Bug 146636

Summary: ASSERTION FAILED: returnAddress >= instructions().begin() && returnAddress < instructions().end() in JSC::CodeBlock::bytecodeOffset
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: fpizlo, oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments: Test case (flags: none)

Description Renata Hodovan 2015-07-06 05:50:26 PDT
Created attachment 256210 [details]
Test case

Loading this with debug jsc ends in a release assert failure:


function test() {
    try {
        releaseExecutableMemory(); // jsc shell helper: frees the VM's JIT-compiled executable memory
        Array.from(Object);        // Object is array-like (length 1), so this returns [undefined]
        Array.from();              // throws TypeError (undefined is not iterable); swallowed below
    } catch(err) {}
}

// Two iterations are needed to reproduce (see comment 1 for the required JIT threshold flag)
for (var i = 0; i < 2; i++)
    test();


Backtrace:

ASSERTION FAILED: returnAddress >= instructions().begin() && returnAddress < instructions().end()
../../Source/JavaScriptCore/bytecode/CodeBlock.h(252) : unsigned int JSC::CodeBlock::bytecodeOffset(JSC::Instruction*)
1   0x7ffff72d46db WTFCrash
2   0x7ffff7103737 JSC::CodeBlock::bytecodeOffset(JSC::Instruction*)
3   0x7ffff70fe7aa
4   0x7fffb10007f5
[New Thread 0x7fffaf7fa700 (LWP 4629)]
[New Thread 0x7fffafffb700 (LWP 4628)]
[New Thread 0x7fffb07fc700 (LWP 4627)]
[New Thread 0x7fffb0ffd700 (LWP 4626)]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321     *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff7103737 in JSC::CodeBlock::bytecodeOffset (this=0x7ffff15de4c0, returnAddress=0x7ffff10380f8)
    at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:252
#2  0x00007ffff70fe7aa in JSC::slow_path_nstricteq (exec=0x7fffffffca00, pc=0x7ffff10380f8) at ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:300
#3  0x00007fffb10007f5 in ?? ()
#4  0x00007fffffffc9b0 in ?? ()
#5  0x00007ffff6f8b958 in JSC::getHostCallReturnValueWithExecState (exec=0x7ffff10342e0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:2057
#6  0x00007fffb0fffafa in ?? ()
#7  0x00007ffff15de4c0 in ?? ()
#8  0x00007ffff1050c10 in ?? ()
#9  0x0000001f00000001 in ?? ()
#10 0x00007ffff1034480 in ?? ()
#11 0x000000000000000a in ?? ()
#12 0x00007ffff727e87e in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#13 0x00007ffff727e87e in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#14 0x00007ffff7278cc6 in vmEntryToJavaScript () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#15 0x00007ffff6f75702 in JSC::JITCode::execute (this=0x7ffff17e3ed0, vm=0x7ffff1004000, protoCallFrame=0x7fffffffcca0)
    at ../../Source/JavaScriptCore/jit/JITCode.cpp:77
#16 0x00007ffff6f4e1e4 in JSC::Interpreter::execute (this=0x7ffff17f6000, program=0x7ffff1046000, callFrame=0x7ffff102b840, thisObj=0x7ffff107acc0)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:901
#17 0x00007ffff7103f48 in JSC::evaluate (exec=0x7ffff102b840, source=..., thisValue=..., returnedException=...)
    at ../../Source/JavaScriptCore/runtime/Completion.cpp:82
#18 0x0000000000428d38 in runWithScripts (globalObject=0x7ffff102b800, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1315
#19 0x0000000000429c41 in jscmain (argc=3, argv=0x7fffffffd8e8) at ../../Source/JavaScriptCore/jsc.cpp:1533
#20 0x0000000000428b0a in main (argc=3, argv=0x7fffffffd8e8) at ../../Source/JavaScriptCore/jsc.cpp:1273
Comment 1 Renata Hodovan 2015-07-06 06:04:13 PDT
Forgot to say: jsc needs to be run with the --thresholdForJITAfterWarmUp=10 runtime flag to reproduce the assertion fail.


If you leave the flag then another crash happens in llint_entry with the backtrace below:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7279a51 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
(gdb) bt
#0  0x00007ffff7279a51 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#1  0x00007ffff727e87e in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#2  0x00007ffff7278cc6 in vmEntryToJavaScript () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#3  0x00007ffff6f75702 in JSC::JITCode::execute (this=0x7ffff17e3ed0, vm=0x7ffff1004000, protoCallFrame=0x7fffffffccc0)
    at ../../Source/JavaScriptCore/jit/JITCode.cpp:77
#4  0x00007ffff6f4e1e4 in JSC::Interpreter::execute (this=0x7ffff17f6000, program=0x7ffff1046000, callFrame=0x7ffff102b840, thisObj=0x7ffff107acc0)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:901
#5  0x00007ffff7103f48 in JSC::evaluate (exec=0x7ffff102b840, source=..., thisValue=..., returnedException=...)
    at ../../Source/JavaScriptCore/runtime/Completion.cpp:82
#6  0x0000000000428d38 in runWithScripts (globalObject=0x7ffff102b800, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1315
#7  0x0000000000429c41 in jscmain (argc=2, argv=0x7fffffffd908) at ../../Source/JavaScriptCore/jsc.cpp:1533
#8  0x0000000000428b0a in main (argc=2, argv=0x7fffffffd908) at ../../Source/JavaScriptCore/jsc.cpp:1273

Further note: to reproduce the latter, the test case can be minimized as follows:

function test() {
    releaseExecutableMemory();
}

for (var i = 0; i < 2; i++)
    test();