Long-running javascript crashes in JavascriptCore
Originator: adam.fedor
Number: rdar://19378158
Date Originated: 01/05/2014
Status: Closed
Resolved: 03/11/2014
Product: OSX SDK
Product Version: 10.10.1
Classification:
Reproducible: Yes
Summary:
Frameworks that use JavascriptCore to run JavaScript scripts will crash on certain long-running scripts. For illustrative purposes, I've chosen the open-source Mocha framework as an example (https://github.com/logancollins/Mocha), although similar behavior occurs with other, completely different frameworks (such as jstalk, https://github.com/ccgus/jstalk.git).

Steps to Reproduce:
1. Compile the Mocha project (in particular, the mocha command-line tool).
2. Run mocha with the script below:

./build/Debug/mocha crash2.js

=====
// NSString and NSMutableDictionary are Foundation classes bridged into
// JavaScript by Mocha; role and ddict are bridged objects, dict is a plain JS object.
function createStory(j) {
    var role = NSString.stringWithString("CFBundleTypeRole");
    var ddict = NSMutableDictionary.dictionary();
    var dict = {};
    ddict["role"] = role;
    //dict["role"] = ddict["role"];
    //ddict["role"] = dict["role"];
    //role = ddict["role"];
    print("role " + j + " length " + role.length);
}

for (var j = 0; j < 10000; j++) {
    print("==== LOOP " + j + " =====");
    createStory(j);
}
=====

Expected Results:
The script should run to completion.

Actual Results:
The script crashes with a 'Segmentation Fault: 11'. Simple changes to the script make it crash after a different number of iterations, or sometimes not at all, but any one particular script always crashes in the same place. I have compiled a recent svn revision of WebKit (svn revision 176947, Debug build) and run mocha in Xcode, which gives a more complete backtrace of the problem.

Configuration:
OSX 10.10.1 (14B25), although this behavior is visible since at least 10.9 all the way up to a recent svn version of WebKit/JavascriptCore (svn revision 176947).
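The report states that a given script always dies at the same iteration, while small edits move or remove the crash. When triaging a host-process crash like this one, the first thing worth establishing is exactly that: which iteration the process reached and whether the point of death is stable across runs. The following is an added triage helper, not code from the Radar, from Mocha or from WebKit. It assumes the repro script prints one "==== LOOP j =====" line per iteration as shown above, that a segfault surfaces through `subprocess` as return code -11 (SIGSEGV), and that the mocha binary path is the one in the report; the sample output it parses is constructed here, with the crash iteration chosen arbitrarily.

```python
"""Triage helper for a deterministic JavaScriptCore host crash.

Added example (not part of the Radar, Mocha or WebKit). It assumes the
repro script prints "==== LOOP j =====" once per iteration and that the
host dies with SIGSEGV, which subprocess reports as return code -11.
"""
import re
import signal
import subprocess
from typing import Dict, List, Optional

# Path from the report's "Steps to Reproduce"; adjust to the local build.
MOCHA_CMD = ["./build/Debug/mocha", "crash2.js"]

LOOP_RE = re.compile(r"^==== LOOP (\d+) =====$", re.MULTILINE)


def last_loop_index(output: str) -> Optional[int]:
    """Highest iteration number the script printed before dying, or None."""
    matches = LOOP_RE.findall(output)
    return int(matches[-1]) if matches else None


def crashed_with_segv(returncode: int) -> bool:
    """subprocess reports death-by-signal as a negative return code."""
    return returncode == -signal.SIGSEGV


def describe_exit(returncode: int) -> str:
    """Human-readable exit reason, e.g. 'killed by signal 11 (SIGSEGV)'."""
    if returncode >= 0:
        return f"exit {returncode}"
    signum = -returncode
    try:
        name = signal.Signals(signum).name
    except ValueError:
        name = "UNKNOWN"
    return f"killed by signal {signum} ({name})"


def run_once(cmd: List[str] = MOCHA_CMD, timeout: float = 300.0) -> Dict[str, object]:
    """Run the host once and record how far the script got (needs a real mocha build)."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return {
        "returncode": proc.returncode,
        "last_loop": last_loop_index(proc.stdout),
        "reason": describe_exit(proc.returncode),
    }


def crash_is_deterministic(last_loops: List[Optional[int]]) -> bool:
    """True when every run died at the same iteration, as the report claims."""
    return len(last_loops) > 0 and last_loops[0] is not None and len(set(last_loops)) == 1


def triage(runs: List[Dict[str, object]]) -> str:
    """Summarise a series of runs into one line for the bug report."""
    loops = [r["last_loop"] for r in runs]
    segv = all(crashed_with_segv(int(r["returncode"])) for r in runs)
    if not segv:
        return "not every run died with SIGSEGV: " + ", ".join(str(r["reason"]) for r in runs)
    if crash_is_deterministic(loops):
        return f"deterministic SIGSEGV during iteration {loops[0]} in {len(runs)} runs"
    return f"SIGSEGV at varying iterations: {loops}"


def sample_stdout(crash_at: int) -> str:
    """Constructed stdout: full iterations up to crash_at, then a partial one."""
    lines = []
    for j in range(crash_at):
        lines.append(f"==== LOOP {j} =====")
        lines.append(f"role {j} length 16")  # len("CFBundleTypeRole") == 16
    lines.append(f"==== LOOP {crash_at} =====")  # died before printing 'role'
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Offline demonstration on constructed runs; swap in run_once() for real ones.
    fake_runs = [
        {"returncode": -11, "last_loop": last_loop_index(sample_stdout(1187)),
         "reason": describe_exit(-11)}
        for _ in range(3)
    ]
    print(triage(fake_runs))
```

Comparing several runs this way, and then re-running after each small edit to the script, turns the report's observation ("different lengths of time or sometimes not at all") into data a maintainer can act on: a fixed crash iteration with a bridged object in scope points at an object-lifetime problem in the host rather than at the script itself.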
Comments
This is a bug in the Mocha framework. This bug has been marked as resolved and is closed.
Backtrace
/Examples/WebKit/Source/JavaScriptCore/runtime/StructureIDTable.h(86) : JSC::Structure *JSC::StructureIDTable::get(StructureID)
(lldb)