Bug 113907

Summary: Closure caching causes crash in exception handling
Product: WebKit
Reporter: Oliver Hunt <oliver>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: fpizlo
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Oliver Hunt
Reported 2013-04-03 16:16:15 PDT
This piece of code crashes; as far as I can tell it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block:

    var value = 0;
    function f(x) {
        var result = 0;
        function g(a) {
            function throwEventually() {
                if (value++ > 10000)
                    throw new Error;
                return 5;
            }
            return a * throwEventually();
        }
        for (var i = 0; i < 3; i++)
            i += g(x);
        return i;
    }

    while (true)
        f(5)
Filip Pizlo
Comment 1 2013-04-03 16:18:07 PDT
(In reply to comment #0)
> This piece of code crashes; as far as I can tell it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block:
> var value = 0;
> function f(x) {
>     var result = 0;
>     function g(a) {
>         function throwEventually() {
>             if (value++ > 10000)
>                 throw new Error;
>             return 5;
>         }
>         return a * throwEventually();
>     }
>     for (var i = 0; i < 3; i++)
>         i += g(x);
>     return i;
> }
>
> while (true)
>     f(5)

What happens if the closure call cache is cleared while one of the closure calls is still on the stack?

Maybe that's what's going on?
Oliver Hunt
Comment 2 2013-04-03 16:21:10 PDT
(In reply to comment #1)
> (In reply to comment #0)
> > This piece of code crashes; as far as I can tell it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block:
> > var value = 0;
> > function f(x) {
> >     var result = 0;
> >     function g(a) {
> >         function throwEventually() {
> >             if (value++ > 10000)
> >                 throw new Error;
> >             return 5;
> >         }
> >         return a * throwEventually();
> >     }
> >     for (var i = 0; i < 3; i++)
> >         i += g(x);
> >     return i;
> > }
> >
> > while (true)
> >     f(5)
>
> What happens if the closure call cache is cleared while one of the closure calls is still on the stack?
>
> Maybe that's what's going on?

Alas, the crash I'm getting isn't in the above test case; I had an incorrect tree in my change.