RESOLVED FIXED 124529
ASSERTION FAILED: scopeDepth() - targetScopeDepth >= 0 in JSC::BytecodeGenerator::emitPopScopes
https://bugs.webkit.org/show_bug.cgi?id=124529
Renata Hodovan
Reported 2013-11-18 11:29:00 PST
Created attachment 217216 [details] Test case

Another buggy test where nothing should have been run; instead we hit an assertion check. (The script was tested on x86_64, Ubuntu 12.04.)

    function function_0() {
        switch (var_1) {
        case "foo":
            switch (var_1) {
            case "foo":
            }
            try {
                do {
                    with (new Object()) return null;
                } while (false);
            } finally {
                break;
            }
        }
    }
    function_0();

=================================
Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff750b209 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341
    341         *(int *)(uintptr_t)0xbbadbeef = 0;
    (gdb) bt
    #0  0x00007ffff750b209 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341
    #1  0x00007ffff709dccb in JSC::BytecodeGenerator::emitPopScopes (this=0x6736a0, targetScopeDepth=1) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:2151
    #2  0x00007ffff70d205a in JSC::BreakNode::emitBytecode (this=0x670648, generator=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1899
    #3  0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x0, n=0x670648) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #4  0x00007ffff70d71bf in JSC::SourceElements::emitBytecode (this=0x670630, generator=..., dst=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
    #5  0x00007ffff70cfc4c in JSC::BlockNode::emitBytecode (this=0x670690, generator=..., dst=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1523
    #6  0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x0, n=0x670690) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #7  0x00007ffff70a25a7 in JSC::BytecodeGenerator::emitNode (this=0x6736a0, n=0x670690) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:245
    #8  0x00007ffff709d954 in JSC::BytecodeGenerator::emitComplexPopScopes (this=0x6736a0, topScope=0x675370, bottomScope=0x675340) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:2116
    #9  0x00007ffff709ddaf in JSC::BytecodeGenerator::emitPopScopes (this=0x6736a0, targetScopeDepth=0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:2164
    #10 0x00007ffff70d21ff in JSC::ReturnNode::emitBytecode (this=0x670530, generator=..., dst=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1916
    #11 0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x6736f8, n=0x670530) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #12 0x00007ffff70d236f in JSC::WithNode::emitBytecode (this=0x670578, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1932
    #13 0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x6736f8, n=0x670578) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #14 0x00007ffff70d71bf in JSC::SourceElements::emitBytecode (this=0x670478, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
    #15 0x00007ffff70cfc4c in JSC::BlockNode::emitBytecode (this=0x6705b0, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1523
    #16 0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x6736f8, n=0x6705b0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #17 0x00007ffff70d03d5 in JSC::DoWhileNode::emitBytecode (this=0x6705e8, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1638
    #18 0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x6736f8, n=0x6705e8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #19 0x00007ffff70d71bf in JSC::SourceElements::emitBytecode (this=0x670460, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
    #20 0x00007ffff70cfc4c in JSC::BlockNode::emitBytecode (this=0x670610, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1523
    #21 0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x6736f8, n=0x670610) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #22 0x00007ffff70d35a2 in JSC::TryNode::emitBytecode (this=0x6706b0, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2156
    #23 0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x6736f8, n=0x6706b0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #24 0x00007ffff70d71bf in JSC::SourceElements::emitBytecode (this=0x670380, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
    #25 0x00007ffff70d7276 in JSC::CaseClauseNode::emitBytecode (this=0x6706e8, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1942
    #26 0x00007ffff70d2deb in JSC::CaseBlockNode::emitBytecodeForBlock (this=0x670708, generator=..., switchExpression=0x673b08, dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2075
    #27 0x00007ffff70d3166 in JSC::SwitchNode::emitBytecode (this=0x670720, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2106
    #28 0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x6736f8, n=0x670720) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #29 0x00007ffff70d71bf in JSC::SourceElements::emitBytecode (this=0x670318, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
    #30 0x00007ffff70cfc4c in JSC::BlockNode::emitBytecode (this=0x670748, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1523
    #31 0x00007ffff70a257f in JSC::BytecodeGenerator::emitNode (this=0x6736a0, dst=0x6736f8, n=0x670748) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:240
    #32 0x00007ffff70d71bf in JSC::SourceElements::emitBytecode (this=0x670300, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1504
    #33 0x00007ffff70d72be in JSC::ScopeNode::emitStatementsBytecode (this=0x6733f0, generator=..., dst=0x6736f8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2206
    #34 0x00007ffff70d3d00 in JSC::FunctionBodyNode::emitBytecode (this=0x6733f0, generator=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2242
    #35 0x00007ffff709332e in JSC::BytecodeGenerator::generate (this=0x6736a0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:65
    #36 0x00007ffff708a970 in JSC::generateFunctionCodeBlock (vm=..., executable=0x7fffa9a674e0, source=..., kind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:66
    #37 0x00007ffff708b1e8 in JSC::UnlinkedFunctionExecutable::codeBlockFor (this=0x7fffa9a674e0, vm=..., source=..., specializationKind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:161
    #38 0x00007ffff73d6421 in JSC::ScriptExecutable::newCodeBlockFor (this=0x7fffa987fe70, kind=JSC::CodeForCall, scope=0x7fffa9a0f970, exception=@0x7fffffffc438: 0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:211
    #39 0x00007ffff73d6ad1 in JSC::ScriptExecutable::prepareForExecutionImpl (this=0x7fffa987fe70, exec=0x7fffa9e70f30, scope=0x7fffa9a0f970, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:293
    #40 0x00007ffff72a79aa in JSC::ScriptExecutable::prepareForExecution (this=0x7fffa987fe70, exec=0x7fffa9e70f30, scope=0x7fffa9a0f970, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.h:415
    #41 0x00007ffff7505cb3 in JSC::LLInt::setUpCall (execCallee=0x7fffa9e70f30, pc=0x673120, kind=JSC::CodeForCall, calleeAsValue=..., callLinkInfo=0x6728b0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1043
    #42 0x00007ffff75060e1 in JSC::LLInt::genericCall (exec=0x7fffa9e70f78, pc=0x673120, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1090
    #43 0x00007ffff75023f4 in JSC::LLInt::llint_slow_path_call (exec=0x7fffa9e70f78, pc=0x673120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1096
    #44 0x00007ffff750a247 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
    #45 0x00007fffaa6b1920 in ?? ()
    #46 0x00000000006573d8 in ?? ()
    #47 0x0000000000000000 in ?? ()
Attachments
Test case (367 bytes, text/plain)
2013-11-18 11:29 PST, Renata Hodovan
no flags
proposed fix (1.35 KB, patch)
2013-12-30 02:15 PST, Gabor Rapcsanyi
no flags
proposed fix with test case (3.95 KB, patch)
2014-01-07 07:41 PST, Gabor Rapcsanyi
no flags
Gabor Rapcsanyi
Comment 1 2013-12-30 02:15:32 PST
Created attachment 220103 [details] proposed fix
Gabor Rapcsanyi
Comment 2 2014-01-07 07:41:37 PST
Created attachment 220525 [details] proposed fix with test case
Geoffrey Garen
Comment 3 2014-01-07 10:57:22 PST
Comment on attachment 220525 [details] proposed fix with test case

r=me

Do we need the same fix in BytecodeGenerator::emitComplexPopScopes?
WebKit Commit Bot
Comment 4 2014-01-07 11:06:59 PST
Comment on attachment 220525 [details] proposed fix with test case

Clearing flags on attachment: 220525

Committed r161437: <http://trac.webkit.org/changeset/161437>
WebKit Commit Bot
Comment 5 2014-01-07 11:07:03 PST
All reviewed patches have been landed. Closing bug.
Gabor Rapcsanyi
Comment 6 2014-01-08 01:25:26 PST
(In reply to comment #3)
> (From update of attachment 220525 [details])
> r=me
>
> Do we need the same fix in BytecodeGenerator::emitComplexPopScopes?

The problem started in BytecodeGenerator::emitComplexPopScopes at

    bool flipLabelScopes = finallyContext.labelScopesSize != m_labelScopes.size();

because we had a wrong labelScopesSize here in the finallyContext, and the patch fixed this bug.
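The construct that tripped the assertion is a `break` in a `finally` whose `try` body holds a pending `return` from inside a `with` scope nested in a do-while. As an added regression-style check, written for this page and not taken from the patch or its test case, the block below compiles that exact nesting with the Function constructor (so `with` is always parsed in sloppy mode, whatever mode the enclosing file is in) and then checks the ECMAScript semantics the generated bytecode must implement: the `break` in `finally` discards the pending `return` and execution resumes after the switch. The names SHAPE_SOURCE, compileShape and runShape are this example's own, and the switch discriminant and with-object are passed in as parameters in place of the report's undeclared `var_1`.

```javascript
// Added example (not the patch's test case): the nesting from the report,
// with the switch discriminant and the with-object passed in as parameters
// instead of the report's undeclared `var_1`. Names are this example's own.
var SHAPE_SOURCE = [
  "var trace = [];",
  "switch (value) {",
  "  case 'foo':",
  "    switch (value) { case 'foo': }",    // empty inner switch, as in the report
  "    try {",
  "      do {",
  "        with (scope) {",
  "          trace.push('with:' + tag);",  // `tag` resolves through the with-scope object
  "          return null;",                // pending return, to be discarded by finally
  "        }",
  "      } while (false);",
  "    } finally {",
  "      trace.push('finally');",
  "      break;",                          // break in finally overrides the pending return
  "    }",
  "}",
  "trace.push('after-switch');",
  "return trace;"
].join("\n");

// Function(...) always parses its body in sloppy mode, so `with` is legal here
// even when this file itself is strict or an ES module. Under the buggy
// generator this compile step is where the bytecode compiler asserted; a
// correct engine just hands back a callable function.
function compileShape() {
  return new Function("value", "scope", SHAPE_SOURCE);
}

// Run the compiled shape and return its execution trace as a comma-joined
// string, so the observable order of side effects can be compared directly.
function runShape(value, scope) {
  return compileShape()(value, scope).join(",");
}

// Expected ECMAScript semantics (not engine-specific behaviour):
//   runShape("foo", { tag: "x" }) -> "with:x,finally,after-switch"
//   runShape("bar", { tag: "x" }) -> "after-switch"
```

Because the check asserts on the observable trace rather than on engine internals, it passes on any conforming engine; on a build with the original defect it would fail at the compile step instead, which is the symptom this bug reports.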