Bug 134945

Summary: Need ability to fuzz exception throwing
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, ossy, rhodovan.u-szeged, sam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on: 134988, 146831    
Bug Blocks:    
Attachments:
Description Flags
almost done
none
the patch sam: review+

Filip Pizlo
Reported 2014-07-15 15:03:50 PDT
Patch forthcoming.
Attachments
almost done (233.17 KB, patch)
2014-07-15 15:05 PDT, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (240.48 KB, patch)
2014-07-15 19:31 PDT, Filip Pizlo 		sam: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2014-07-15 15:05:17 PDT
Created attachment 234957 [details] almost done
Filip Pizlo
Comment 2 2014-07-15 18:32:35 PDT
This causes a rare crash in v8-earley-boyer. I will try to fix it.
Filip Pizlo
Comment 3 2014-07-15 18:38:04 PDT
(In reply to comment #2) > This causes a rare crash in v8-earley-boyer. I will try to fix it. Here's the repro: [pizlo@dethklok OpenSource] DYLD_FRAMEWORK_PATH=WebKitBuild/Release/ lldb -- WebKitBuild/Release/jsc Source/JavaScriptCore/tests/exceptionFuzz/earley-boyer.js --enableConcurrentJIT=false --enableExceptionFuzz=true --fireExceptionFuzzAt=13582 Current executable set to 'WebKitBuild/Release/jsc' (x86_64). (lldb) r Process 47764 launched: '/Volumes/Data/pizlo/quartary/OpenSource/WebKitBuild/Release/jsc' (x86_64) JSC EXCEPTION FUZZ: Throwing fuzz exception. Process 47764 stopped * thread #1: tid = 0x3d48178, 0x000000010022b8bd JavaScriptCore`JSC::UnwindFunctor::operator()(JSC::StackVisitor&) [inlined] JSC::WriteBarrierBase<JSC::SymbolTable>::get() const at WriteBarrier.h:92, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT) frame #0: 0x000000010022b8bd JavaScriptCore`JSC::UnwindFunctor::operator()(JSC::StackVisitor&) [inlined] JSC::WriteBarrierBase<JSC::SymbolTable>::get() const at WriteBarrier.h:92 89 T* get() const 90 { 91 // Copy m_cell to a local to avoid multiple-read issues. (See <http://webkit.org/b/110854>) -> 92 JSCell* cell = m_cell; 93 if (cell) 94 validateCell(cell); 95 return reinterpret_cast<T*>(static_cast<void*>(cell)); (lldb) bt [0x0000000000000000 - 0x0000000000000198) [0x0000000000000198 - 0x0000000000000336) [0x0000000000000336 - 0x000000000000035c) [0x000000000000035c - 0x000000000000632b) * thread #1: tid = 0x3d48178, 0x000000010022b8bd JavaScriptCore`JSC::UnwindFunctor::operator()(JSC::StackVisitor&) [inlined] JSC::WriteBarrierBase<JSC::SymbolTable>::get() const at WriteBarrier.h:92, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT) frame #0: 0x000000010022b8bd JavaScriptCore`JSC::UnwindFunctor::operator()(JSC::StackVisitor&) [inlined] JSC::WriteBarrierBase<JSC::SymbolTable>::get() const at WriteBarrier.h:92 frame #1: 0x000000010022b8bd JavaScriptCore`JSC::UnwindFunctor::operator()(JSC::StackVisitor&) [inlined] JSC::JSSymbolTableObject::symbolTable() const at JSSymbolTableObject.h:43 frame #2: 0x000000010022b8bd JavaScriptCore`JSC::UnwindFunctor::operator()(JSC::StackVisitor&) [inlined] JSC::JSActivation::tearOff(this=0xffff000000000002) at JSActivation.h:151 frame #3: 0x000000010022b8bd JavaScriptCore`JSC::UnwindFunctor::operator()(JSC::StackVisitor&) [inlined] JSC::unwindCallFrame(JSC::StackVisitor&) + 312 at Interpreter.cpp:461 frame #4: 0x000000010022b785 JavaScriptCore`JSC::UnwindFunctor::operator(this=0x00007fff5fbfc8c8, visitor=0x00007fff5fbfc910)(JSC::StackVisitor&) + 117 at Interpreter.cpp:661 frame #5: 0x000000010022876b JavaScriptCore`JSC::Interpreter::unwind(JSC::ExecState*&, JSC::JSValue&) [inlined] void JSC::StackVisitor::visit<JSC::UnwindFunctor>(functor=0x00007fff5fbfc9a0, startFrame=<unavailable>) + 42 at StackVisitor.h:123 frame #6: 0x0000000100228741 JavaScriptCore`JSC::Interpreter::unwind(JSC::ExecState*&, JSC::JSValue&) [inlined] void JSC::ExecState::iterate<JSC::UnwindFunctor>(functor=0x00007fff5fbfc9a0, this=<unavailable>) at CallFrame.h:308 frame #7: 0x0000000100228741 JavaScriptCore`JSC::Interpreter::unwind(this=<unavailable>, callFrame=0x00007fff5fbfc9a0, exceptionValue=0x00007fff5fbfc998) + 513 at Interpreter.cpp:734 frame #8: 0x0000000100245db8 JavaScriptCore`JSC::genericUnwind(vm=0x000000010086e000, callFrame=0x00007fff5fbfcab0, exceptionValue=JSValue at 0x00007fff5fbfc998) + 72 at JITExceptions.cpp:51 frame #9: 0x0000538cb201172f frame #10: 0x0000538cb20462be frame #11: 0x0000538cb201da1e frame #12: 0x0000538cb201db3e frame #13: 0x0000538cb204625e frame #14: 0x0000538cb201a4de frame #15: 0x0000538cb20461fe frame #16: 0x0000538cb204625e frame #17: 0x0000538cb20187fe frame #18: 0x0000538cb204625e frame #19: 0x0000538cb201a4de frame #20: 0x0000538cb20461fe frame #21: 0x0000538cb204625e frame #22: 0x0000538cb201a4de frame #23: 0x0000538cb20461fe frame #24: 0x0000538cb20462be frame #25: 0x0000538cb201da1e frame #26: 0x0000538cb201da1e frame #27: 0x0000538cb201db3e frame #28: 0x0000538cb20462be frame #29: 0x0000538cb201da1e frame #30: 0x0000538cb201db3e frame #31: 0x0000538cb2018224 frame #32: 0x0000538cb201a4de frame #33: 0x0000538cb2011353 frame #34: 0x0000538cb2018224 frame #35: 0x0000538cb201a4de frame #36: 0x0000538cb201131c frame #37: 0x0000538cb2018224 frame #38: 0x0000538cb201a4de frame #39: 0x0000000100336f20 JavaScriptCore`llint_entry + 22744 frame #40: 0x0000000100336f20 JavaScriptCore`llint_entry + 22744 frame #41: 0x0000000100336eb5 JavaScriptCore`llint_entry + 22637 frame #42: 0x0000000100336eb5 JavaScriptCore`llint_entry + 22637 frame #43: 0x0000000100336f20 JavaScriptCore`llint_entry + 22744 frame #44: 0x0000000100336eb5 JavaScriptCore`llint_entry + 22637 frame #45: 0x0000000100336eb5 JavaScriptCore`llint_entry + 22637 frame #46: 0x0000000100331423 JavaScriptCore`callToJavaScript + 311
Filip Pizlo
Comment 4 2014-07-15 19:13:50 PDT
Looks like this particular failure was caused by exception fuzzing incorrectly causing an exception to be thrown from operationOptimize. In an ideal world, we would fix this by removing the exception check from operationOptimize. But there's the possibility that this exception check was picking up a stale exception that we hadn't ever checked - this is a really dumb bug we have sometimes. Then, we'd crash instead of throwing.
Filip Pizlo
Comment 5 2014-07-15 19:31:10 PDT
Created attachment 234974 [details] the patch
Sam Weinig
Comment 6 2014-07-15 19:44:52 PDT
Comment on attachment 234974 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=234974&action=review > Source/JavaScriptCore/jit/JITOperations.cpp:1812 > + ExecState* exec = static_cast<ExecState*>(__builtin_frame_address(1)); It's probably worth noting why you are doing these shenanigans for future sanity.
Geoffrey Garen
Comment 7 2014-07-16 10:52:05 PDT
Comment on attachment 234974 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=234974&action=review > Source/JavaScriptCore/interpreter/Interpreter.cpp:461 > + if (activation && activation.isCell()) > jsCast<JSActivation*>(activation)->tearOff(*scope->vm()); When is the activation present but not a cell?
Filip Pizlo
Comment 8 2014-07-16 14:14:38 PDT
(In reply to comment #7) > (From update of attachment 234974 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=234974&action=review > > > Source/JavaScriptCore/interpreter/Interpreter.cpp:461 > > + if (activation && activation.isCell()) > > jsCast<JSActivation*>(activation)->tearOff(*scope->vm()); > > When is the activation present but not a cell? If we throw an exception between op_enter and op_init_lazy_reg, then both the activation and the arguments registers will be undefined. This can definitely happen due to my fuzzer. It's also possible if we have a pending exception at the time that we execute a function's prologue. It's kind of funny, but it could probably happen if we have other bugs elsewhere.
Radar WebKit Bug Importer
Comment 9 2014-07-17 21:27:55 PDT
<rdar://problem/17722027>
Filip Pizlo
Comment 10 2014-07-17 21:34:58 PDT
Landed in http://trac.webkit.org/changeset/171213
Csaba Osztrogonác
Comment 11 2014-07-17 22:56:40 PDT
(In reply to comment #10) > Landed in http://trac.webkit.org/changeset/171213 it made 3 jsc tests fail everywhere
Filip Pizlo
Comment 12 2014-07-18 00:00:54 PDT
(In reply to comment #11) > (In reply to comment #10) > > Landed in http://trac.webkit.org/changeset/171213 > > it made 3 jsc tests fail everywhere Investigating.
Filip Pizlo
Comment 13 2014-07-18 00:06:56 PDT
(In reply to comment #12) > (In reply to comment #11) > > (In reply to comment #10) > > > Landed in http://trac.webkit.org/changeset/171213 > > > > it made 3 jsc tests fail everywhere > > Investigating. Will land a fix shortly.
Filip Pizlo
Comment 14 2014-07-18 00:12:05 PDT
(In reply to comment #13) > (In reply to comment #12) > > (In reply to comment #11) > > > (In reply to comment #10) > > > > Landed in http://trac.webkit.org/changeset/171213 > > > > > > it made 3 jsc tests fail everywhere > > > > Investigating. > > Will land a fix shortly. Should be fixed in http://trac.webkit.org/changeset/171216.
Filip Pizlo
Comment 15 2014-07-18 00:14:09 PDT
(In reply to comment #14) > (In reply to comment #13) > > (In reply to comment #12) > > > (In reply to comment #11) > > > > (In reply to comment #10) > > > > > Landed in http://trac.webkit.org/changeset/171213 > > > > > > > > it made 3 jsc tests fail everywhere > > > > > > Investigating. > > > > Will land a fix shortly. > > Should be fixed in http://trac.webkit.org/changeset/171216. Make that http://trac.webkit.org/changeset/171217.
Csaba Osztrogonác
Comment 16 2014-07-18 10:05:54 PDT
And it broke the CLOOP build: Undefined symbols for architecture x86_64: "__ZN3JSC27numberOfExceptionFuzzChecksEv", referenced from: __Z7jscmainiPPc in jsc.o
Filip Pizlo
Comment 17 2014-07-18 11:41:48 PDT
(In reply to comment #16) > And it broke the CLOOP build: > Undefined symbols for architecture x86_64: > "__ZN3JSC27numberOfExceptionFuzzChecksEv", referenced from: > __Z7jscmainiPPc in jsc.o Fixed in http://trac.webkit.org/changeset/171228
Note You need to log in before you can comment on or make changes to this bug.