Bug 16800

Summary:	REGRESSION: stack overflow crash in regress-96526-002.js
Product:	WebKit	Reporter:	Alexey Proskuryakov <ap>
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	zwarich
Priority:	P1	Keywords:	Regression
Version:	528+ (Nightly build)
Hardware:	PC
OS:	Windows XP
URL:	http://build.webkit.org/builders/trunk-qt-win-release/builds/1702

Alexey Proskuryakov

Reported 2008-01-09 00:53:42 PST

WebKit_debug.dll!KJS::BracketAccessorNode::evaluate(KJS::ExecState * exec=0x0012ed5c) Line 772 C++ WebKit_debug.dll!KJS::BracketAccessorNode::inlineEvaluate(KJS::ExecState * exec=0x0012ed5c) Line 758 + 0x21 bytes C++ WebKit_debug.dll!KJS::BracketAccessorNode::evaluate(KJS::ExecState * exec=0x0012ed5c) Line 772 C++ WebKit_debug.dll!KJS::BracketAccessorNode::inlineEvaluate(KJS::ExecState * exec=0x0012ed5c) Line 758 + 0x21 bytes C++ WebKit_debug.dll!KJS::BracketAccessorNode::evaluate(KJS::ExecState * exec=0x0012ed5c) Line 772 C++ ...

Attachments
Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2008-07-28 03:11:22 PDT

I don't have a Windows build ready right now, but this is probably obsoleted by SquirrelFish.

Chris Brichford

Comment 2 2008-07-29 15:20:33 PDT

After debugging this for a while, a squirrel fix enabled build, I don't think this bug is windows specific. Post squirrel fish, this bug still occurs because the CodeGenerator uses recursion to walk the parse tree to generate the byte code. I can think of three ways to fix this bug: #1 Have CodeGenerator::emitNode keep track how many times it has be entered and emit code to throw an exception ( or fail in some other way ) when it has been re-entered too many times. #2 Have the JS parser keep track of the depth of the parse tree treat that as a syntax error or insert nodes that will cause the CodeGenerator to emit code that throws an exception. #3 Change the CodeGenerator to not use plain C++ recursion #3 is arguably the correct option in the long run, but may involve significant code changes in the near term, including changing the interface between parse tree nodes and the CodeGenerator. This is the stack trace that I'm seeing: . . . #1437 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1438 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1439 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1440 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1441 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1442 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1443 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1444 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1445 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1446 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1447 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1448 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1449 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1450 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1451 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1452 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1453 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1454 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1455 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1456 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1457 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1458 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1459 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1460 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1461 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1462 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1463 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1464 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1465 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1466 0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175 #1467 0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026 #1468 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1469 0x1a70867b in KJS::ExprStatementNode::emitCode at nodes.cpp:4861 #1470 0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166 #1471 0x1a707380 in statementListEmitCode at nodes.cpp:4771 #1472 0x1a70aab5 in KJS::EvalNode::emitCode at nodes.cpp:5840 #1473 0x1a6de316 in KJS::CodeGenerator::generate at CodeGenerator.cpp:136 #1474 0x1a7064cf in KJS::EvalNode::generateCode at nodes.cpp:5856 #1475 0x1a77f83d in KJS::EvalNode::code at nodes.h:3202 #1476 0x1a77e397 in KJS::Machine::execute at Machine.cpp:851 #1477 0x1a77f248 in callEval at Machine.cpp:473 #1478 0x1a77cac9 in KJS::Machine::privateExecute at Machine.cpp:2031 #1479 0x1a77ed56 in KJS::Machine::execute at Machine.cpp:776 #1480 0x1a71bb92 in KJS::Interpreter::evaluate at interpreter.cpp:81 #1481 0x1aae1b90 in WebCore::KJSProxy::evaluate at kjs_proxy.cpp:89 #1482 0x1a9a304d in WebCore::FrameLoader::executeScript at FrameLoader.cpp:819 #1483 0x1a9778a8 in WebCore::HTMLTokenizer::scriptExecution at HTMLTokenizer.cpp:556 #1484 0x1a978f6c in WebCore::HTMLTokenizer::scriptHandler at HTMLTokenizer.cpp:489 #1485 0x1a979595 in WebCore::HTMLTokenizer::parseSpecial at HTMLTokenizer.cpp:334 #1486 0x1a97b60d in WebCore::HTMLTokenizer::parseTag at HTMLTokenizer.cpp:1514 #1487 0x1a97bfb9 in WebCore::HTMLTokenizer::write at HTMLTokenizer.cpp:1749 #1488 0x1a99b6de in WebCore::FrameLoader::write at FrameLoader.cpp:1070 #1489 0x1a99b7f4 in WebCore::FrameLoader::addData at FrameLoader.cpp:1905 . . .

Cameron Zwarich (cpst)

Comment 3 2008-11-20 11:34:23 PST

This no longer occurs on the Qt bots, and the underlying bug was fixed in r38247: http://trac.webkit.org/changeset/38247 I'll close this as fixed.

Note You need to log in before you can comment on or make changes to this bug.