RESOLVED INVALID 68965
WebKit crashes in JSC when ENABLE_JIT is 0
https://bugs.webkit.org/show_bug.cgi?id=68965
Summary WebKit crashes in JSC when ENABLE_JIT is 0
eric.hennigan
Reported 2011-09-27 19:40:44 PDT
Found in WebKit repo 337174f23f1feb767b4201b8a9fc95105967ba7e

Steps to reproduce:
1. Turn off the JIT. Edited Source/JavaScriptCore/wtf/Platform.h and changed all defines for ENABLE_JIT to "#define ENABLE_JIT 0".
2. build-webkit --qt --debug (64-bit machine, running Ubuntu)
3. run-launcher --qt --debug (runs WebKitBuild/Debug/bin/QtTestBrowser)
4. visit www.google.com
5. see crash message:

Starting webkit launcher, running against the built WebKit in ~/projects/jsflow-webkit/web0-webkit-orig/WebKitBuild/Debug/lib...
QInotifyFileSystemWatcherEngine::addPaths: inotify_add_watch failed: No such file or directory
QFileSystemWatcher: failed to add paths: /home/erich/.config/ibus/bus
ASSERTION FAILED: slot.base() == baseValue
../../../Source/JavaScriptCore/interpreter/Interpreter.cpp(3220) : JSC::JSValue JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::CallFrame*)
Segmentation fault
Attachments
the patch (1.78 KB, patch)
2011-11-08 17:49 PST, Filip Pizlo
no flags
Remove second assert that pizlo missed (2.28 KB, patch)
2011-11-08 18:15 PST, Brian Burg
bfulgham: review+
webkit.review.bot: commit-queue-
eric.hennigan
Comment 1 2011-10-06 00:10:18 PDT
I investigated the issue further. The interpreter is performing an op_put_by_id:

    if (direct) {
        baseValue.putDirect(callFrame, ident, callFrame->r(value).jsValue(), slot);
        ASSERT(slot.base() == baseValue);
    } else

It appears that JSObject::putDirectInternal actually performs the put, but does not update the slot.base() because a specificFunction was available and

    // This is a new property; transitions with specific values are not currently cachable,
    // so leave the slot in an uncachable state.
    if (!specificFunction) {
        slot.setNewProperty(this, offset);
    }

I'm not too familiar with JSC, so my best conjecture is that a new method, setUncachedProperty(...), should be added to the slot, so that the base and offset can be updated appropriately.
Brian Burg
Comment 2 2011-11-08 17:26:03 PST
I have also reproduced this on OS X 10.7 with the Safari port.
Brian Burg
Comment 3 2011-11-08 17:35:14 PST
Additionally, the crash is triggered by the following tests executed by run-javascriptcore-tests:

    ecma_3/Array/15.4.4.3-1.js
    ecma_3/Object/8.6.2.6-001.js
    js1_5/Object/regress-192105.js

and the stack trace is nearly the same for each:

ASSERTION FAILED: slot.base() == baseValue
/Users/burg/repos/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp(3220) : JSC::JSValue JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile *, CallFrame *)
1   0x109b3a9c2 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*)
2   0x109b45d14 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*)
3   0x109af549f JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
4   0x109a30e44 _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb
5   0x109a30678 jscmain(int, char**, JSC::JSGlobalData*)
6   0x109a3057f main
7   0x109a303d4 start
Filip Pizlo
Comment 4 2011-11-08 17:49:02 PST
Created attachment 114185 [details] the patch This oughta do it.
Brian Burg
Comment 5 2011-11-08 18:15:57 PST
Created attachment 114188 [details] Remove second assert that pizlo missed Same as pizlo's patch, but there are actually two of these frivolous asserts that cause trouble. Updated patch takes care of both of them.
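The situation described in Comment 1 and resolved in Comment 5, as an added illustration that is not JSC's code and not either attached patch. It is a simplified C++ model with hypothetical names (Value, JSObject, PutPropertySlot, putDirect, strictSlotAssertHolds, cachingInvariantHolds, directPut): a direct put always stores the property, but a new property whose value is a specific function is an uncachable transition, so the slot is left untouched. The strict "slot base equals base value" assertion then fails even though nothing went wrong, while the weaker invariant that a caching caller actually relies on still holds.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Models a JS value just far enough to distinguish a "specific function" value
// (the case the bug describes) from an ordinary value. Hypothetical type.
struct Value {
    int number;
    bool isSpecificFunction;
};

struct JSObject;

// Stands in for the role of JSC's PutPropertySlot: records where a put landed so
// the caller can cache the access. Assumption for this model: base == nullptr
// means the slot was left in an uncachable state.
struct PutPropertySlot {
    JSObject* base = nullptr;
    std::size_t offset = 0;
    bool isCachable() const { return base != nullptr; }
    void setNewProperty(JSObject* b, std::size_t o) { base = b; offset = o; }
    void setExistingProperty(JSObject* b, std::size_t o) { base = b; offset = o; }
};

// Minimal object: property storage is a vector, so the index doubles as the
// storage offset the slot would cache.
struct JSObject {
    std::vector<std::pair<std::string, Value>> props;

    bool has(const std::string& name) const {
        for (const auto& p : props)
            if (p.first == name) return true;
        return false;
    }

    // Behaves like the putDirectInternal path quoted in Comment 1: the property
    // is always written, but a *new* property whose value is a specific function
    // is a transition that is not cachable, so the slot is deliberately not updated.
    void putDirect(const std::string& name, Value v, PutPropertySlot& slot) {
        for (std::size_t i = 0; i < props.size(); ++i) {
            if (props[i].first == name) {
                props[i].second = v;
                slot.setExistingProperty(this, i);
                return;
            }
        }
        props.emplace_back(name, v);
        if (!v.isSpecificFunction)
            slot.setNewProperty(this, props.size() - 1);
        // else: leave the slot uncachable; base stays nullptr
    }
};

// The check the interpreter asserted after a direct op_put_by_id: it assumes
// every successful put reports its base through the slot.
bool strictSlotAssertHolds(const PutPropertySlot& slot, const JSObject* base) {
    return slot.base == base;
}

// The invariant that actually holds and that a caching caller needs: the
// property is on the object, and if the slot claims to be cachable it points
// at that object and at the offset where the value was stored.
bool cachingInvariantHolds(const JSObject& obj, const std::string& name,
                           const PutPropertySlot& slot) {
    if (!obj.has(name)) return false;
    if (!slot.isCachable()) return true;
    return slot.base == &obj && slot.offset < obj.props.size()
        && obj.props[slot.offset].first == name;
}

struct PutReport {
    bool stored;        // did the property end up on the object?
    bool strictAssert;  // would the removed ASSERT have passed?
    bool invariant;     // does the weaker, correct invariant hold?
};

// Performs one direct put into a fresh slot and evaluates both checks.
PutReport directPut(JSObject& obj, const std::string& name, Value v) {
    PutPropertySlot slot;
    obj.putDirect(name, v, slot);
    return { obj.has(name), strictSlotAssertHolds(slot, &obj),
             cachingInvariantHolds(obj, name, slot) };
}

int main() {
    JSObject o;
    PutReport plain = directPut(o, "x", Value{1, false});
    PutReport fn = directPut(o, "f", Value{0, true});
    // Exit status 0 when the model reproduces the bug: the plain put satisfies
    // the strict assert, the function-valued put stores fine but does not.
    return (plain.strictAssert && !fn.strictAssert && fn.stored && fn.invariant) ? 0 : 1;
}
```

The point the model makes is the one the patch acts on: the strict assertion encodes a caching assumption, not a correctness condition of the put itself, so dropping it (rather than teaching the slot a new uncached state) is enough to keep the interpreter path consistent with the object code.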
Brent Fulgham
Comment 6 2011-12-08 14:15:05 PST
Comment on attachment 114185 [details] the patch Clearing patch review flag since this was obsoleted by a newer patch.
Brent Fulgham
Comment 7 2011-12-08 14:16:02 PST
Comment on attachment 114188 [details] Remove second assert that pizlo missed Looks good to me.
WebKit Review Bot
Comment 8 2011-12-21 16:28:09 PST
Comment on attachment 114188 [details] Remove second assert that pizlo missed

Rejecting attachment 114188 [details] from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2

Last 500 characters of output:
Fulgham', u'--fo..." exit_code: 1
Parsed 2 diffs from patch file(s).
patching file Source/JavaScriptCore/ChangeLog
Hunk #1 succeeded at 1 with fuzz 3.
patching file Source/JavaScriptCore/interpreter/Interpreter.cpp
Hunk #1 FAILED at 3215.
Hunk #2 FAILED at 3334.
2 out of 2 hunks FAILED -- saving rejects to file Source/JavaScriptCore/interpreter/Interpreter.cpp.rej

Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', u'--reviewer', u'Brent Fulgham', u'--fo..." exit_code: 1

Full output: http://queues.webkit.org/results/10996184
Csaba Osztrogonác
Comment 9 2015-02-26 04:31:00 PST
There has been no Qt port for a long time, and there is no crash on the CLOOP bot.