141246 – Crash in JSC::DFG::StackLayoutPhase::run

RESOLVED DUPLICATE of bug 141721 141246

Crash in JSC::DFG::StackLayoutPhase::run

https://bugs.webkit.org/show_bug.cgi?id=141246

Summary Crash in JSC::DFG::StackLayoutPhase::run

Renata Hodovan

Reported 2015-02-04 07:20:11 PST

Created attachment 246031 [details] Test case Run the following test in release or debug JSC: function fuzz(arguments) { fuzz(arguments); } fuzz(2); For the first sight it looks like a stack-overflow but according to the backtraces it might be a different issue. Running the test in debug JSC it results in an assertion failure with the following trace: ASSERTION FAILED: usesArguments() ../../Source/JavaScriptCore/bytecode/CodeBlock.h(338) : JSC::VirtualRegister JSC::CodeBlock::argumentsRegister() const Program received signal SIGSEGV, Segmentation fault. 0x00007ffff73e0095 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 321 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff73e0095 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007ffff6cf54a9 in JSC::CodeBlock::argumentsRegister (this=0x7fffb0649a00) at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:338 #2 0x00007ffff6dfd079 in JSC::DFG::Graph::argumentsRegisterFor (this=0x7fffffff2410, inlineCallFrame=0x7ffff7f92730) at ../../Source/JavaScriptCore/dfg/DFGGraph.h:415 #3 0x00007ffff6fdf182 in JSC::DFG::StackLayoutPhase::run (this=0x7fffffff1e80) at ../../Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:112 #4 0x00007ffff6fe0250 in JSC::DFG::runAndLog<JSC::DFG::StackLayoutPhase> (phase=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:77 #5 0x00007ffff6fe00ee in JSC::DFG::runPhase<JSC::DFG::StackLayoutPhase> (graph=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:87 #6 0x00007ffff6fde654 in JSC::DFG::performStackLayout (graph=...) at ../../Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp:272 #7 0x00007ffff6f2fa8c in JSC::DFG::Plan::compileInThreadImpl (this=0x7ffff7fbdd80, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:296 #8 0x00007ffff6f2f25c in JSC::DFG::Plan::compileInThread (this=0x7ffff7fbdd80, longLivedState=..., threadData=0x0) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:164 #9 0x00007ffff6e7a25d in JSC::DFG::compileImpl (vm=..., codeBlock=0x7fffb0649780, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108 #10 0x00007ffff6e7a398 in JSC::DFG::compile (vm=..., codeBlock=0x7fffb0649780, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:128 #11 0x00007ffff70d75cd in JSC::operationOptimize (exec=0x7fffffff2eb0, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1158 #12 0x00007fffb1662bc5 in ?? () #13 0x0000000000000000 in ?? () The backtrace of the release crash: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff78f4bde in JSC::DFG::StackLayoutPhase::run() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 (gdb) bt #0 0x00007ffff78f4bde in JSC::DFG::StackLayoutPhase::run() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #1 0x00007ffff78f4692 in JSC::DFG::performStackLayout(JSC::DFG::Graph&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #2 0x00007ffff78891eb in JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #3 0x00007ffff78894b6 in JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #4 0x00007ffff78154ac in JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #5 0x00007ffff79a9e27 in operationOptimize () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #6 0x00007fffb2c25b4c in ?? () #7 0x0000000000000000 in ?? ()

Attachments
Test case (59 bytes, application/javascript) 2015-02-04 07:20 PST, Renata Hodovan	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2015-02-12 11:32:47 PST

<rdar://problem/19815551>

Brent Fulgham

Comment 2 2016-08-04 16:26:48 PDT

This may be a duplicate of Bug 141721, and no longer causes a crash in WebKit. *** This bug has been marked as a duplicate of bug 141721 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 141721

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2015-02-04 07:20 PST

Modified

2016-08-04 16:26 PDT History

CC List

6 users Show

URL

Keywords InRadar

Depends on

Blocks

116980

Dependencies

tree graph