Bug 144293 - FTL failed to initialize arguments.callee on the slow path as well as the fast path
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Filip Pizlo
Keywords: InRadar
Reported: 2015-04-27 16:42 PDT by Mark Lam
Modified: 2015-04-27 21:46 PDT
Attachments
the patch (2.59 KB, patch)
2015-04-27 21:35 PDT, Filip Pizlo
mark.lam: review+
Description Mark Lam 2015-04-27 16:42:53 PDT
Here's the test case:

=== BEGIN ===
function foo(e) {
    if (e) {
        // Writing to arguments forces a real arguments object to be materialized
        arguments[0]--;
        // arguments.callee must be the enclosing function; escaping the
        // arguments object through apply takes the slow path
        return arguments.callee.apply(this, arguments);
    }
}

try {
    for (var i = 0; i < 10000; i++)
        foo(1);
} catch (e) {
    print("ERROR: " + e);
}
=== END ===

Run it in a debug build of jsc like so:
$ JSC_enableConcurrentJIT=0 DYLD_FRAMEWORK_PATH=WebKitBuild/Debug/ WebKitBuild/Debug/jsc test.js

And you'll get this crash trace:

(lldb) bt
* thread #1: tid = 0x61fc1a, 0x0000000100a80cda JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x0000000100a80cda JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321
  * frame #1: 0x000000010069dd3b JavaScriptCore`JSC::PropertySlot::setValue(this=0x00007fff5fbfdd78, slotBase=0x0000000104250500, attributes=4, value=JSValue at 0x00007fff5fbfdaa8) + 91 at PropertySlot.h:127
    frame #2: 0x00000001006e430e JavaScriptCore`JSC::GenericArguments<JSC::DirectArguments>::getOwnPropertySlot(object=0x0000000104250500, exec=0x00007fff5fbfde80, ident=PropertyName at 0x00007fff5fbfdb90, slot=0x00007fff5fbfdd78) + 334 at GenericArgumentsInlines.h:46
    frame #3: 0x000000010009ee67 JavaScriptCore`JSC::JSObject::fastGetOwnPropertySlot(this=0x0000000104250500, exec=0x00007fff5fbfde80, vm=0x0000000104010000, structure=0x0000000104034db0, propertyName=PropertyName at 0x00007fff5fbfdbf0, slot=0x00007fff5fbfdd78) + 167 at JSObject.h:1257
    frame #4: 0x000000010009ebdc JavaScriptCore`JSC::JSObject::getPropertySlot(this=0x0000000104250500, exec=0x00007fff5fbfde80, propertyName=PropertyName at 0x00007fff5fbfdca0, slot=0x00007fff5fbfdd78) + 156 at JSObject.h:1269
    frame #5: 0x00000001000a21a8 JavaScriptCore`JSC::JSValue::getPropertySlot(this=0x00007fff5fbfddb0, exec=0x00007fff5fbfde80, propertyName=PropertyName at 0x00007fff5fbfdd00, slot=0x00007fff5fbfdd78) const + 232 at JSCJSValueInlines.h:719
    frame #6: 0x000000010067adb2 JavaScriptCore`operationGetByIdOptimize(exec=0x00007fff5fbfde80, stubInfo=0x0000000105fed4b0, base=4364502272, uid=0x0000000105ff3a40) + 162 at JITOperations.cpp:188
    frame #7: 0x00003242ffa035c0
    frame #8: 0x00003242ffa02529

From frame 2:

(lldb) fr sel 2
frame #2: 0x00000001006e430e JavaScriptCore`JSC::GenericArguments<JSC::DirectArguments>::getOwnPropertySlot(object=0x0000000104250500, exec=0x00007fff5fbfde80, ident=PropertyName at 0x00007fff5fbfdb90, slot=0x00007fff5fbfdd78) + 334 at GenericArgumentsInlines.h:46
   43  	            return true;
   44  	        }
   45  	        if (ident == vm.propertyNames->callee) {
-> 46  	            slot.setValue(thisObject, DontEnum, thisObject->callee().get());
   47  	            return true;
   48  	        }
   49  	        if (ident == vm.propertyNames->iteratorSymbol) {

(lldb) p thisObject
(JSC::DirectArguments *) $0 = 0x0000000104250500

(lldb) p thisObject->callee()
(JSC::WriteBarrier<JSC::JSFunction>) $1 = {
  JSC::WriteBarrierBase<JSC::JSFunction> = {
    m_cell = 0x0000000000000000
  }
}
Comment 1 Mark Lam 2015-04-27 16:43:55 PDT
<rdar://problem/20702553>
Comment 2 Filip Pizlo 2015-04-27 21:35:36 PDT
Created attachment 251822 [details]
the patch
Comment 3 Mark Lam 2015-04-27 21:37:16 PDT
Comment on attachment 251822 [details]
the patch

r=me
Comment 4 Filip Pizlo 2015-04-27 21:46:19 PDT
Landed in http://trac.webkit.org/changeset/183453