Bug 141246

Summary: Crash in JSC::DFG::StackLayoutPhase::run
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: bfulgham, fpizlo, ggaren, msaboff, oliver, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Linux
Bug Depends on:
Bug Blocks: 116980
Attachments:
Test case (59 bytes, application/javascript), 2015-02-04 07:20 PST, Renata Hodovan, no flags

Renata Hodovan
Reported 2015-02-04 07:20:11 PST
Created attachment 246031 [details]
Test case

Run the following test in release or debug JSC:

function fuzz(arguments) {
    fuzz(arguments);
}
fuzz(2);

At first sight it looks like a stack overflow, but according to the backtraces it might be a different issue.

Running the test in debug JSC results in an assertion failure with the following trace:

ASSERTION FAILED: usesArguments()
../../Source/JavaScriptCore/bytecode/CodeBlock.h(338) : JSC::VirtualRegister JSC::CodeBlock::argumentsRegister() const

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73e0095 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff73e0095 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff6cf54a9 in JSC::CodeBlock::argumentsRegister (this=0x7fffb0649a00) at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:338
#2  0x00007ffff6dfd079 in JSC::DFG::Graph::argumentsRegisterFor (this=0x7fffffff2410, inlineCallFrame=0x7ffff7f92730) at ../../Source/JavaScriptCore/dfg/DFGGraph.h:415
#3  0x00007ffff6fdf182 in JSC::DFG::StackLayoutPhase::run (this=0x7fffffff1e80) at ../../Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:112
#4  0x00007ffff6fe0250 in JSC::DFG::runAndLog<JSC::DFG::StackLayoutPhase> (phase=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:77
#5  0x00007ffff6fe00ee in JSC::DFG::runPhase<JSC::DFG::StackLayoutPhase> (graph=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:87
#6  0x00007ffff6fde654 in JSC::DFG::performStackLayout (graph=...) at ../../Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:272
#7  0x00007ffff6f2fa8c in JSC::DFG::Plan::compileInThreadImpl (this=0x7ffff7fbdd80, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:296
#8  0x00007ffff6f2f25c in JSC::DFG::Plan::compileInThread (this=0x7ffff7fbdd80, longLivedState=..., threadData=0x0) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:164
#9  0x00007ffff6e7a25d in JSC::DFG::compileImpl (vm=..., codeBlock=0x7fffb0649780, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108
#10 0x00007ffff6e7a398 in JSC::DFG::compile (vm=..., codeBlock=0x7fffb0649780, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:128
#11 0x00007ffff70d75cd in JSC::operationOptimize (exec=0x7fffffff2eb0, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1158
#12 0x00007fffb1662bc5 in ?? ()
#13 0x0000000000000000 in ?? ()

The backtrace of the release crash:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78f4bde in JSC::DFG::StackLayoutPhase::run() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
(gdb) bt
#0  0x00007ffff78f4bde in JSC::DFG::StackLayoutPhase::run() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007ffff78f4692 in JSC::DFG::performStackLayout(JSC::DFG::Graph&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007ffff78891eb in JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#3  0x00007ffff78894b6 in JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#4  0x00007ffff78154ac in JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#5  0x00007ffff79a9e27 in operationOptimize () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#6  0x00007fffb2c25b4c in ?? ()
#7  0x0000000000000000 in ?? ()
Radar WebKit Bug Importer
Comment 1 2015-02-12 11:32:47 PST
Brent Fulgham
Comment 2 2016-08-04 16:26:48 PDT
This may be a duplicate of Bug 141721, and no longer causes a crash in WebKit.

*** This bug has been marked as a duplicate of bug 141721 ***