WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
135155
ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
https://bugs.webkit.org/show_bug.cgi?id=135155
Summary
ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJ...
Renata Hodovan
Reported
2014-07-22 02:29:51 PDT
Created
attachment 235280
[details]
Test case Release assert was hit in DFGSpeculativeJIT with the following script: function run() { for (var t = 1; 1 <= 2; t++) { t.length = function() { var foo = iv.charCodeAt(foo, undefined); }; } } run(); The test was run on Ubuntu 13.10, x86_64. The related backtrace: ASSERTION FAILED: info.spillFormat() & DataFormatJS ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1022) : JSC::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge) 1 0x7ffff73b4662 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(WTFCrash+0x1e) [0x7ffff73b4662] 2 0x7ffff70643c7 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT17fillSpeculateCellENS0_4EdgeE+0x24f) [0x7ffff70643c7] 3 0x7ffff704c695 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG20SpeculateCellOperand3gprEv+0x71) [0x7ffff704c695] 4 0x7ffff7041382 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT19compileStoreBarrierEPNS0_4NodeE+0xa6) [0x7ffff7041382] 5 0x7ffff7077cc9 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT7compileEPNS0_4NodeE+0xf771) [0x7ffff7077cc9] 6 0x7ffff702f4d5 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT19compileCurrentBlockEv+0x613) [0x7ffff702f4d5] 7 0x7ffff702fa8a /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT7compileEv+0x98) [0x7ffff702fa8a] 8 0x7ffff6fc43a2 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG11JITCompiler11compileBodyEv+0x26) [0x7ffff6fc43a2] 9 0x7ffff6fc5b4e /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG11JITCompiler15compileFunctionEv+0x19a) [0x7ffff6fc5b4e] 10 0x7ffff7018d35 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG4Plan19compileInThreadImplERNS0_14LongLivedStateE+0x5af) [0x7ffff7018d35] 11 0x7ffff7018514 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG4Plan15compileInThreadERNS0_14LongLivedStateEPNS0_10ThreadDataE+0x148) [0x7ffff7018514] 12 0x7ffff6f95e36 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(+0xab8e36) [0x7ffff6f95e36] 13 0x7ffff6f95ecd /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG7compileERNS_2VMEPNS_9CodeBlockES4_NS0_15CompilationModeEjRKNS_8OperandsINS_7JSValueENS_18OperandValueTraitsIS7_EEEEN3WTF10PassRefPtrINS_27DeferredCompilationCallbackEEE+0x6a) [0x7ffff6f95ecd] 14 0x7ffff715b80a /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(+0xc7e80a) [0x7ffff715b80a] 15 0x7ffff2914d66 [0x7ffff2914d66] Program received signal SIGSEGV, Segmentation fault. 0x00007ffff73b4667 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 329 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff73b4667 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 #1 0x00007ffff70643c7 in JSC::DFG::SpeculativeJIT::fillSpeculateCell (this=0x68e8d0, edge=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1022 #2 0x00007ffff704c695 in JSC::DFG::SpeculateCellOperand::gpr (this=0x7fffffffb4b0) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:3064 #3 0x00007ffff7041382 in JSC::DFG::SpeculativeJIT::compileStoreBarrier (this=0x68e8d0, node=0x7fffb08a0e80) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:5359 #4 0x00007ffff7077cc9 in JSC::DFG::SpeculativeJIT::compile (this=0x68e8d0, node=0x7fffb08a0e80) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4687 #5 0x00007ffff702f4d5 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x68e8d0) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1453 #6 0x00007ffff702fa8a in JSC::DFG::SpeculativeJIT::compile (this=0x68e8d0) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1565 #7 0x00007ffff6fc43a2 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffbc40) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:113 #8 0x00007ffff6fc5b4e in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffbc40) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:347 #9 0x00007ffff7018d35 in JSC::DFG::Plan::compileInThreadImpl (this=0x68a7b0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:290 #10 0x00007ffff7018514 in JSC::DFG::Plan::compileInThread (this=0x68a7b0, longLivedState=..., threadData=0x0) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:159 #11 0x00007ffff6f95e36 in JSC::DFG::compileImpl (vm=..., codeBlock=0x68c010, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=8, mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:104 #12 0x00007ffff6f95ecd in JSC::DFG::compile (vm=..., codeBlock=0x68c010, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=8, mustHandleValues=..., passedCallback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:124 #13 0x00007ffff715b80a in JSC::operationOptimize (exec=0x7fffffffcc40, bytecodeIndex=8) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1195 #14 0x00007ffff2914d66 in ?? () #15 0x0000000000654490 in ?? () #16 0x00007fffb08c53f0 in ?? () #17 0xffff0000000005d5 in ?? () #18 0xffff0000000005d6 in ?? () #19 0x00007fffffffcc90 in ?? () #20 0x00007ffff739e0c8 in llint_entry () from /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0 Backtrace stopped: frame did not save the PC
Attachments
Test case
(163 bytes, application/javascript)
2014-07-22 02:29 PDT
,
Renata Hodovan
no flags
Details
the patch
(2.26 KB, patch)
2014-07-22 11:07 PDT
,
Filip Pizlo
oliver
: review+
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1
2014-07-22 10:06:06 PDT
<
rdar://problem/17763909
>
Filip Pizlo
Comment 2
2014-07-22 11:03:58 PDT
This is not a security bug. In the future, please don't put compiler release asserts into the security component. It is misleading.
Filip Pizlo
Comment 3
2014-07-22 11:07:32 PDT
Created
attachment 235299
[details]
the patch
Geoffrey Garen
Comment 4
2014-07-22 11:19:28 PDT
Comment on
attachment 235299
[details]
the patch View in context:
https://bugs.webkit.org/attachment.cgi?id=235299&action=review
Does the 32_64 path need this change too? Maybe not because 32_64 already has an explicit int path?
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1028 > RELEASE_ASSERT(info.spillFormat() & DataFormatJS);
This ASSERT seems redundant now, since the clause above checks the same condition.
Filip Pizlo
Comment 5
2014-07-22 11:24:21 PDT
(In reply to
comment #4
)
> (From update of
attachment 235299
[details]
) > View in context:
https://bugs.webkit.org/attachment.cgi?id=235299&action=review
> > Does the 32_64 path need this change too? Maybe not because 32_64 already has an explicit int path? > > > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1028 > > RELEASE_ASSERT(info.spillFormat() & DataFormatJS); > > This ASSERT seems redundant now, since the clause above checks the same condition.
Yup, removed.
Filip Pizlo
Comment 6
2014-07-22 12:48:27 PDT
Landed in
http://trac.webkit.org/changeset/171354
Renata Hodovan
Comment 7
2014-07-22 14:36:14 PDT
(In reply to
comment #2
)
> This is not a security bug. In the future, please don't put compiler release asserts into the security component. It is misleading.
I'm sorry. It seems that two weeks of vacation had bad effect on my memory. I remembered that release asserts should be reported as security in WebKit too. Next time I'll be more careful.
Filip Pizlo
Comment 8
2014-07-22 14:44:53 PDT
(In reply to
comment #7
)
> (In reply to
comment #2
) > > This is not a security bug. In the future, please don't put compiler release asserts into the security component. It is misleading. > > I'm sorry. It seems that two weeks of vacation had bad effect on my memory. I remembered that release asserts should be reported as security in WebKit too. Next time I'll be more careful.
No problem. I believe that there is an ASSERT_WITH_SECURITY_IMPLICATIONS macro somewhere, which is meant to help disambiguate. Release assertions in JSC are almost never security-related.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug