Bug 142625

Summary: Crash in JSC::Interpreter::execute
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: JavaScriptCore    Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, mark.lam, msaboff, oliver, ossy, pikachu17997, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description    Flags
Test case      none
Patch          fpizlo: review+

Renata Hodovan
Reported 2015-03-12 08:57:17 PDT
Created attachment 248519 [details]
Test case

If you load this with ToT JSC (on Ubuntu 14.04, x86_64):

do eval("function fuzz() {}"); while(true);

then you will get a crash with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73de2d9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff73de2d9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00000000004280fa in WTF::CrashOnOverflow::overflowed () at ../../Source/WTF/wtf/CheckedArithmetic.h:78
#2  0x00007ffff6ce7899 in WTF::Vector<JSC::WriteBarrier<JSC::FunctionExecutable>, 0ul, WTF::CrashOnOverflow>::at (this=0x7fffef7f06d0, i=0) at ../../Source/WTF/wtf/Vector.h:659
#3  0x00007ffff6cdf303 in WTF::Vector<JSC::WriteBarrier<JSC::FunctionExecutable>, 0ul, WTF::CrashOnOverflow>::operator[] (this=0x7fffef7f06d0, i=0) at ../../Source/WTF/wtf/Vector.h:679
#4  0x00007ffff6dd1ba8 in JSC::CodeBlock::functionDecl (this=0x7fffef7f04d0, index=0) at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:657
#5  0x00007ffff709b0ee in JSC::Interpreter::execute (this=0x7fffefff6000, eval=0x7fffee16fb70, callFrame=0x7fffffffcac0, thisValue=..., scope=0x7fffee0af970) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1119
#6  0x00007ffff7096ca1 in JSC::eval (callFrame=0x7fffffffcac0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:134
#7  0x00007ffff70ce0a9 in JSC::operationCallEval (exec=0x7fffffffcb10, execCallee=0x7fffffffcac0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:638
#8  0x00007fffadfffe06 in ?? ()
#9  0x00007fffffffcb10 in ?? ()
#10 0x00007ffff738d751 in llint_entry () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#11 0x00007ffff7387966 in vmEntryToJavaScript () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#12 0x00007ffff70be1fb in JSC::JITCode::execute (this=0x7fffefff7900, vm=0x7fffee010000, protoCallFrame=0x7fffffffcd30) at ../../Source/JavaScriptCore/jit/JITCode.cpp:77
#13 0x00007ffff70997dc in JSC::Interpreter::execute (this=0x7fffefff6000, program=0x7fffee16fc70, callFrame=0x7fffee0af9b0, thisObj=0x7fffee0cfaf0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:855
#14 0x00007ffff72299ca in JSC::evaluate (exec=0x7fffee0af9b0, source=..., thisValue=..., returnedException=0x7fffffffd6b0) at ../../Source/JavaScriptCore/runtime/Completion.cpp:81
#15 0x000000000042648f in runWithScripts (globalObject=0x7fffee0af970, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1264
#16 0x00000000004272c4 in jscmain (argc=2, argv=0x7fffffffd928) at ../../Source/JavaScriptCore/jsc.cpp:1481
#17 0x000000000042627a in main (argc=2, argv=0x7fffffffd928) at ../../Source/JavaScriptCore/jsc.cpp:1222

From Source/JavaScriptCore/interpreter/Interpreter.cpp:

1118     for (int i = 0; i < numFunctions; ++i) {
1119         FunctionExecutable* function = codeBlock->functionDecl(i);
...
...
1122     }

The crash happens in line 1119. After some short debugging it seems that at the moment of the crash the index of the loop is 0 and the value of |numFunctions| is 1. However, since |codeBlock| doesn't contain any functionDeclarations at this point, we crash.

One more note that could be important: the crash happens around the 4096th eval execution.
Attachments
Test case (48 bytes, application/javascript)
2015-03-12 08:57 PDT, Renata Hodovan
no flags
Patch (4.84 KB, patch)
2015-04-21 10:54 PDT, Michael Saboff
fpizlo: review+
Csaba Osztrogonác
Comment 1 2015-03-23 05:14:56 PDT
(In reply to comment #0)
...
> The crash happens in line 1119. After a short debugging it seems that at the
> moment of the crash the index of the loop is 0 and the value of
> |numFunctions| is 1. However, since |codeBlock| doesn't contain any
> functionDeclarations at this point, we crash. One more note that could be
> important: the crash happens around the 4096th eval execution.

It's easy to reproduce it on Mac too. The test passes with the baseline JIT disabled (LLINT only) and with the DFG JIT disabled (LLINT + baseline JIT), so the bug must be in the DFG JIT engine somewhere.
Csaba Osztrogonác
Comment 2 2015-04-21 03:51:32 PDT
This crash is still valid on Mac too. Any plan to fix it?
Radar WebKit Bug Importer
Comment 3 2015-04-21 09:18:41 PDT
Michael Saboff
Comment 4 2015-04-21 09:54:04 PDT
This was introduced in http://trac.webkit.org/changeset/180993. When we DFG compile, we call the CodeBlock::jettisonFunctionDeclsAndExprs() which will clear the functions from the list. When we go to eval the CodeBlock, the functions aren't there.
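A reduced model of the mismatch described in this comment, added here as an illustration and not WebKit's own code: the type and function names are stand-ins for the real CodeBlock APIs, and the bounds-checked accessor plays the role of WTF::Vector::at() that produced the WTFCrash in the backtrace.

```cpp
// Added model of the state mismatch behind this bug (not WebKit code; the
// names EvalCodeBlock, functionDecl, jettisonFunctionDeclsAndExprs are
// stand-ins). The eval loop runs to a count taken from the unlinked
// bytecode; the executables live in a vector DFG compilation can jettison.
#include <cstddef>
#include <stdexcept>
#include <vector>
struct FunctionExecutable {};

struct EvalCodeBlock {
    std::size_t numberOfFunctionDecls;               // from unlinked code block
    std::vector<FunctionExecutable*> functionDecls;  // cleared by jettison
    // Like a bounds-checked Vector::at(): an out-of-range index is a hard
    // failure (the WTFCrash in the backtrace), not an out-of-bounds read.
    FunctionExecutable* functionDecl(std::size_t i) const {
        if (i >= functionDecls.size())
            throw std::out_of_range("functionDecl past jettisoned list");
        return functionDecls[i];
    }
    void jettisonFunctionDeclsAndExprs() { functionDecls.clear(); }
};

// The hoisting loop from Interpreter.cpp lines 1118-1122 as quoted in the
// report; returns how many declarations it fetched.
std::size_t hoistFunctionDecls(const EvalCodeBlock& cb) {
    std::size_t hoisted = 0;
    for (std::size_t i = 0; i < cb.numberOfFunctionDecls; ++i, ++hoisted)
        cb.functionDecl(i);
    return hoisted;
}

// Invariant the loop silently relies on; checking it before the loop (or at
// jettison time for eval blocks) turns the crash into a diagnosable error.
bool declsConsistent(const EvalCodeBlock& cb) {
    return cb.numberOfFunctionDecls == cb.functionDecls.size();
}

// Sequence from the report: early evals succeed, DFG tier-up jettisons the
// list, and a later eval (around the 4096th) trips the bounds check.
bool reproduceMismatch() {
    FunctionExecutable fuzz;
    EvalCodeBlock cb{1, {&fuzz}};
    if (hoistFunctionDecls(cb) != 1 || !declsConsistent(cb))
        return false;
    cb.jettisonFunctionDeclsAndExprs();
    if (declsConsistent(cb))
        return false;
    try { hoistFunctionDecls(cb); } catch (const std::out_of_range&) { return true; }
    return false;
}
```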
Michael Saboff
Comment 5 2015-04-21 10:54:17 PDT
Michael Saboff
Comment 6 2015-04-21 10:58:20 PDT