Bug 127677 - Segfault in JSC::JITCode::execute
Summary: Segfault in JSC::JITCode::execute
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2014-01-27 01:59 PST by Martin Hodovan
Modified: 2016-08-03 14:00 PDT

See Also:


Attachments
Test case (115 bytes, application/javascript)
2014-01-27 01:59 PST, Martin Hodovan
no flags
JSC dump (472.17 KB, text/x-log)
2014-01-27 02:29 PST, Martin Hodovan
no flags

Description Martin Hodovan 2014-01-27 01:59:33 PST
Created attachment 222311 [details]
Test case

The failing test: (The test was run on x86_64, Ubuntu 13.04)
function function_0 ()
{
	if (!new Array(0, -1).some(function_0))
		[ 
			{
				y : 0 
			}
		], x;
}
function_0();

The backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007fffaa57b0b0 in ?? ()
(gdb) bt
#0  0x00007fffaa57b0b0 in ?? ()
#1  0x00007fffea579100 in ?? ()
#2  0x0000000000651670 in ?? ()
#3  0xffff000000000002 in ?? ()
#4  0xffff000000000000 in ?? ()
#5  0x00007fffffffde70 in ?? ()
#6  0x00007fffa9d4c0f0 in ?? ()
#7  0x00007ffffff57790 in ?? ()
#8  0x00007ffff7248acc in JSC::JITCode::execute (this=0xa, vm=0xffff0000ffffffff, protoCallFrame=0xffff000000000000, topOfStack=0xa)
    at /home/martin/Data/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:48
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
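An added triage helper for the backtrace above, written for this page and not part of the bug report or of WebKit: it interprets the 64-bit words gdb prints as JavaScriptCore JSValues using the 64-bit NaN-boxing scheme. The constants (TagTypeNumber 0xffff000000000000, DoubleEncodeOffset 1 << 48, and the immediates 0x2 null, 0x6 false, 0x7 true, 0xa undefined) are assumed from JSCJSValue.h as it stood in early 2014 and should be re-checked against the revision being debugged; the sample input is the set of frames quoted from the report, and decode_backtrace / encode_double are helper names chosen here.

```python
import re
import struct

# JSC 64-bit JSValue encoding (NaN-boxing) as of early 2014. The constants are
# assumed from JSCJSValue.h of that era; later JSC revisions moved the integer
# tag and the double offset, so verify them before trusting the output.
TAG_TYPE_NUMBER = 0xFFFF000000000000   # top 16 bits set: int32 payload in the low 32 bits
DOUBLE_ENCODE_OFFSET = 1 << 48         # added to the raw IEEE-754 bits of a double
TAG_BIT_TYPE_OTHER = 0x2
TAG_BIT_BOOL = 0x4
TAG_BIT_UNDEFINED = 0x8

IMMEDIATES = {
    0x0: "empty",
    TAG_BIT_TYPE_OTHER: "null",                             # 0x2
    TAG_BIT_TYPE_OTHER | TAG_BIT_BOOL | 0: "false",         # 0x6
    TAG_BIT_TYPE_OTHER | TAG_BIT_BOOL | 1: "true",          # 0x7
    TAG_BIT_TYPE_OTHER | TAG_BIT_UNDEFINED: "undefined",    # 0xa
}


def decode_jsvalue(word):
    """Interpret one 64-bit machine word as a JSC JSValue.

    Returns a (kind, value) pair. "pointer" only means the top 16 bits are
    clear: the word may be a JSCell*, a code address or a stack address.
    """
    word &= (1 << 64) - 1
    if word in IMMEDIATES:
        return ("immediate", IMMEDIATES[word])
    top16 = word >> 48
    if top16 == 0xFFFF:
        raw = word & 0xFFFFFFFF
        return ("int32", raw - (1 << 32) if raw & 0x80000000 else raw)
    if 0x0001 <= top16 <= 0xFFFE:
        bits = word - DOUBLE_ENCODE_OFFSET
        return ("double", struct.unpack("<d", struct.pack("<Q", bits))[0])
    return ("pointer", word)


def encode_double(value):
    """Inverse of the double branch in decode_jsvalue, used to self-check it."""
    return struct.unpack("<Q", struct.pack("<d", value))[0] + DOUBLE_ENCODE_OFFSET


FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+)")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")


def decode_backtrace(text):
    """Run every gdb frame address and every name=0x... argument through the decoder.

    Returns a list of (frame_number, decoded_frame_address, {arg: decoded}).
    """
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        args = {name: decode_jsvalue(int(hexval, 16))
                for name, hexval in ARG_RE.findall(line)}
        frames.append((int(m.group(1)), decode_jsvalue(int(m.group(2), 16)), args))
    return frames


# Frames copied from the gdb output in the report above (frames 1, 2, 5-7 omitted).
REPORTED_BACKTRACE = """\
#0  0x00007fffaa57b0b0 in ?? ()
#3  0xffff000000000002 in ?? ()
#4  0xffff000000000000 in ?? ()
#8  0x00007ffff7248acc in JSC::JITCode::execute (this=0xa, vm=0xffff0000ffffffff, protoCallFrame=0xffff000000000000, topOfStack=0xa)
"""

if __name__ == "__main__":
    for frame_no, addr, args in decode_backtrace(REPORTED_BACKTRACE):
        print(f"#{frame_no}: {addr} {args}")
```

Read this way, frames #3 and #4 are the int32 values 2 and 0, and the arguments gdb shows for JITCode::execute are this=undefined, vm=-1, protoCallFrame=0 and topOfStack=undefined rather than plausible addresses, which is consistent with gdb's "corrupt stack?" warning: the slots it is walking hold tagged JS values, not saved frame pointers and return addresses.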
Comment 1 Martin Hodovan 2014-01-27 02:29:00 PST
Created attachment 222314 [details]
JSC dump
Comment 2 Alexey Proskuryakov 2014-01-27 09:16:46 PST
I cannot reproduce this with ToT on Mac.
Comment 3 Martin Hodovan 2014-01-28 02:29:15 PST
I've double-checked the test again on revision 162921 and the issue still seems valid to me.
Comment 4 Zan Dobersek 2014-01-28 03:57:07 PST
I can reproduce it on GTK WK1 and WK2.
Comment 5 Csaba Osztrogonác 2014-02-13 03:32:49 PST
Isn't it related to the cstack merge?
Comment 6 Brent Fulgham 2016-08-03 14:00:26 PDT
This does not occur on Mac under r204037. I doubt this is happening on other platforms either, since the fix was in JSC.