20 -0800 Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/interpreter/Interpreter.cpp M LayoutTests/ChangeLog M LayoutTests/fast/js/exception-try-finally-scope-error-expected.txt M LayoutTests/fast/js/resources/exception-try-finally-scope-error.js Committed r39660 26465 2009-01-06 12:25:48 -0800 2009-01-06 12:28:03 -0800 Remove use of ScopeChain for the scope chain unwinding scopechain-release.patch text/plain 4369 oliver ZGlmZiAtLWdpdCBhL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZyBiL0phdmFTY3JpcHRDb3JlL0No YW5nZUxvZwppbmRleCBkMDljMzhmLi5iODNmYTliIDEwMDY0NAotLS0gYS9KYXZhU2NyaXB0Q29y ZS9DaGFuZ2VMb2cKKysrIGIvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMjEg QEAKKzIwMDktMDEtMDYgIE9saXZlciBIdW50ICA8b2xpdmVyQGFwcGxlLmNvbT4KKworICAgICAg ICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICA8aHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIzMDg1PiBbanNmdW5mdXp6XSBPdmVyIHJlbGVhc2Vk IFNjb3BlQ2hhaW5Ob2RlCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS82NDc0MTEwPgorCisgICAg ICAgIFNvIHRoaXMgZGVsaWdodGZ1bCBidWcgd2FzIGNhdXNlZCBieSBvdXIgdW53aW5kIGNvZGUg dXNpbmcgYSBTY29wZUNoYWluIHRvIHBlcmZvcm0KKyAgICAgICAgdGhlIHVud2luZC4gIFRoZSBT Y29wZUNoYWluIHdvdWxkIHJlZiB0aGUgaW5pdGlhbCB0b3Agb2YgdGhlIHNjb3BlIGNoYWluLCB0 aGVuIGRlcmVmCisgICAgICAgIHRoZSByZXN1bHRhbnQgdG9wIG9mIHNjb3BlIGNoYWluLCB3aGlj aCBpcyBpbmNvcnJlY3QuCisKKyAgICAgICAgVGhpcyBwYXRjaCByZW1vdmVzIHRoZSBkZXBlbmRl bmN5IG9uIFNjb3BlQ2hhaW4gZm9yIHRoZSB1bndpbmQsIGFuZCBpJ3ZlIGZpbGVkCisgICAgICAg IDxodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjMxNDQ+IHRvIGxvb2sg aW50byB0aGUgdW5pbnR1aXRpdmUKKyAgICAgICAgU2NvcGVDaGFpbiBiZWhhdmlvdXIuCisKKyAg ICAgICAgKiBpbnRlcnByZXRlci9JbnRlcnByZXRlci5jcHA6CisgICAgICAgIChKU0M6OkludGVy cHJldGVyOjp0aHJvd0V4Y2VwdGlvbik6CisKIDIwMDktMDEtMDYgIEhvbGdlciBIYW5zIFBldGVy IEZyZXl0aGVyICA8emVja2VAc2VsZmlzaC5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgTk9C T0RZIChTcGVjdWxhdGl2ZSBidWlsZCBmaXgpLgpkaWZmIC0tZ2l0IGEvSmF2YVNjcmlwdENvcmUv aW50ZXJwcmV0ZXIvSW50ZXJwcmV0ZXIuY3BwIGIvSmF2YVNjcmlwdENvcmUvaW50ZXJwcmV0ZXIv SW50ZXJwcmV0ZXIuY3BwCmluZGV4IDZjYTk4ZjIuLmU1ODE2ODMgMTAwNjQ0Ci0tLSBhL0phdmFT Y3JpcHRDb3JlL2ludGVycHJldGVyL0ludGVycHJldGVyLmNwcAorKysgYi9KYXZhU2NyaXB0Q29y ZS9pbnRlcnByZXRlci9JbnRlcnByZXRlci5jcHAKQEAgLTg1MCwxMiArODUwLDEzIEBAIE5FVkVS X0lOTElORSBIYW5kbGVySW5mbyogSW50ZXJwcmV0ZXI6OnRocm93RXhjZXB0aW9uKENhbGxGcmFt ZSomIGNhbGxGcmFtZSwgSlNWCiAKICAgICAvLyBOb3cgdW53aW5kIHRoZSBzY29wZSBjaGFpbiB3 aXRoaW4gdGhlIGV4Y2VwdGlvbiBoYW5kbGVyJ3MgY2FsbCBmcmFtZS4KIAotICAgIFNjb3BlQ2hh aW4gc2MoY2FsbEZyYW1lLT5zY29wZUNoYWluKCkpOworICAgIFNjb3BlQ2hhaW5Ob2RlKiBzY29w ZUNoYWluID0gY2FsbEZyYW1lLT5zY29wZUNoYWluKCk7CisgICAgU2NvcGVDaGFpbiBzYyhzY29w ZUNoYWluKTsKICAgICBpbnQgc2NvcGVEZWx0YSA9IGRlcHRoKGNvZGVCbG9jaywgc2MpIC0gaGFu ZGxlci0+c2NvcGVEZXB0aDsKICAgICBBU1NFUlQoc2NvcGVEZWx0YSA+PSAwKTsKICAgICB3aGls ZSAoc2NvcGVEZWx0YS0tKQotICAgICAgICBzYy5wb3AoKTsKLSAgICBjYWxsRnJhbWUtPnNldFNj b3BlQ2hhaW4oc2Mubm9kZSgpKTsKKyAgICAgICAgc2NvcGVDaGFpbiA9IHNjb3BlQ2hhaW4tPnBv cCgpOworICAgIGNhbGxGcmFtZS0+c2V0U2NvcGVDaGFpbihzY29wZUNoYWluKTsKIAogICAgIHJl dHVybiBoYW5kbGVyOwogfQpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nIGIvTGF5 b3V0VGVzdHMvQ2hhbmdlTG9nCmluZGV4IGVlMDE5MWIuLjZmODk0OGEgMTAwNjQ0Ci0tLSBhL0xh eW91dFRlc3RzL0NoYW5nZUxvZworKysgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKQEAgLTEsMyAr MSwxNSBAQAorMjAwOS0wMS0wNiAgT2xpdmVyIEh1bnQgIDxvbGl2ZXJAYXBwbGUuY29tPgorCisg ICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIDxodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjMwODU+IFtqc2Z1bmZ1enpdIE92ZXIgcmVs ZWFzZWQgU2NvcGVDaGFpbk5vZGUKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzY0NzQxMTA+CisK KyAgICAgICAgQWRkIHRlc3QgZm9yIG92ZXIgcmVsZWFzaW5nIHRoZSBzY29wZWNoYWluLgorCisg ICAgICAgICogZmFzdC9qcy9leGNlcHRpb24tdHJ5LWZpbmFsbHktc2NvcGUtZXJyb3ItZXhwZWN0 ZWQudHh0OgorICAgICAgICAqIGZhc3QvanMvcmVzb3VyY2VzL2V4Y2VwdGlvbi10cnktZmluYWxs eS1zY29wZS1lcnJvci5qczoKKwogMjAwOC0wMS0wNSAgRGVhbiBKYWNrc29uICA8ZGlub0BhcHBs ZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgRGF2aWQgSHlhdHQuCmRpZmYgLS1naXQgYS9M YXlvdXRUZXN0cy9mYXN0L2pzL2V4Y2VwdGlvbi10cnktZmluYWxseS1zY29wZS1lcnJvci1leHBl Y3RlZC50eHQgYi9MYXlvdXRUZXN0cy9mYXN0L2pzL2V4Y2VwdGlvbi10cnktZmluYWxseS1zY29w ZS1lcnJvci1leHBlY3RlZC50eHQKaW5kZXggMGI5YmZhMC4uYjhiMGE5MyAxMDA2NDQKLS0tIGEv TGF5b3V0VGVzdHMvZmFzdC9qcy9leGNlcHRpb24tdHJ5LWZpbmFsbHktc2NvcGUtZXJyb3ItZXhw ZWN0ZWQudHh0CisrKyBiL0xheW91dFRlc3RzL2Zhc3QvanMvZXhjZXB0aW9uLXRyeS1maW5hbGx5 LXNjb3BlLWVycm9yLWV4cGVjdGVkLnR4dApAQCAtMSw0ICsxLDQgQEAKLVRoaXMgdGVzdCBtYWtl cyBzdXJlIHN0YWNrIHVud2luZGluZyB3b3JrcyBjb3JyZWN0bHkgd2hlbiBjb25mcm9udGVkIHdp dGggYSAwLWRlcHRoIHNjb3BlIGNoYWluIHdpdGhvdXQgYW4gYWN0aXZhdGlvbgorVGhpcyB0ZXN0 IG1ha2VzIHN1cmUgc3RhY2sgdW53aW5kaW5nIHdvcmtzIGNvcnJlY3RseSBpbiBjb21iaW5hdGlv biB3aXRoIGR5bmFtaWNhbGx5IGFkZGVkIHNjb3BlcwogCiBPbiBzdWNjZXNzLCB5b3Ugd2lsbCBz ZWUgYSBzZXJpZXMgb2YgIlBBU1MiIG1lc3NhZ2VzLCBmb2xsb3dlZCBieSAiVEVTVCBDT01QTEVU RSIuCiAKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3QvanMvcmVzb3VyY2VzL2V4Y2VwdGlv bi10cnktZmluYWxseS1zY29wZS1lcnJvci5qcyBiL0xheW91dFRlc3RzL2Zhc3QvanMvcmVzb3Vy Y2VzL2V4Y2VwdGlvbi10cnktZmluYWxseS1zY29wZS1lcnJvci5qcwppbmRleCAwYWQ4ODlmLi44 NjFjYTY4IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9mYXN0L2pzL3Jlc291cmNlcy9leGNlcHRp b24tdHJ5LWZpbmFsbHktc2NvcGUtZXJyb3IuanMKKysrIGIvTGF5b3V0VGVzdHMvZmFzdC9qcy9y ZXNvdXJjZXMvZXhjZXB0aW9uLXRyeS1maW5hbGx5LXNjb3BlLWVycm9yLmpzCkBAIC0xLDQgKzEs MTQgQEAKLWRlc2NyaXB0aW9uKCdUaGlzIHRlc3QgbWFrZXMgc3VyZSBzdGFjayB1bndpbmRpbmcg d29ya3MgY29ycmVjdGx5IHdoZW4gY29uZnJvbnRlZCB3aXRoIGEgMC1kZXB0aCBzY29wZSBjaGFp biB3aXRob3V0IGFuIGFjdGl2YXRpb24nKTsKK2Rlc2NyaXB0aW9uKCdUaGlzIHRlc3QgbWFrZXMg c3VyZSBzdGFjayB1bndpbmRpbmcgd29ya3MgY29ycmVjdGx5IGluIGNvbWJpbmF0aW9uIHdpdGgg ZHluYW1pY2FsbHkgYWRkZWQgc2NvcGVzJyk7CisKK2Z1bmN0aW9uIGdjKCkKK3sKKyAgICBpZiAo dGhpcy5HQ0NvbnRyb2xsZXIpCisgICAgICAgIEdDQ29udHJvbGxlci5jb2xsZWN0KCk7CisgICAg ZWxzZQorICAgICAgICBmb3IgKHZhciBpID0gMDsgaSA8IDEwMDAwOyArK2kpIC8vIEFsbG9jYXRl IGEgc3VmZmljaWVudCBudW1iZXIgb2Ygb2JqZWN0cyB0byBmb3JjZSBhIEdDLgorICAgICAgICAg ICAgKHt9KTsKK30KKwogdmFyIHJlc3VsdDsKIGZ1bmN0aW9uIHJ1blRlc3QoKSB7CiAgICAgdmFy IHRlc3QgPSAib3V0ZXIgc2NvcGUiOwpAQCAtNyw0ICsxNywyMiBAQCBmdW5jdGlvbiBydW5UZXN0 KCkgewogfQogcnVuVGVzdCgpOwogCit0cnl7CisoZnVuY3Rpb24oKSB7CisgICAgdHJ5IHsKKyAg ICAgICAgdGhyb3cgIiI7CisgICAgfSBjYXRjaCh5KSB7CisgICAgICAgIHRocm93IChmdW5jdGlv bigpe30pOworICAgIH0gZmluYWxseSB7CisgICAgfQorfSkoKQorfWNhdGNoKHIpeworfQorCisv LyBKdXN0IGNsb2JiZXIgYW55IHRlbXBvcmFyaWVzCithPSh7fSk7CithKj1hKmEqYTsKKworZ2Mo KTsKKwogdmFyIHN1Y2Nlc3NmdWxseVBhcnNlZCA9IHRydWU7Cg==