Bug 18934

Summary: SQUIRRELFISH: ASSERT @ nytimes.com due to RegisterFile being clobbered
Product: WebKit
Reporter: Geoffrey Garen <ggaren>
Component: JavaScriptCore
Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED
Severity: Normal
CC: oliver, zwarich
Priority: P2
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
URL: http://nytimes.com
Attachments: Testcase (no flags)

Geoffrey Garen
Reported 2008-05-07 21:48:19 PDT
TO REPRODUCE:
1. navigate to nytimes.com -> crash

ASSERTION FAILED: addressOffset < instructions.size()
(/Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/CodeBlock.cpp:541 bool KJS::CodeBlock::getHandlerForVPC(const KJS::Instruction*, KJS::Instruction*&, int&))
Program received signal: “EXC_BAD_ACCESS”.

Script URL: http://pagead2.googlesyndication.com/pagead/show_ads.js
Script: m_buffer = 0x1a0d1000 "(function(){?var f=document,j=navigator,l=window;function da(){var b=f.cookie,a=Math.round((new Date).getTime()/1000),c=b.indexOf(\"__utma=\")>-1,e=b.indexOf(\"__utmb=\")>-1,d=b.indexOf(\"__utmc=\")>-1,g,i="..., m_capacity = 19864

Top of Backtrace:
#0 0x00651cfe in KJS::CodeBlock::getHandlerForVPC (this=0x19d40000, vPC=0x19d48280, target=@0xbfffccb0, scopeDepth=@0xbfffccb4) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/CodeBlock.cpp:541
#1 0x0063bd43 in KJS::Machine::throwException (this=0x682760, exec=0xbfffdab4, exceptionValue=0x19d4b260, registerBase=0x18037680, vPC=0x19d48280, codeBlock=@0xbfffda98, k=@0xbfffce08, scopeChain=@0xbfffda94, r=@0xbfffda90) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/Machine.cpp:539
#2 0x00641a92 in KJS::Machine::privateExecute (this=0x682760, flag=KJS::Machine::Normal, exec=0xbfffdab4, registerFile=0x18037670, r=0x6c26bef0, scopeChain=0x19fe7270, codeBlock=0x19d40000, exception=0xbfffdb4c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/Machine.cpp:2008
#3 0x00642303 in KJS::Machine::execute (this=0x682760, programNode=0x19fb8760, exec=0x19bc9c8c, scopeChain=0x18037660, thisObj=0x19d40000, registerFileStack=0x19bc9c68, exception=0xbfffdb4c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/Machine.cpp:577
#4 0x005e2e5b in KJS::Interpreter::evaluate (exec=0x19bc9c8c, scopeChain=@0x19bc9c88, sourceURL=@0xbfffdbd4, startingLineNumber=0, code=0x19ed5000, codeLength=19863, thisValue=0x19d40000) at interpreter.cpp:84
#5 0x024282e7 in WebCore::KJSProxy::evaluate (this=0x152c2dc0, filename=@0xbfffde08, baseLine=0, str=@0xbfffde8c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/WebCore/bindings/js/kjs_proxy.cpp:87
#6 0x01fea437 in WebCore::FrameLoader::executeScript (this=0x409b800, url=@0xbfffde08, baseLine=0, script=@0xbfffde8c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/WebCore/loader/FrameLoader.cpp:771
#7 0x0206e53e in WebCore::HTMLTokenizer::scriptExecution (this=0x418d200, str=@0xbfffde8c, state={static EntityShift = 4, m_bits = 0}, scriptURL=@0xbfffde88, baseLine=0) at /Volumes/Big/ggaren/Labyrinth/OpenSource/WebCore/html/HTMLTokenizer.cpp:540
Attachments
Testcase (168 bytes, text/html)
2008-05-11 17:18 PDT, Oliver Hunt
no flags
Maciej Stachowiak
Comment 1 2008-05-10 05:53:22 PDT
I don't crash on nytimes.com but I see similar crashes on arstechnica.
Cameron Zwarich (cpst)
Comment 2 2008-05-11 16:46:09 PDT
Here is another URL that repeatedly crashes SquirrelFish for me in unwindCallFrame: http://blog.wired.com/games/2008/05/for-wiiware-nin.html

The assertion that fails is

ASSERTION FAILED: activation->isActivationObject()
(/Users/Cameron/sf/JavaScriptCore/VM/Machine.cpp:503 bool KJS::Machine::unwindCallFrame(KJS::ExecState*, KJS::Register**, const KJS::Instruction*&, KJS::CodeBlock*&, KJS::JSValue**&, KJS::ScopeChainNode*&, KJS::Register*&))

I am not sure if this is the same bug or not, but it might be easier to debug than nytimes.com.
Oliver Hunt
Comment 3 2008-05-11 17:18:03 PDT
*** Bug 18999 has been marked as a duplicate of this bug. ***
Oliver Hunt
Comment 4 2008-05-11 17:18:28 PDT
Created attachment 21073 [details] Testcase
Oliver Hunt
Comment 5 2008-05-12 01:58:13 PDT
Okay, there are multiple issues at play here:

* r32838 removed the implicit function call tracking, and changed the ProgramNode constructor from originally checking to see whether we were in a nested implicit call to just a check to see if the current registerfile is a global file. This fails if you have JS->native getter->Global JS, as the current file will be a global file, so new registers defined in the global code will be propagated back into the tainted file, invalidating r in the calling frame.

* The repeated addition and removal of "this" (to avoid "this" being enumerable in the global object) screws with variable numbering in the created CodeGenerator, leading us to believe a variable has been added even though it hasn't. This results in a reallocation of the registerfile, once again invalidating r in the callframe.

Some ugly hacks that break non-enumerable this and force no globals to be register allocated ever seem to fix this issue; I believe I will need to reestablish the implicit call-fu.
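The clobbering described in comment 5, as an added illustration that is not WebKit code: a hypothetical growable register file is shared between a suspended caller and reentered global code, the reentry appends new globals and reallocates the file, and a frame that cached a raw `Register*` is left pointing at freed storage while a frame that kept an offset and re-derives its pointer from the current base is unaffected. `RegisterFile`, `Register`, `reenterGlobalCode` and both frame functions are stand-ins constructed for this example.

```cpp
// Added example, not WebKit code: a minimal growable register file modelling
// the failure mode in comment 5. A frame that caches a raw Register* across
// "JS -> native getter -> global JS" reentry dangles once the file grows.
#include <cstddef>
#include <cstdint>
#include <memory>

struct Register { int value = 0; };
// Hypothetical register file: exact-size contiguous storage that is
// reallocated (and moved) whenever new globals are appended.
class RegisterFile {
public:
    explicit RegisterFile(std::size_t n) : m_size(n), m_regs(new Register[n]) {}
    Register* base() { return m_regs.get(); }
    void addGlobals(std::size_t n) {
        std::unique_ptr<Register[]> grown(new Register[m_size + n]);
        for (std::size_t i = 0; i < m_size; ++i) grown[i] = m_regs[i];
        m_regs.swap(grown);  // grown now owns the old buffer and frees it on return
        m_size += n;         // every Register* into the old buffer now dangles
    }
private:
    std::size_t m_size;
    std::unique_ptr<Register[]> m_regs;
};

// Stands in for the reentered global code: declaring newGlobals variables
// appends registers to the file shared with the suspended caller.
static void reenterGlobalCode(RegisterFile& file, std::size_t newGlobals) {
    if (newGlobals) file.addGlobals(newGlobals);
}

// Buggy frame: caches r as a raw pointer across the call. Returns true only if
// that address (captured as an integer while valid) still matches live storage.
bool rawPointerSurvivesReentry(std::size_t initial, std::size_t growth) {
    RegisterFile file(initial);
    Register* r = file.base() + (initial - 1);
    std::uintptr_t cached = reinterpret_cast<std::uintptr_t>(r);
    reenterGlobalCode(file, growth);
    return cached == reinterpret_cast<std::uintptr_t>(file.base() + (initial - 1));
}

// Hardened frame: keeps the register's offset and re-derives the pointer from
// the current base after any call that may grow the file.
int offsetBasedReadAfterReentry(std::size_t initial, std::size_t growth, int stored) {
    RegisterFile file(initial);
    std::size_t offset = initial - 1;
    file.base()[offset].value = stored;
    reenterGlobalCode(file, growth);
    return file.base()[offset].value;
}
```

Because `addGlobals` allocates the new buffer while the old one is still live, any non-zero growth is guaranteed to move the storage, so the raw-pointer frame fails deterministically rather than only when an allocator happens to relocate.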
Oliver Hunt
Comment 6 2008-05-12 17:26:42 PDT
M JavaScriptCore/ChangeLog
M JavaScriptCore/VM/Machine.cpp
M JavaScriptCore/VM/RegisterFileStack.cpp
M JavaScriptCore/VM/RegisterFileStack.h
M LayoutTests/ChangeLog
A LayoutTests/fast/js/implicit-call-with-global-reentry-expected.txt
A LayoutTests/fast/js/implicit-call-with-global-reentry.html
A LayoutTests/fast/js/resources/implicit-call-with-global-reentry.js
Committed r33066
Cameron Zwarich (cpst)
Comment 7 2008-05-12 17:39:22 PDT
This doesn't fix the crash on the Wired link. I'll make a new bug.