WebKit Bugzilla
RESOLVED FIXED
Bug 144293
FTL failed to initialize arguments.callee on the slow path as well as the fast path
https://bugs.webkit.org/show_bug.cgi?id=144293
Mark Lam
Reported
2015-04-27 16:42:53 PDT
Here's the test case:

=== BEGIN ===
function foo(e) {
    if (e) {
        arguments[0]--;
        return arguments.callee.apply(this, arguments);
    }
}

try {
    for (var i = 0; i < 10000; i++)
        foo(1);
} catch (e) {
    print("ERROR: " + e);
}
=== END ===

Run it in a debug build of jsc like so:

$ JSC_enableConcurrentJIT=0 DYLD_FRAMEWORK_PATH=WebKitBuild/Debug/ WebKitBuild/Debug/jsc test.js

And you'll get this crash trace:

(lldb) bt
* thread #1: tid = 0x61fc1a, 0x0000000100a80cda JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x0000000100a80cda JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321
  * frame #1: 0x000000010069dd3b JavaScriptCore`JSC::PropertySlot::setValue(this=0x00007fff5fbfdd78, slotBase=0x0000000104250500, attributes=4, value=JSValue at 0x00007fff5fbfdaa8) + 91 at PropertySlot.h:127
    frame #2: 0x00000001006e430e JavaScriptCore`JSC::GenericArguments<JSC::DirectArguments>::getOwnPropertySlot(object=0x0000000104250500, exec=0x00007fff5fbfde80, ident=PropertyName at 0x00007fff5fbfdb90, slot=0x00007fff5fbfdd78) + 334 at GenericArgumentsInlines.h:46
    frame #3: 0x000000010009ee67 JavaScriptCore`JSC::JSObject::fastGetOwnPropertySlot(this=0x0000000104250500, exec=0x00007fff5fbfde80, vm=0x0000000104010000, structure=0x0000000104034db0, propertyName=PropertyName at 0x00007fff5fbfdbf0, slot=0x00007fff5fbfdd78) + 167 at JSObject.h:1257
    frame #4: 0x000000010009ebdc JavaScriptCore`JSC::JSObject::getPropertySlot(this=0x0000000104250500, exec=0x00007fff5fbfde80, propertyName=PropertyName at 0x00007fff5fbfdca0, slot=0x00007fff5fbfdd78) + 156 at JSObject.h:1269
    frame #5: 0x00000001000a21a8 JavaScriptCore`JSC::JSValue::getPropertySlot(this=0x00007fff5fbfddb0, exec=0x00007fff5fbfde80, propertyName=PropertyName at 0x00007fff5fbfdd00, slot=0x00007fff5fbfdd78) const + 232 at JSCJSValueInlines.h:719
    frame #6: 0x000000010067adb2 JavaScriptCore`operationGetByIdOptimize(exec=0x00007fff5fbfde80, stubInfo=0x0000000105fed4b0, base=4364502272, uid=0x0000000105ff3a40) + 162 at JITOperations.cpp:188
    frame #7: 0x00003242ffa035c0
    frame #8: 0x00003242ffa02529

From frame 2:

(lldb) fr sel 2
frame #2: 0x00000001006e430e JavaScriptCore`JSC::GenericArguments<JSC::DirectArguments>::getOwnPropertySlot(object=0x0000000104250500, exec=0x00007fff5fbfde80, ident=PropertyName at 0x00007fff5fbfdb90, slot=0x00007fff5fbfdd78) + 334 at GenericArgumentsInlines.h:46
   43             return true;
   44         }
   45         if (ident == vm.propertyNames->callee) {
-> 46             slot.setValue(thisObject, DontEnum, thisObject->callee().get());
   47             return true;
   48         }
   49         if (ident == vm.propertyNames->iteratorSymbol) {
(lldb) p thisObject
(JSC::DirectArguments *) $0 = 0x0000000104250500
(lldb) p thisObject->callee()
(JSC::WriteBarrier<JSC::JSFunction>) $1 = {
  JSC::WriteBarrierBase<JSC::JSFunction> = {
    m_cell = 0x0000000000000000
  }
}
Attachments
the patch (2.59 KB, patch), 2015-04-27 21:35 PDT, Filip Pizlo; mark.lam: review+
Mark Lam
Comment 1
2015-04-27 16:43:55 PDT
<rdar://problem/20702553>
Filip Pizlo
Comment 2
2015-04-27 21:35:36 PDT
Created attachment 251822 [details]
the patch
Mark Lam
Comment 3
2015-04-27 21:37:16 PDT
Comment on attachment 251822 [details]
the patch

r=me
Filip Pizlo
Comment 4
2015-04-27 21:46:19 PDT
Landed in http://trac.webkit.org/changeset/183453