Bug 16800 - REGRESSION: stack overflow crash in regress-96526-002.js
Summary: REGRESSION: stack overflow crash in regress-96526-002.js
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Windows XP
: P1 Normal
Assignee: Nobody
URL: http://build.webkit.org/builders/trun...
Keywords: Regression
Depends on:
Blocks:
 
Reported: 2008-01-09 00:53 PST by Alexey Proskuryakov
Modified: 2008-11-20 11:34 PST

See Also:


Description Alexey Proskuryakov 2008-01-09 00:53:42 PST
WebKit_debug.dll!KJS::BracketAccessorNode::evaluate(KJS::ExecState * exec=0x0012ed5c)  Line 772	C++
WebKit_debug.dll!KJS::BracketAccessorNode::inlineEvaluate(KJS::ExecState * exec=0x0012ed5c)  Line 758 + 0x21 bytes	C++
WebKit_debug.dll!KJS::BracketAccessorNode::evaluate(KJS::ExecState * exec=0x0012ed5c)  Line 772	C++
WebKit_debug.dll!KJS::BracketAccessorNode::inlineEvaluate(KJS::ExecState * exec=0x0012ed5c)  Line 758 + 0x21 bytes	C++
WebKit_debug.dll!KJS::BracketAccessorNode::evaluate(KJS::ExecState * exec=0x0012ed5c)  Line 772	C++
...
Comment 1 Alexey Proskuryakov 2008-07-28 03:11:22 PDT
I don't have a Windows build ready right now, but this is probably obsoleted by SquirrelFish.
Comment 2 Chris Brichford 2008-07-29 15:20:33 PDT
After debugging this for a while with a SquirrelFish-enabled build, I don't think this bug is Windows specific.  Post-SquirrelFish, this bug still occurs because the CodeGenerator uses recursion to walk the parse tree to generate the byte code.

I can think of three ways to fix this bug:
#1 Have CodeGenerator::emitNode keep track of how many times it has been entered and emit code to throw an exception (or fail in some other way) when it has been re-entered too many times.
#2 Have the JS parser keep track of the depth of the parse tree and treat that as a syntax error, or insert nodes that will cause the CodeGenerator to emit code that throws an exception.
#3 Change the CodeGenerator to not use plain C++ recursion.

#3 is arguably the correct option in the long run, but may involve significant code changes in the near term, including changing the interface between parse tree nodes and the CodeGenerator.


This is the stack trace that I'm seeing:
.
.
.
#1437	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1438	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1439	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1440	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1441	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1442	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1443	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1444	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1445	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1446	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1447	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1448	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1449	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1450	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1451	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1452	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1453	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1454	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1455	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1456	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1457	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1458	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1459	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1460	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1461	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1462	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1463	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1464	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1465	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1466	0x1a765e7a in KJS::CodeGenerator::emitNode at CodeGenerator.h:175
#1467	0x1a70a50f in KJS::BracketAccessorNode::emitCode at nodes.cpp:1026
#1468	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1469	0x1a70867b in KJS::ExprStatementNode::emitCode at nodes.cpp:4861
#1470	0x1a765e20 in KJS::CodeGenerator::emitNode at CodeGenerator.h:166
#1471	0x1a707380 in statementListEmitCode at nodes.cpp:4771
#1472	0x1a70aab5 in KJS::EvalNode::emitCode at nodes.cpp:5840
#1473	0x1a6de316 in KJS::CodeGenerator::generate at CodeGenerator.cpp:136
#1474	0x1a7064cf in KJS::EvalNode::generateCode at nodes.cpp:5856
#1475	0x1a77f83d in KJS::EvalNode::code at nodes.h:3202
#1476	0x1a77e397 in KJS::Machine::execute at Machine.cpp:851
#1477	0x1a77f248 in callEval at Machine.cpp:473
#1478	0x1a77cac9 in KJS::Machine::privateExecute at Machine.cpp:2031
#1479	0x1a77ed56 in KJS::Machine::execute at Machine.cpp:776
#1480	0x1a71bb92 in KJS::Interpreter::evaluate at interpreter.cpp:81
#1481	0x1aae1b90 in WebCore::KJSProxy::evaluate at kjs_proxy.cpp:89
#1482	0x1a9a304d in WebCore::FrameLoader::executeScript at FrameLoader.cpp:819
#1483	0x1a9778a8 in WebCore::HTMLTokenizer::scriptExecution at HTMLTokenizer.cpp:556
#1484	0x1a978f6c in WebCore::HTMLTokenizer::scriptHandler at HTMLTokenizer.cpp:489
#1485	0x1a979595 in WebCore::HTMLTokenizer::parseSpecial at HTMLTokenizer.cpp:334
#1486	0x1a97b60d in WebCore::HTMLTokenizer::parseTag at HTMLTokenizer.cpp:1514
#1487	0x1a97bfb9 in WebCore::HTMLTokenizer::write at HTMLTokenizer.cpp:1749
#1488	0x1a99b6de in WebCore::FrameLoader::write at FrameLoader.cpp:1070
#1489	0x1a99b7f4 in WebCore::FrameLoader::addData at FrameLoader.cpp:1905
.
.
.
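
The mechanism Chris describes in Comment 2 (one native stack frame per level of expression nesting in the code generator) together with his options #1 and #3, as an added C++ example that is not JavaScriptCore's code. It models only the deeply nested bracket-accessor shape the trace shows: a toy arena-backed parse tree, a recursive emitter with a re-entry budget (#1), and the same emission driven by an explicit heap stack (#3). The names Node, Arena, RecursiveCodeGenerator, generateIterative, runRecursive, runIterative, the op strings and the budget of 512 are all assumptions made for the example, not identifiers from the WebKit tree.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Toy parse tree for the shape that overflows the generator: a[0][0]...[0].
// Nodes live in a flat arena and point to children by index, so building and
// destroying a very deep tree never recurses (a tree of owning pointers would
// overflow the stack in its destructor just as emitCode does during emission).
struct Node {
    enum Kind { Identifier, Number, BracketAccessor };
    Kind kind;
    int base, subscript;  // arena indices of the children (BracketAccessor only)
    std::string text;     // identifier name or numeric literal
};

struct Arena {
    std::vector<Node> nodes;
    int add(Node::Kind kind, int base, int subscript, const std::string& text) {
        nodes.push_back(Node{kind, base, subscript, text});
        return static_cast<int>(nodes.size()) - 1;
    }
};

// Builds a[0][0]...[0] with `depth` bracket accessors, without recursion.
int buildNestedAccess(Arena& arena, std::size_t depth) {
    int expr = arena.add(Node::Identifier, -1, -1, "a");
    for (std::size_t i = 0; i < depth; ++i) {
        int sub = arena.add(Node::Number, -1, -1, "0");
        expr = arena.add(Node::BracketAccessor, expr, sub, "");
    }
    return expr;
}

struct Result { bool ok; std::vector<std::string> code; };  // ok == false: refused

// Option #1 from the comment: keep the recursive walk but count re-entries into
// emitNode and refuse once nesting exceeds a budget (hypothetical limit). The
// budget protects the native stack, so maxDepth frames must fit in the smallest
// stack the generator can run on; it is not a limit on what scripts may do.
class RecursiveCodeGenerator {
public:
    RecursiveCodeGenerator(const Arena& arena, std::size_t maxDepth)
        : m_arena(arena), m_maxDepth(maxDepth) {}
    Result generate(int root) {
        Result result{true, {}};
        m_depth = 0;
        if (!emitNode(root, result.code))
            result = Result{false, {}};
        return result;
    }
private:
    bool emitNode(int index, std::vector<std::string>& code) {
        if (++m_depth > m_maxDepth) { --m_depth; return false; }  // refuse, unwind
        const Node& node = m_arena.nodes[index];
        bool ok = true;
        switch (node.kind) {
        case Node::Identifier: code.push_back("get_global " + node.text); break;
        case Node::Number:     code.push_back("load_const " + node.text); break;
        case Node::BracketAccessor:  // one native frame per nesting level
            ok = emitNode(node.base, code) && emitNode(node.subscript, code);
            if (ok) code.push_back("get_by_val");
            break;
        }
        --m_depth;
        return ok;
    }
    const Arena& m_arena;
    std::size_t m_maxDepth;
    std::size_t m_depth = 0;
};

// Option #3: the same post-order emission driven by an explicit work stack on
// the heap, so nesting costs heap memory instead of native stack frames.
Result generateIterative(const Arena& arena, int root) {
    Result result{true, {}};
    struct Frame { int index; bool childrenDone; };
    std::vector<Frame> work{Frame{root, false}};
    while (!work.empty()) {
        Frame frame = work.back();
        work.pop_back();
        const Node& node = arena.nodes[frame.index];
        if (node.kind == Node::Identifier) result.code.push_back("get_global " + node.text);
        else if (node.kind == Node::Number) result.code.push_back("load_const " + node.text);
        else if (frame.childrenDone) result.code.push_back("get_by_val");
        else {  // revisit after the children; base is pushed last so it pops first
            work.push_back({frame.index, true});
            work.push_back({node.subscript, false});
            work.push_back({node.base, false});
        }
    }
    return result;
}

// Drivers: build a chain of the given depth and run each generator on it.
Result runRecursive(std::size_t depth, std::size_t maxDepth) {
    Arena arena; int root = buildNestedAccess(arena, depth);
    return RecursiveCodeGenerator(arena, maxDepth).generate(root);
}
Result runIterative(std::size_t depth) {
    Arena arena; int root = buildNestedAccess(arena, depth);
    return generateIterative(arena, root);
}
```

Both emitters produce the same op sequence for shallow input; for a chain of 200000 accessors the budgeted recursive one refuses while the explicit-stack one finishes. The practical caveat with #1 is choosing the budget: it has to hold for the smallest thread stack the generator may run on, and because it trips in the code generator rather than at run time, it rejects deep expressions even in code that would never execute. The explicit stack turns depth into an ordinary allocation-size question, which is why the comment calls #3 the correct long-term fix.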


Comment 3 Cameron Zwarich (cpst) 2008-11-20 11:34:23 PST
This no longer occurs on the Qt bots, and the underlying bug was fixed in r38247:

http://trac.webkit.org/changeset/38247

I'll close this as fixed.