TO REPRODUCE:
1. navigate to nytimes.com -> crash

ASSERTION FAILED: addressOffset < instructions.size()
(/Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/CodeBlock.cpp:541 bool KJS::CodeBlock::getHandlerForVPC(const KJS::Instruction*, KJS::Instruction*&, int&))
Program received signal: “EXC_BAD_ACCESS”.

Script URL: http://pagead2.googlesyndication.com/pagead/show_ads.js
Script: m_buffer = 0x1a0d1000 "(function(){?var f=document,j=navigator,l=window;function da(){var b=f.cookie,a=Math.round((new Date).getTime()/1000),c=b.indexOf(\"__utma=\")>-1,e=b.indexOf(\"__utmb=\")>-1,d=b.indexOf(\"__utmc=\")>-1,g,i="..., m_capacity = 19864

Top of Backtrace:
#0 0x00651cfe in KJS::CodeBlock::getHandlerForVPC (this=0x19d40000, vPC=0x19d48280, target=@0xbfffccb0, scopeDepth=@0xbfffccb4) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/CodeBlock.cpp:541
#1 0x0063bd43 in KJS::Machine::throwException (this=0x682760, exec=0xbfffdab4, exceptionValue=0x19d4b260, registerBase=0x18037680, vPC=0x19d48280, codeBlock=@0xbfffda98, k=@0xbfffce08, scopeChain=@0xbfffda94, r=@0xbfffda90) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/Machine.cpp:539
#2 0x00641a92 in KJS::Machine::privateExecute (this=0x682760, flag=KJS::Machine::Normal, exec=0xbfffdab4, registerFile=0x18037670, r=0x6c26bef0, scopeChain=0x19fe7270, codeBlock=0x19d40000, exception=0xbfffdb4c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/Machine.cpp:2008
#3 0x00642303 in KJS::Machine::execute (this=0x682760, programNode=0x19fb8760, exec=0x19bc9c8c, scopeChain=0x18037660, thisObj=0x19d40000, registerFileStack=0x19bc9c68, exception=0xbfffdb4c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/Machine.cpp:577
#4 0x005e2e5b in KJS::Interpreter::evaluate (exec=0x19bc9c8c, scopeChain=@0x19bc9c88, sourceURL=@0xbfffdbd4, startingLineNumber=0, code=0x19ed5000, codeLength=19863, thisValue=0x19d40000) at interpreter.cpp:84
#5 0x024282e7 in WebCore::KJSProxy::evaluate (this=0x152c2dc0, filename=@0xbfffde08, baseLine=0, str=@0xbfffde8c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/WebCore/bindings/js/kjs_proxy.cpp:87
#6 0x01fea437 in WebCore::FrameLoader::executeScript (this=0x409b800, url=@0xbfffde08, baseLine=0, script=@0xbfffde8c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/WebCore/loader/FrameLoader.cpp:771
#7 0x0206e53e in WebCore::HTMLTokenizer::scriptExecution (this=0x418d200, str=@0xbfffde8c, state={static EntityShift = 4, m_bits = 0}, scriptURL=@0xbfffde88, baseLine=0) at /Volumes/Big/ggaren/Labyrinth/OpenSource/WebCore/html/HTMLTokenizer.cpp:540
I don't crash on nytimes.com but I see similar crashes on arstechnica.
Here is another URL that repeatedly crashes SquirrelFish for me in unwindCallFrame: http://blog.wired.com/games/2008/05/for-wiiware-nin.html

The assertion that fails is:

ASSERTION FAILED: activation->isActivationObject()
(/Users/Cameron/sf/JavaScriptCore/VM/Machine.cpp:503 bool KJS::Machine::unwindCallFrame(KJS::ExecState*, KJS::Register**, const KJS::Instruction*&, KJS::CodeBlock*&, KJS::JSValue**&, KJS::ScopeChainNode*&, KJS::Register*&))

I am not sure if this is the same bug or not, but it might be easier to debug than nytimes.com.
*** Bug 18999 has been marked as a duplicate of this bug. ***
Created attachment 21073
Testcase
Okay, there are multiple issues at play here:

* r32838 removed the implicit function call tracking, and changed the ProgramNode constructor from originally checking to see whether we were in a nested implicit call to just a check to see if the current registerfile is a global file. This fails if you have JS->native getter->Global JS, as the current file will be a global file, so new registers defined in the global code will be propagated back into the tainted file, invalidating r in the calling frame.

* The repeated addition and removal of "this" (to avoid "this" being enumerable in the global object) screws with variable numbering in the created CodeGenerator, leading us to believe a variable has been added even though it hasn't. This results in a reallocation of the registerfile, once again invalidating r in the callframe.

Some ugly hacks that break non-enumerable this, and force no globals to be register allocated ever, seem to fix this issue. I believe I will need to reestablish the implicit call-fu.
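The reentry pattern the comment describes (a JS frame with live locals, a getter that runs new global code, then a return into the still-live caller) as a constructed regression-style check. This is an added example, not the attached testcase or the implicit-call-with-global-reentry LayoutTest; an accessor property stands in for the native getter, and indirect eval stands in for the re-entered global script.

```javascript
// Constructed example: exercise JS -> getter -> global code -> back into the
// caller, the shape in which the old register file could be reallocated
// underneath a live frame. A correct engine leaves the caller's locals intact.

const GLOBAL_EVAL = (0, eval); // indirect eval: runs its code at global scope

const probe = {};
let getterCalls = 0;

// Accessor standing in for the native getter in the bug's call chain.
Object.defineProperty(probe, "reentrant", {
  get() {
    getterCalls += 1;
    // Global code that introduces brand-new globals (new global registers
    // in the engine's terms) while a JS frame further up the stack is live.
    GLOBAL_EVAL("var addedDuringGetter" + getterCalls + " = " + (100 + getterCalls) + ";");
    return getterCalls;
  },
});

// Caller whose locals must survive the nested global execution.
function callerWithLiveLocals() {
  const before = 7;
  const viaGetter = probe.reentrant;      // JS -> getter -> global JS -> back
  const after = before + viaGetter;       // uses a local held across the reentry
  const again = probe.reentrant + after;  // reenter a second time
  return { before, viaGetter, after, again };
}

// Runs the scenario once and reports what the caller saw and which globals
// the nested code created. Expected: before 7, viaGetter 1, after 8, again 10,
// globalsSeen [101, 102].
function runScenario() {
  getterCalls = 0; // make the scenario repeatable
  const result = callerWithLiveLocals();
  const globalsSeen = [
    typeof globalThis.addedDuringGetter1 === "number" ? globalThis.addedDuringGetter1 : null,
    typeof globalThis.addedDuringGetter2 === "number" ? globalThis.addedDuringGetter2 : null,
  ];
  return { ...result, globalsSeen };
}
```

A mismatch between the returned locals and the expected values (or an engine crash, as in the original reports) is the signal that the caller's frame was disturbed by the reentrant global code.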
M JavaScriptCore/ChangeLog
M JavaScriptCore/VM/Machine.cpp
M JavaScriptCore/VM/RegisterFileStack.cpp
M JavaScriptCore/VM/RegisterFileStack.h
M LayoutTests/ChangeLog
A LayoutTests/fast/js/implicit-call-with-global-reentry-expected.txt
A LayoutTests/fast/js/implicit-call-with-global-reentry.html
A LayoutTests/fast/js/resources/implicit-call-with-global-reentry.js
Committed r33066
This doesn't fix the crash on the Wired link. I'll make a new bug.