Bug 102353 - JSC's Bytecode dumping option causes segfault.
Summary: JSC's Bytecode dumping option causes segfault.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-15 01:39 PST by Gabor Ballabas
Modified: 2013-01-08 04:45 PST
CC: 5 users

See Also:


Description Gabor Ballabas 2012-11-15 01:39:27 PST
Crash info:

114 m_instructions; 912 bytes at 0xea66f0 (GlobalCode); 1 parameter(s); 11 callee register(s); 0 variable(s)
Program received signal SIGSEGV, Segmentation fault.
0x0000000000480a12 in JSC::SharedSymbolTable::captureCount (this=0x0) at /home/ximinez/work/webkit/webkit/Source/JavaScriptCore/runtime/SymbolTable.h:373
373             int captureCount() { return m_captureEnd - m_captureStart; }
(gdb) bt 5
#0  0x0000000000480a12 in JSC::SharedSymbolTable::captureCount (this=0x0) at /home/ximinez/work/webkit/webkit/Source/JavaScriptCore/runtime/SymbolTable.h:373
#1  0x0000000000470a11 in JSC::CodeBlock::dump (this=0xea66f0, exec=0x7ffff7f7f388) at /home/ximinez/work/webkit/webkit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:495
#2  0x0000000000479b10 in JSC::CodeBlock::CodeBlock (this=0xea66f0, ownerExecutable=0x7ffff7f9ae00, unlinkedCodeBlock=0x7ffff7e5fd80, globalObject=0x7ffff7f7f180, 
    baseScopeDepth=0, sourceProvider=..., sourceOffset=0, alternative=...) at /home/ximinez/work/webkit/webkit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:1881
#3  0x0000000000717e86 in JSC::GlobalCodeBlock::GlobalCodeBlock (this=0xea66f0, ownerExecutable=0x7ffff7f9ae00, unlinkedCodeBlock=0x7ffff7e5fd80, globalObject=0x7ffff7f7f180, 
    baseScopeDepth=0, sourceProvider=..., sourceOffset=0, alternative=...) at /home/ximinez/work/webkit/webkit/Source/JavaScriptCore/bytecode/CodeBlock.h:1414
#4  0x0000000000717f91 in JSC::ProgramCodeBlock::ProgramCodeBlock (this=0xea66f0, ownerExecutable=0x7ffff7f9ae00, unlinkedCodeBlock=0x7ffff7e5fd80, globalObject=0x7ffff7f7f180, 
    sourceProvider=..., alternative=...) at /home/ximinez/work/webkit/webkit/Source/JavaScriptCore/bytecode/CodeBlock.h:1427
(More stack frames follow...)
(gdb) fr 1
#1  0x0000000000470a11 in JSC::CodeBlock::dump (this=0xea66f0, exec=0x7ffff7f7f388) at /home/ximinez/work/webkit/webkit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:495
495         if (symbolTable()->captureCount())
(gdb) p symbolTable()
$2 = (JSC::SharedSymbolTable *) 0x0

It looks like the symbolTable() function returns a null pointer.
I have the same crash on x86_64 and on ARM too.
Comment 1 Gabor Ballabas 2012-11-15 02:01:52 PST
UnlinkedCodeBlock.h:465

UnlinkedCodeBlock::finishCreation

If I put that #if 0 - #endif in the code, the problem goes away,
but evidently that code didn't get there by accident so I think
someone who knows this code better should take a look at it.
Oliver?

    void finishCreation(JSGlobalData& globalData)
    {
        Base::finishCreation(globalData);
#if 0
        // Disabled for diagnosis: with this early return in place, global code
        // keeps a null m_symbolTable.
        if (codeType() == GlobalCode)
            return;
#endif
        m_symbolTable.set(globalData, this, SharedSymbolTable::create(globalData));
    }
Comment 2 Oliver Hunt 2012-11-15 10:49:08 PST
Is this happening on ToT? I thought I had landed a fix for this (the fix is to check that you have a symbol table before using it, _not_ to give global code a symbol table, that is not allowed)
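The two approaches contrasted in comment 2, shown as an added C++ example that is not part of this bug's attachments or of JavaScriptCore's source. SharedSymbolTable, UnlinkedCodeBlock, dumpCapturesUnchecked and dumpCapturesChecked are simplified stand-ins (assumptions) for JSC::SharedSymbolTable, JSC::UnlinkedCodeBlock and the captureCount() line in JSC::CodeBlock::dump; the sample blocks are constructed inline.

```cpp
#include <iostream>
#include <memory>
#include <string>

// Added illustration, not JavaScriptCore's code: the names below are
// simplified stand-ins for JSC::SharedSymbolTable, JSC::UnlinkedCodeBlock
// and the capture-count line in JSC::CodeBlock::dump (CodeBlock.cpp:495).

enum class CodeType { GlobalCode, EvalCode, FunctionCode };

// Stand-in for SharedSymbolTable; captureCount() matches SymbolTable.h:373.
struct SharedSymbolTable {
    int m_captureStart = 0;
    int m_captureEnd = 0;
    int captureCount() const { return m_captureEnd - m_captureStart; }
};

// Stand-in for the unlinked code block. As in finishCreation(), global code
// is deliberately left without a symbol table, so symbolTable() is null for it.
struct UnlinkedCodeBlock {
    CodeType codeType;
    std::unique_ptr<SharedSymbolTable> m_symbolTable;

    explicit UnlinkedCodeBlock(CodeType type, int captureStart = 0, int captureEnd = 0)
        : codeType(type)
    {
        if (codeType == CodeType::GlobalCode)
            return;
        m_symbolTable.reset(new SharedSymbolTable);
        m_symbolTable->m_captureStart = captureStart;
        m_symbolTable->m_captureEnd = captureEnd;
    }

    SharedSymbolTable* symbolTable() const { return m_symbolTable.get(); }
};

// The pattern from the backtrace: symbolTable() is dereferenced unconditionally,
// which is a null-pointer dereference (the SIGSEGV with this=0x0) for GlobalCode.
// Kept only to show the bug; never call it with a GlobalCode block.
std::string dumpCapturesUnchecked(const UnlinkedCodeBlock& block)
{
    int count = block.symbolTable()->captureCount();
    return count ? "; " + std::to_string(count) + " captured var(s)" : std::string();
}

// The fix as described in comment 2: check for a symbol table before using it,
// rather than handing global code a table it is not allowed to have.
std::string dumpCapturesChecked(const UnlinkedCodeBlock& block)
{
    if (!block.symbolTable())
        return std::string();
    int count = block.symbolTable()->captureCount();
    return count ? "; " + std::to_string(count) + " captured var(s)" : std::string();
}

int main()
{
    UnlinkedCodeBlock global(CodeType::GlobalCode);           // constructed sample
    UnlinkedCodeBlock function(CodeType::FunctionCode, 2, 5); // constructed sample, 3 captures

    std::cout << "GlobalCode" << dumpCapturesChecked(global) << '\n';
    std::cout << "FunctionCode" << dumpCapturesChecked(function) << '\n';
    // dumpCapturesUnchecked(global) would reproduce the reported crash.
    return 0;
}
```

The guard belongs at the use site (the dump), not in finishCreation(): giving global code a table silences the crash but changes what global code is, which is the point comment 2 makes.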
Comment 3 Gabor Ballabas 2012-11-16 00:33:35 PST
(In reply to comment #2)
> Is this happening on ToT? I thought I had landed a fix for this (the fix is to check that you have a symbol table before using it, _not_ to give global code a symbol table, that is not allowed)

I've checked it with r134912 and unfortunately it still crashes.