[E8] JavascriptCore parse issue

[View] [Edit] [Lock] [References] [Attachments] [History] [Home] [Changes] [Search] [Help]

[E8] JavascriptCore parse issue

The JavascriptCore parser has issues parsing recursive calls
Ref.: test[s8] deep calls (see Executing a complex block)

Procedure

We will evaluate the following (simple) expression in this page that evidence the JSC parser bug in each execution environment

Note	Expression run with minimal manual operations. In platforms where ScanApp is available we scan the QRcode in this page. UI8 image & tools is used to run on desktop (web). In iOS the expression is evaluated in a workspace or as (in-image) application code.

Confirmation that the bug is present in all the places we run using JSC and is ABSENT using other VMs

Platform	Hardware	ISSUE	Comments
Safari 10.0.2 (12602.3.12.0.1) MacOS Sierra 10.12.2 (16C67)	Mac mini (Late 2014) 8 GB	DETECTED	Very slow execution (30seconds to parse, 15ms to run)
Chrome 55.0.2883.95 (64-bit) MacOS Sierra 10.12.2 (16C67)	Mac mini (Late 2014) 8 GB	ABSENT	OK 200ms to compile(st)+parse(js)+run
Safari iOS 10.2	iPhone 6s, iPad (32 & 64bits)	DETECTED	crash - page reloaded
Chrome 55.0.2883.79 iOS 10.2	iPhone 6s, iPad (32 & 64bits)	DETECTED	crash - page reloaded
coco8 iOS 10.2	iPhone 6s, iPad (32 & 64bits)	DETECTED	crash
coco8(static) iOS 10.2	iPhone 6s, iPad (32 & 64bits)	DETECTED	crash
jx8-ios(sm) iOS 10.2	iPhone 6s, iPad (32 & 64bits)	ABSENT	iPad (32bits) took 3067ms to compile(st)+parse(js)+run iPhone6s took 1564ms to compile(st)+parse(js)+run iPad(64bits) took 682ms to compile(st)+parse(js)+run
jx8-android(v8) Android 5.1.1	Sony	ABSENT	Error: Maximum call stack size exceeded (did NOT crash the app)

Finding of a hand-made javascript expression that exposes the bug without using S8

The code to expose the issue can be reduced as the following s8 code

[[[[[[[[[[[[[[[[[[[[
1 
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1
] value + 1

The result of evaluating the code should be

The code to express the same behavior as javascript code is:

((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return ((function(){return (1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1);})() + 1)

The same code with line breaks...

((function(){return ((function(){return ((function(){return ((function(){return 
((function(){return ((function(){return ((function(){return ((function(){return 
((function(){return ((function(){return ((function(){return ((function(){return 
((function(){return ((function(){return ((function(){return ((function(){return 
((function(){return ((function(){return ((function(){return ((function(){return 
(1);
})() + 1);})() + 1);})() + 1);})() + 1);
})() + 1);})() + 1);})() + 1);})() + 1);
})() + 1);})() + 1);})() + 1);})() + 1);
})() + 1);})() + 1);})() + 1);})() + 1);
})() + 1);})() + 1);})() + 1);})() + 1)