Bug 18934 - SQUIRRELFISH: ASSERT @ nytimes.com due to RegisterFile being clobbered
Summary: SQUIRRELFISH: ASSERT @ nytimes.com due to RegisterFile being clobbered
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Macintosh OS X 10.5
Importance: P2 Normal
Assignee: Oliver Hunt
URL: http://nytimes.com
Keywords:
Duplicates: 18999
Depends on:
Blocks:

Reported: 2008-05-07 21:48 PDT by Geoffrey Garen
Modified: 2008-05-12 17:39 PDT
See Also:

Attachments
Testcase (168 bytes, text/html)
2008-05-11 17:18 PDT, Oliver Hunt
Description Geoffrey Garen 2008-05-07 21:48:19 PDT
TO REPRODUCE:
1. navigate to nytimes.com
-> crash

ASSERTION FAILED: addressOffset < instructions.size()
(/Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/CodeBlock.cpp:541 bool KJS::CodeBlock::getHandlerForVPC(const KJS::Instruction*, KJS::Instruction*&, int&))
Program received signal:  “EXC_BAD_ACCESS”.

Script URL: 

http://pagead2.googlesyndication.com/pagead/show_ads.js

Script:

      m_buffer = 0x1a0d1000 "(function(){?var f=document,j=navigator,l=window;function da(){var b=f.cookie,a=Math.round((new Date).getTime()/1000),c=b.indexOf(\"__utma=\")>-1,e=b.indexOf(\"__utmb=\")>-1,d=b.indexOf(\"__utmc=\")>-1,g,i="..., 
      m_capacity = 19864

Top of Backtrace:

#0  0x00651cfe in KJS::CodeBlock::getHandlerForVPC (this=0x19d40000, vPC=0x19d48280, target=@0xbfffccb0, scopeDepth=@0xbfffccb4) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/CodeBlock.cpp:541
#1  0x0063bd43 in KJS::Machine::throwException (this=0x682760, exec=0xbfffdab4, exceptionValue=0x19d4b260, registerBase=0x18037680, vPC=0x19d48280, codeBlock=@0xbfffda98, k=@0xbfffce08, scopeChain=@0xbfffda94, r=@0xbfffda90) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/Machine.cpp:539
#2  0x00641a92 in KJS::Machine::privateExecute (this=0x682760, flag=KJS::Machine::Normal, exec=0xbfffdab4, registerFile=0x18037670, r=0x6c26bef0, scopeChain=0x19fe7270, codeBlock=0x19d40000, exception=0xbfffdb4c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/Machine.cpp:2008
#3  0x00642303 in KJS::Machine::execute (this=0x682760, programNode=0x19fb8760, exec=0x19bc9c8c, scopeChain=0x18037660, thisObj=0x19d40000, registerFileStack=0x19bc9c68, exception=0xbfffdb4c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/Machine.cpp:577
#4  0x005e2e5b in KJS::Interpreter::evaluate (exec=0x19bc9c8c, scopeChain=@0x19bc9c88, sourceURL=@0xbfffdbd4, startingLineNumber=0, code=0x19ed5000, codeLength=19863, thisValue=0x19d40000) at interpreter.cpp:84
#5  0x024282e7 in WebCore::KJSProxy::evaluate (this=0x152c2dc0, filename=@0xbfffde08, baseLine=0, str=@0xbfffde8c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/WebCore/bindings/js/kjs_proxy.cpp:87
#6  0x01fea437 in WebCore::FrameLoader::executeScript (this=0x409b800, url=@0xbfffde08, baseLine=0, script=@0xbfffde8c) at /Volumes/Big/ggaren/Labyrinth/OpenSource/WebCore/loader/FrameLoader.cpp:771
#7  0x0206e53e in WebCore::HTMLTokenizer::scriptExecution (this=0x418d200, str=@0xbfffde8c, state={static EntityShift = 4, m_bits = 0}, scriptURL=@0xbfffde88, baseLine=0) at /Volumes/Big/ggaren/Labyrinth/OpenSource/WebCore/html/HTMLTokenizer.cpp:540
Comment 1 Maciej Stachowiak 2008-05-10 05:53:22 PDT
I don't crash on nytimes.com but I see similar crashes on arstechnica.
Comment 2 Cameron Zwarich (cpst) 2008-05-11 16:46:09 PDT
Here is another URL that repeatedly crashes SquirrelFish for me in unwindCallFrame:

http://blog.wired.com/games/2008/05/for-wiiware-nin.html

The assertion that fails is

ASSERTION FAILED: activation->isActivationObject()
(/Users/Cameron/sf/JavaScriptCore/VM/Machine.cpp:503 bool KJS::Machine::unwindCallFrame(KJS::ExecState*, KJS::Register**, const KJS::Instruction*&, KJS::CodeBlock*&, KJS::JSValue**&, KJS::ScopeChainNode*&, KJS::Register*&))

I am not sure if this is the same bug or not, but it might be easier to debug than nytimes.com.
Comment 3 Oliver Hunt 2008-05-11 17:18:03 PDT
*** Bug 18999 has been marked as a duplicate of this bug. ***
Comment 4 Oliver Hunt 2008-05-11 17:18:28 PDT
Created attachment 21073 [details]
Testcase
Comment 5 Oliver Hunt 2008-05-12 01:58:13 PDT
Okay, there are multiple issues at play here:
 * r32838 removed the implicit function call tracking, and changed the ProgramNode constructor from originally checking to see whether we were in a nested implicit call to just a check to see if the current registerfile is a global file.  This fails if you have JS->native getter->Global JS, as the current file will be a global file, so new registers defined in the global code will be propagated back into the tainted file, invalidating r in the calling frame.
 * The repeated addition and removal of "this" (to avoid "this" being enumerable in the global object) screws with variable numbering in the created CodeGenerator, leading us to believe a variable has been added, even though it hasn't.  This results in a reallocation of the registerfile, once again invalidating r in the callframe.

Some ugly hacks that break non-enumerable this, and force no globals to be register allocated ever, seem to fix this issue; I believe I will need to reestablish the implicit call-fu.

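The reentrancy described in comment 5, reduced to a small C++ model (an added example, not JavaScriptCore code; RegisterFile, CallFrame, RegisterFileStack and the inImplicitCall flag are simplified stand-ins for the real classes): a frame caches a raw pointer r into a shared register file, nested global code grows that file and relocates it, and restoring the implicit-call tracking stops the nested code from reusing the caller's file.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

struct Register { long long value; };
// A growable register buffer; frames hold raw pointers into it.
struct RegisterFile {
    std::vector<Register> regs;
    unsigned generation = 0;  // bumped whenever the buffer is relocated
    bool isGlobal;
    explicit RegisterFile(bool global) : isGlobal(global) {}
    Register* grow(std::size_t n) {  // always relocates, like a moving realloc
        std::vector<Register> moved(regs.begin(), regs.end());
        moved.resize(regs.size() + n);
        regs.swap(moved);
        ++generation;
        return regs.data() + regs.size() - n;
    }
};

struct CallFrame {  // a frame's cached view: base pointer r + the generation it came from
    RegisterFile* file; Register* r; unsigned generation;
    bool rIsValid() const { return generation == file->generation; }
};

struct RegisterFileStack {
    std::vector<std::unique_ptr<RegisterFile>> stack;
    bool inImplicitCall = false;  // native -> JS call in progress (modelled tracking)
    RegisterFile& current() { return *stack.back(); }
    // Buggy rule: reuse the current file whenever it is a global file.
    // Fixed rule: push a fresh file while an implicit call has a live frame in it.
    RegisterFile& enterGlobalCode(bool fixed) {
        bool reuse = current().isGlobal && !(fixed && inImplicitCall);
        if (!reuse) stack.push_back(std::make_unique<RegisterFile>(true));
        return current();
    }
};

// Global JS -> native getter -> global JS that declares newGlobals variables.
// Returns whether the outer frame's r is still valid when it resumes.
bool outerFrameSurvivesReentry(bool fixed, std::size_t newGlobals) {
    RegisterFileStack files;
    files.stack.push_back(std::make_unique<RegisterFile>(true));
    RegisterFile& outer = files.current();
    CallFrame frame{&outer, outer.grow(4), outer.generation};
    files.inImplicitCall = true;
    files.enterGlobalCode(fixed).grow(newGlobals);  // relocates if it is the shared file
    files.inImplicitCall = false;
    return frame.rIsValid();
}
```

With the buggy rule the outer frame's r points into freed storage when it resumes, which is the state the two assertions in this bug trip over; with the fixed rule the nested globals land in their own file.
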
Comment 6 Oliver Hunt 2008-05-12 17:26:42 PDT
	M	JavaScriptCore/ChangeLog
	M	JavaScriptCore/VM/Machine.cpp
	M	JavaScriptCore/VM/RegisterFileStack.cpp
	M	JavaScriptCore/VM/RegisterFileStack.h
	M	LayoutTests/ChangeLog
	A	LayoutTests/fast/js/implicit-call-with-global-reentry-expected.txt
	A	LayoutTests/fast/js/implicit-call-with-global-reentry.html
	A	LayoutTests/fast/js/resources/implicit-call-with-global-reentry.js
Committed r33066

Comment 7 Cameron Zwarich (cpst) 2008-05-12 17:39:22 PDT
This doesn't fix the crash on the Wired link. I'll make a new bug.