Bug 142625

Summary: Crash in JSC::Interpreter::execute
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, mark.lam, msaboff, oliver, ossy, pikachu17997, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test case
none
Patch fpizlo: review+

Description Renata Hodovan 2015-03-12 08:57:17 PDT
Created attachment 248519 [details]
Test case

If you load this with TotT JSC (on Ubuntu 14.04, x86_64):

do 
    eval("function fuzz() {}");
while(true);


then you will get a crash with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73de2d9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff73de2d9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00000000004280fa in WTF::CrashOnOverflow::overflowed () at ../../Source/WTF/wtf/CheckedArithmetic.h:78
#2  0x00007ffff6ce7899 in WTF::Vector<JSC::WriteBarrier<JSC::FunctionExecutable>, 0ul, WTF::CrashOnOverflow>::at (this=0x7fffef7f06d0, i=0)
    at ../../Source/WTF/wtf/Vector.h:659
#3  0x00007ffff6cdf303 in WTF::Vector<JSC::WriteBarrier<JSC::FunctionExecutable>, 0ul, WTF::CrashOnOverflow>::operator[] (this=0x7fffef7f06d0, i=0)
    at ../../Source/WTF/wtf/Vector.h:679
#4  0x00007ffff6dd1ba8 in JSC::CodeBlock::functionDecl (this=0x7fffef7f04d0, index=0) at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:657
#5  0x00007ffff709b0ee in JSC::Interpreter::execute (this=0x7fffefff6000, eval=0x7fffee16fb70, callFrame=0x7fffffffcac0, thisValue=..., 
    scope=0x7fffee0af970) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1119
#6  0x00007ffff7096ca1 in JSC::eval (callFrame=0x7fffffffcac0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:134
#7  0x00007ffff70ce0a9 in JSC::operationCallEval (exec=0x7fffffffcb10, execCallee=0x7fffffffcac0)
    at ../../Source/JavaScriptCore/jit/JITOperations.cpp:638
#8  0x00007fffadfffe06 in ?? ()
#9  0x00007fffffffcb10 in ?? ()
#10 0x00007ffff738d751 in llint_entry () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#11 0x00007ffff7387966 in vmEntryToJavaScript () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#12 0x00007ffff70be1fb in JSC::JITCode::execute (this=0x7fffefff7900, vm=0x7fffee010000, protoCallFrame=0x7fffffffcd30)
    at ../../Source/JavaScriptCore/jit/JITCode.cpp:77
#13 0x00007ffff70997dc in JSC::Interpreter::execute (this=0x7fffefff6000, program=0x7fffee16fc70, callFrame=0x7fffee0af9b0, thisObj=0x7fffee0cfaf0)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:855
#14 0x00007ffff72299ca in JSC::evaluate (exec=0x7fffee0af9b0, source=..., thisValue=..., returnedException=0x7fffffffd6b0)
    at ../../Source/JavaScriptCore/runtime/Completion.cpp:81
#15 0x000000000042648f in runWithScripts (globalObject=0x7fffee0af970, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1264
#16 0x00000000004272c4 in jscmain (argc=2, argv=0x7fffffffd928) at ../../Source/JavaScriptCore/jsc.cpp:1481
#17 0x000000000042627a in main (argc=2, argv=0x7fffffffd928) at ../../Source/JavaScriptCore/jsc.cpp:1222



From Source/JavaScriptCore/interpreter/Interpreter.cpp:


1118	        for (int i = 0; i < numFunctions; ++i) {
1119	            FunctionExecutable* function = codeBlock->functionDecl(i);
...
...
1122	        }

The crash happens in line 1119. After a short debugging it seems that at the moment of the crash the index of the loop is 0 and the value of |numFunctions| is 1. However, since |codeBlock| doesn't contain any functionDeclarations at this point, we crash. One more note that could be important: the crash happens around the 4096th eval execution.
Comment 1 Csaba Osztrogonác 2015-03-23 05:14:56 PDT
(In reply to comment #0)
...
> The crash happens in line 1119. After a short debugging it seems that at the
> moment of the crash the index of the loop is 0 and the value of
> |numFunctions| is 1. However, since |codeBlock| doesn't contain any
> functionDeclarations at this point, we crash. One more note that could be
> important: the crash happens around the 4096th eval execution.

It's easy to reproduce it on Mac too. The test passes with disabled baseline
JIT (LLINT only), with disabled DFG JIT (LLINT + baseline JIT), so the bug
must be in the DFG JIT engine somewhere.
Comment 2 Csaba Osztrogonác 2015-04-21 03:51:32 PDT
This crash is still valid on Mac too. Any plan to fix it?
Comment 3 Radar WebKit Bug Importer 2015-04-21 09:18:41 PDT
<rdar://problem/20634024>
Comment 4 Michael Saboff 2015-04-21 09:54:04 PDT
This was introduced in http://trac.webkit.org/changeset/180993.  When we DFG compile, we call the CodeBlock::jettisonFunctionDeclsAndExprs() which will clear the functions from the list.  When we go to eval the CodeBlock, the functions aren't there.
Comment 5 Michael Saboff 2015-04-21 10:54:17 PDT
Created attachment 251240 [details]
Patch
Comment 6 Michael Saboff 2015-04-21 10:58:20 PDT
Committed r183067: <http://trac.webkit.org/changeset/183067>