RESOLVED INVALID 164120
SEGFAULT in JSC::BytecodeIntrinsicNode
https://bugs.webkit.org/show_bug.cgi?id=164120
Kamil Frankowicz
Reported 2016-10-28 03:51:49 PDT
Created attachment 293140 [details]
POC to trigger SEGFAULT (jsc)

Affected SVN revision: 208042

To reproduce the problem:
./jsc webkit_jsc_bytecode.js

ASAN Output:
ASAN:DEADLYSIGNAL
=================================================================
==17333==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f12116555e5 bp 0x0000005803b0 sp 0x7fff0fd316f0 T0)
==17333==The signal is caused by a READ memory access.
==17333==Hint: address points to the zero page.
    #0 0x7f12116555e4 in JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById(JSC::BytecodeGenerator&, JSC::RegisterID*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:950:18
    #1 0x7f121166c22c in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:418:23
    #2 0x7f121166c22c in JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:407
    #3 0x7f121166c22c in JSC::BytecodeGenerator::emitNode(JSC::ExpressionNode*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:423
    #4 0x7f121166c22c in JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode*, bool, bool) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:486
    #5 0x7f121166c22c in JSC::BinaryOpNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1894
    #6 0x7f121166c22c in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:418:23
    #7 0x7f121166c22c in JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:407
    #8 0x7f121166c22c in JSC::BytecodeGenerator::emitNode(JSC::ExpressionNode*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:423
    #9 0x7f121166c22c in JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode*, bool, bool) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:486
    #10 0x7f121166c22c in JSC::BinaryOpNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1894
    #11 0x7f1211682407 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:418:23
    #12 0x7f1211682407 in JSC::ReturnNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3011
    #13 0x7f1211679d32 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:391:16
    #14 0x7f1211679d32 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2372
    #15 0x7f1211679d32 in JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2392
    #16 0x7f12116895e3 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:391:16
    #17 0x7f12116895e3 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2372
    #18 0x7f12116895e3 in JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3326
    #19 0x7f12116895e3 in JSC::FunctionNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3452
    #20 0x7f12115c3e8a in JSC::BytecodeGenerator::generate() XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:120:22
    #21 0x7f12115bdfa7 in JSC::ParserError JSC::BytecodeGenerator::generate<JSC::FunctionNode*, JSC::UnlinkedFunctionCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*>(JSC::VM&, JSC::FunctionNode*&&, JSC::UnlinkedFunctionCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*&&) XYZ/webkit/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:296:39
    #22 0x7f12115bd3a4 in JSC::generateUnlinkedFunctionCodeBlock(JSC::VM&, JSC::UnlinkedFunctionExecutable*, JSC::SourceCode const&, JSC::CodeSpecializationKind, JSC::DebuggerMode, JSC::UnlinkedFunctionKind, JSC::ParserError&, JSC::SourceParseMode) XYZ/webkit/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:71:13
    #23 0x7f12115bd3a4 in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, JSC::DebuggerMode, JSC::ParserError&, JSC::SourceParseMode) XYZ/webkit/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:207
    #24 0x7f121268ef1f in JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*, JSC::JSObject*&) XYZ/webkit/Source/JavaScriptCore/runtime/Executable.cpp:314:43
    #25 0x7f12126904c3 in JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) XYZ/webkit/Source/JavaScriptCore/runtime/Executable.cpp:408:28
    #26 0x7f12122a49a4 in JSC::JSObject* JSC::ScriptExecutable::prepareForExecution<JSC::FunctionExecutable>(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) XYZ/webkit/Source/JavaScriptCore/runtime/Executable.h:773:12
    #27 0x7f12122a49a4 in JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) XYZ/webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1278
    #28 0x7f12122accbb (XYZ/webkit/WebKitBuild/Release/lib/libJavaScriptCore.so.1+0x18abcbb)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/webkit/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:950:18 in JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById(JSC::BytecodeGenerator&, JSC::RegisterID*)
==17333==ABORTING

Regards,
Kamil Frankowicz
Attachments
POC to trigger SEGFAULT (jsc) (861 bytes, application/javascript)
2016-10-28 03:51 PDT, Kamil Frankowicz
no flags
Radar WebKit Bug Importer
Comment 1 2016-10-29 11:39:56 PDT
Yusuke Suzuki
Comment 2 2016-10-29 22:37:14 PDT
That's OK. `@tryGetById` does not accept the form `@tryGetById("value")`. These are called "bytecode intrinsics". They are a special hatch for JSC builtin functions. They have some privileges that are not exposed to user JS. They are only allowed to be used in the JSC builtin code and are not exposed in the user environment. But actually, the above code works. This is because the function "createBuiltin" is a function for testing builtins in the JSC shell harness. So it should not be exposed to users. And actually, it is only exposed in the JSC shell.