Bug 19098

Summary: SquirrelFish: Ref'd temporaries can be clobbered
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ggaren, mjs
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
Testcase
none
Proposed patch
oliver: review+
Proposed patch (with layout test) oliver: review+

Oliver Hunt
Reported 2008-05-16 01:37:00 PDT
Assertion due over released registerid
Attachments
Testcase (140 bytes, text/plain)
2008-05-16 01:41 PDT, Oliver Hunt 		no flags
Details
Proposed patch (1.52 KB, patch)
2008-05-16 03:53 PDT, Cameron Zwarich (cpst) 		oliver: review+
DetailsFormatted DiffDiff
Proposed patch (with layout test) (4.10 KB, patch)
2008-05-16 04:54 PDT, Cameron Zwarich (cpst) 		oliver: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 2008-05-16 01:41:49 PDT
Created attachment 21198 [details] Testcase
Oliver Hunt
Comment 2 2008-05-16 03:03:16 PDT
Okay, it looks like we're clobbering temporary registers. In the attached test case ForNode refs the result of the statement at line 5020, but it then clobbers (by resets) the ref'd RegisterID when PreIncResolveNode requests a new temporary: #0 0x0031b996 in KJS::RegisterID::RegisterID (this=0xbfff5c00, index=1) at RegisterID.h:52 #1 0x00336eb5 in WTF::Vector<KJS::RegisterID, 512ul>::append<unsigned long> (this=0xbfff5be8, val=@0xbfff3f48) at Vector.h:731 #2 0x002d3830 in KJS::CodeGenerator::newTemporary (this=0xbfff4320) at CodeGenerator.cpp:351 #3 0x002e3a58 in KJS::PreIncResolveNode::emitCode (this=0x608e10, generator=@0xbfff4320, dst=0x0) at nodes.cpp:2350 #4 0x0033585d in KJS::CodeGenerator::emitNode (this=0xbfff4320, dst=0x0, n=0x608e10) at CodeGenerator.h:142 #5 0x00335884 in KJS::CodeGenerator::emitNode (this=0xbfff4320, n=0x608e10) at CodeGenerator.h:147 #6 0x002dca02 in KJS::ForNode::emitCode (this=0x609030, generator=@0xbfff4320, dst=0x0) at nodes.cpp:5023 #7 0x0033585d in KJS::CodeGenerator::emitNode (this=0xbfff4320, dst=0x0, n=0x609030) at CodeGenerator.h:142 #8 0x002d7754 in statementListEmitCode (statements=@0x6090e0, generator=@0xbfff4320, dst=0x0) at nodes.cpp:4682 #9 0x002d779a in KJS::BlockNode::emitCode (this=0x6090d0, generator=@0xbfff4320, dst=0x0) at nodes.cpp:4740 #10 0x0033585d in KJS::CodeGenerator::emitNode (this=0xbfff4320, dst=0x0, n=0x6090d0) at CodeGenerator.h:142 #11 0x002d81f5 in KJS::WithNode::emitCode (this=0x6090f0, generator=@0xbfff4320, dst=0x0) at nodes.cpp:5369 #12 0x0033585d in KJS::CodeGenerator::emitNode (this=0xbfff4320, dst=0x0, n=0x6090f0) at CodeGenerator.h:142 #13 0x002d7754 in statementListEmitCode (statements=@0x609170, generator=@0xbfff4320, dst=0x0) at nodes.cpp:4682 #14 0x002d8bbc in KJS::FunctionBodyNode::emitCode (this=0x609160, generator=@0xbfff4320) at nodes.cpp:5812 #15 0x002daeee in KJS::CodeGenerator::generate (this=0xbfff4320) at CodeGenerator.cpp:133 #16 0x00307456 in KJS::FunctionBodyNode::generateCode (this=0x609160, sc=0x6059b0) at nodes.cpp:5804 #17 0x00376ae7 in KJS::FunctionBodyNode::code (this=0x609160, scopeChain=0x6059b0) at nodes.h:3027 #18 0x00374651 in KJS::Machine::privateExecute (this=0x3c5960, flag=KJS::Machine::Normal, exec=0xbffff3ac, registerFile=0x605990, r=0x609328, scopeChain=0x6059b0, codeBlock=0x605540, exception=0xbffff438) at /Volumes/Data/git/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:1768 #19 0x00376374 in KJS::Machine::execute (this=0x3c5960, programNode=0x608c90, exec=0x6059f0, scopeChain=0x6059b0, thisObj=0x20000, registerFileStack=0x605838, exception=0xbffff438) at /Volumes/Data/git/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:610 #20 0x00314386 in KJS::Interpreter::evaluate (exec=0x6059f0, scopeChain=@0x605858, sourceURL=@0xbffff508, startingLineNumber=0, source=@0xbffff4a8, thisValue=0x0) at interpreter.cpp:85 #21 0x00314451 in KJS::Interpreter::evaluate (exec=0x6059f0, scopeChain=@0x605858, sourceURL=@0xbffff508, startingLineNumber=0, code=@0xbffff518, thisV=0x0) at interpreter.cpp:60 #22 0x00002b0b in runWithScripts (fileNames=@0xbffff570, arguments=@0xbffff564, prettyPrint=false, dump=true) at /Volumes/Data/git/WebKit/OpenSource/JavaScriptCore/API/../kjs/testkjs.cpp:299 #23 0x00002ce3 in kjsmain (argc=4, argv=0xbffff5e4) at /Volumes/Data/git/WebKit/OpenSource/JavaScriptCore/API/../kjs/testkjs.cpp:372 #24 0x00002d4d in main (argc=4, argv=0xbffff5e4) at /Volumes/Data/git/WebKit/OpenSource/JavaScriptCore/API/../kjs/testkjs.cpp:260
Cameron Zwarich (cpst)
Comment 3 2008-05-16 03:53:13 PDT
Created attachment 21201 [details] Proposed patch I'm gonna make a layout test as well, but I need to wait for things to rebuild to run the layout tests.
Oliver Hunt
Comment 4 2008-05-16 04:19:03 PDT
Comment on attachment 21201 [details] Proposed patch r=me, make a testcase though (the attached one hould be fine)
Cameron Zwarich (cpst)
Comment 5 2008-05-16 04:54:31 PDT
Created attachment 21202 [details] Proposed patch (with layout test)
Oliver Hunt
Comment 6 2008-05-16 05:07:50 PDT
M JavaScriptCore/ChangeLog M JavaScriptCore/kjs/nodes.cpp M LayoutTests/ChangeLog A LayoutTests/fast/js/resources/statement-list-register-crash.js A LayoutTests/fast/js/statement-list-register-crash-expected.txt A LayoutTests/fast/js/statement-list-register-crash.html Committed r33517
Note You need to log in before you can comment on or make changes to this bug.