Long-running JavaScript crashes in JavaScriptCore

Originator:adam.fedor
Number:rdar://19378158 Date Originated:01/05/2014
Status:Closed Resolved:03/11/2014
Product:OSX SDK Product Version:10.10.1
Classification: Reproducible:Yes
 
Summary:
Frameworks that use JavaScriptCore to run JavaScript scripts will crash on certain long-running scripts. For illustrative purposes I've chosen the open-source Mocha framework as an example (https://github.com/logancollins/Mocha), although the same behavior occurs with other, completely different frameworks, such as jstalk (https://github.com/ccgus/jstalk.git).

Steps to Reproduce:
1. Compile the Mocha project (in particular, the mocha command-line tool).
2. Run mocha with the script below (saved as crash2.js):
   ./build/Debug/mocha crash2.js

=====
function createStory(j) {
  var role = NSString.stringWithString("CFBundleTypeRole");
  var ddict = NSMutableDictionary.dictionary();
  var dict = {};
  ddict["role"] = role;
  //dict["role"] = ddict["role"];
  //ddict["role"] = dict["role"];
  //role = ddict["role"];
  print("role " + j + " length " + role.length);
}

for (var j = 0; j < 10000; j++) {
  print("==== LOOP " + j + " =====");
  createStory(j);
}


Expected Results:
Script should run to completion

Actual Results:
Script crashes with a 'Segmentation Fault: 11'. Simple changes to the script make it crash after a different length of time, or sometimes not at all, but any one particular script always crashes in the same place.

I have compiled a recent svn revision of WebKit (svn revision 176947, Debug build) and run mocha under Xcode, which gives a more complete backtrace of the problem (posted in the comments below).


Configuration:
OS X 10.10.1 (14B25), although this behavior has been visible since at least 10.9, all the way up to a recent svn revision of WebKit/JavaScriptCore (svn revision 176947).

Comments

This is a bug in the Mocha framework. This bug has been marked as resolved and is closed.

By adam.fedor at March 11, 2015, 2:55 p.m.

Backtrace

ASSERTION FAILED: structureID && structureID < m_capacity

/Examples/WebKit/Source/JavaScriptCore/runtime/StructureIDTable.h(86) : JSC::Structure *JSC::StructureIDTable::get(StructureID)

 (lldb) bt
 * thread #1: tid = 0x3b919f, 0x0000000100978f4a JavaScriptCore`WTFCrashWithSecurityImplication + 42 at Assertions.cpp:335, queue = 'com.apple.main-thread',   stop reason = EXC_BAD_ACCESS (code=1, address=0xfbadbeef)
  * frame #0: 0x0000000100978f4a JavaScriptCore`WTFCrashWithSecurityImplication + 42 at Assertions.cpp:335
frame #1: 0x000000010002a4bb JavaScriptCore`JSC::StructureIDTable::get(this=0x00000001048002f8, structureID=1593835520) + 91 at StructureIDTable.h:86
frame #2: 0x0000000100030746 JavaScriptCore`JSC::JSCell::structure(this=0x000000010000014d, vm=0x0000000104800000) const + 54 at JSCellInlines.h:106
frame #3: 0x000000010004bfa6 JavaScriptCore`JSC::JSCell::methodTable(this=0x000000010519fa10) const + 70 at JSCellInlines.h:204
frame #4: 0x00000001005fa58e JavaScriptCore`toJS(exec=0x00007fff5fbfd850, v=0x000000010519fa10) + 158 at APICast.h:81
frame #5: 0x0000000100620b15 JavaScriptCore`JSC::JSCallbackObject<JSC::JSDestructibleObject>::call(exec=0x00007fff5fbfd850) + 533 at JSCallbackObjectFunctions.h:488
frame #6: 0x00000001005dff75 JavaScriptCore`JSC::handleHostCall(execCallee=0x00007fff5fbfd850, callee=JSValue at 0x00007fff5fbfd710, kind=CodeForCall) + 293 at JITOperations.cpp:641
frame #7: 0x00000001005e091c JavaScriptCore`linkFor(execCallee=0x00007fff5fbfd850, callLinkInfo=0x000000010236b440, kind=CodeForCall, registers=RegisterPreservationNotRequired) + 140 at JITOperations.cpp:686
frame #8: 0x00000001005dad96 JavaScriptCore`operationLinkCall(execCallee=0x00007fff5fbfd850, callLinkInfo=0x000000010236b440) + 38 at JITOperations.cpp:722
frame #9: 0x00004bbac46019bc
frame #10: 0x00004bbac46020f8
frame #11: 0x00004bbac460330a
frame #12: 0x000000010073d039 JavaScriptCore`vmEntryToJavaScript + 361
frame #13: 0x00000001005c9dfa JavaScriptCore`JSC::JITCode::execute(this=0x000000010218d060, vm=0x0000000104800000, protoCallFrame=0x00007fff5fbfdc60) + 266 at JITCode.cpp:77
frame #14: 0x00000001005ae381 JavaScriptCore`JSC::Interpreter::execute(this=0x0000000102401ab0, program=0x00000001051dfc70, callFrame=0x00000001027ff9b0, thisObj=0x000000010519fb30) + 4849 at Interpreter.cpp:914
frame #15: 0x00000001001314b0 JavaScriptCore`JSC::evaluate(exec=0x00000001027ff9b0, source=0x00007fff5fbff1c0, thisValue=JSValue at 0x00007fff5fbff120, returnedException=0x00007fff5fbff190) + 480 at Completion.cpp:81
frame #16: 0x0000000100617050 JavaScriptCore`JSEvaluateScript(ctx=0x00000001027ff9b0, script=0x0000000102337220, thisObject=0x0000000000000000, sourceURL=0x0000000102337540, startingLineNumber=1, exception=0x00007fff5fbff2d8) + 544 at JSBase.cpp:66
frame #17: 0x0000000101f2f779 Mocha`-[Mocha evalJSString:scriptPath:](self=0x0000000102101160, _cmd=0x0000000101f65ed1, string=0x0000000102401450, scriptPath=0x0000000102400810) + 313 at MochaRuntime.m:574
frame #18: 0x000000010000272f mocha`executeScript(script=0x0000000102401450, path=0x0000000102400810) + 1007 at main.m:130
frame #19: 0x0000000100001ecf mocha`main(argc=2, argv=0x00007fff5fbff818) + 1455 at main.m:101
frame #20: 0x0000000100001914 mocha`start + 52

(lldb)

By adam.fedor at Jan. 24, 2015, 4:39 p.m.
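The assertion at the top of the backtrace fires inside StructureIDTable::get when toJS() is handed a JSValueRef whose cell carries a structure ID that is not in the table, and it is reached from a JSCallbackObject call, i.e. from the host bridge. The Radar does not say what Mocha got wrong, so what follows is an added example and not code from the report or from Mocha. It assumes the generic failure mode a bridge of this kind can have (caching a raw JSObjectRef across collections without rooting it, so the collector reclaims the cell and the next call hands a stale pointer back to the VM) and shows the JSValueProtect/JSValueUnprotect discipline that avoids it, exercised by a loop modelled on the reproduction script. The class BridgedValue, the wrap/unwrap functions and the embedded script are constructed for this illustration; the build line in the first comment is an assumption about a standard macOS toolchain.

```objective-c
// Added example, not code from the Radar or from Mocha. Hypothetical class and
// functions; build with: clang -fobjc-arc -framework Foundation -framework JavaScriptCore bridge.m
#import <Foundation/Foundation.h>
#import <JavaScriptCore/JavaScriptCore.h>

// Host-side wrapper that owns a JS object for as long as the wrapper itself lives.
// The protect/unprotect pair registers the cell as a GC root; a bridge that caches the
// raw JSObjectRef without it can hand a reclaimed cell back to the VM later, and
// toJS() then trips the StructureIDTable assertion seen in the backtrace.
@interface BridgedValue : NSObject
@property (nonatomic, readonly) JSGlobalContextRef ctx;
@property (nonatomic, readonly) JSObjectRef object;
- (instancetype)initWithContext:(JSGlobalContextRef)ctx object:(JSObjectRef)object;
@end

@implementation BridgedValue
- (instancetype)initWithContext:(JSGlobalContextRef)ctx object:(JSObjectRef)object {
    if ((self = [super init])) {
        _ctx = JSGlobalContextRetain(ctx);   // the root must not outlive its VM
        _object = object;
        JSValueProtect(_ctx, _object);       // root the cell until dealloc
    }
    return self;
}
- (void)dealloc {
    JSValueUnprotect(_ctx, _object);         // unroot exactly once, paired with the protect above
    JSGlobalContextRelease(_ctx);
}
@end

static BridgedValue *gLatest;   // stands in for a framework's table of bridged objects

// JS: wrap(obj) caches obj on the host side, rooted through BridgedValue.
static JSValueRef wrapCallback(JSContextRef ctx, JSObjectRef fn, JSObjectRef thisObj,
                               size_t argc, const JSValueRef argv[], JSValueRef *exc) {
    if (argc < 1 || !JSValueIsObject(ctx, argv[0]))
        return JSValueMakeUndefined(ctx);
    JSObjectRef obj = JSValueToObject(ctx, argv[0], exc);
    if (!obj) return JSValueMakeUndefined(ctx);
    gLatest = [[BridgedValue alloc] initWithContext:JSContextGetGlobalContext(ctx) object:obj];
    return JSValueMakeUndefined(ctx);
}

// JS: unwrap() requests a collection and then hands the cached object back to script.
// JSGarbageCollect only requests a collection, so the long loop below is still what
// makes reclamation of an unrooted cell likely, as in the Radar's reproduction.
static JSValueRef unwrapCallback(JSContextRef ctx, JSObjectRef fn, JSObjectRef thisObj,
                                 size_t argc, const JSValueRef argv[], JSValueRef *exc) {
    JSGarbageCollect(ctx);
    return gLatest ? gLatest.object : JSValueMakeUndefined(ctx);
}

static void installFunction(JSGlobalContextRef ctx, const char *name,
                            JSObjectCallAsFunctionCallback callback) {
    JSStringRef jsName = JSStringCreateWithUTF8CString(name);
    JSObjectRef fn = JSObjectMakeFunctionWithCallback(ctx, jsName, callback);
    JSObjectSetProperty(ctx, JSContextGetGlobalObject(ctx), jsName, fn,
                        kJSPropertyAttributeNone, NULL);
    JSStringRelease(jsName);
}

int main(void) {
    @autoreleasepool {
        JSGlobalContextRef ctx = JSGlobalContextCreate(NULL);
        installFunction(ctx, "wrap", wrapCallback);
        installFunction(ctx, "unwrap", unwrapCallback);

        // Constructed stress script modelled on the Radar's loop: bridge an object,
        // read it back through the host, and fail loudly if the bridge returns garbage.
        const char *script =
            "for (var j = 0; j < 10000; j++) {"
            "  wrap({ role: 'CFBundleTypeRole', n: j });"
            "  var back = unwrap();"
            "  if (back.n !== j) throw new Error('stale bridged object at iteration ' + j);"
            "}"
            "'ok';";
        JSStringRef src = JSStringCreateWithUTF8CString(script);
        JSValueRef exception = NULL;
        JSValueRef result = JSEvaluateScript(ctx, src, NULL, NULL, 1, &exception);
        JSStringRelease(src);

        int status = 0;
        if (exception) {
            JSStringRef msg = JSValueToStringCopy(ctx, exception, NULL);
            NSLog(@"script threw: %@", CFBridgingRelease(JSStringCopyCFString(kCFAllocatorDefault, msg)));
            JSStringRelease(msg);
            status = 1;
        } else {
            JSStringRef out = JSValueToStringCopy(ctx, result, NULL);
            NSLog(@"script finished: %@", CFBridgingRelease(JSStringCopyCFString(kCFAllocatorDefault, out)));
            JSStringRelease(out);
        }
        gLatest = nil;               // drops the last root before the context is released
        JSGlobalContextRelease(ctx);
        return status;
    }
}
```

The same program with the JSValueProtect/JSValueUnprotect pair removed is the unsafe variant: it still compiles, and it may survive short runs, because whether the cached cell is reused depends on when the collector runs. That is also why the Radar reports a deterministic crash point per script but different behaviour after small edits: allocation and collection timing, not script logic, decide which iteration hands the VM a stale cell. A bridge that is audited for this should pair every cached JSValueRef with a root and release it exactly once, and a stress loop like the one above belongs in its test suite.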
