[Webkit-unassigned] [Bug 46077] New: ASSERT failure in YARR JIT
bugzilla-daemon at webkit.org
Mon Sep 20 00:27:16 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=46077
Summary: ASSERT failure in YARR JIT
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: barraclough at apple.com
ASSERTION FAILED: to.m_offset != -1
(/Volumes/Data/CopperHead/JavaScriptCore/assembler/X86Assembler.h:1535 void JSC::X86Assembler::linkJump(JSC::X86Assembler::JmpSrc, JSC::X86Assembler::JmpDst))
Segmentation fault: 11
The problem is hit when there are multiple alternatives in the top level disjunction, the last disjunction is longer than the first, and all are BOL predicated, e.g.:
/^a|^bc/
Two optimizations are coming into conflict here.
Due to the BOL unrolling there is no need to ever loop, so no head of loop label has been set; however, the optimized code path that loops without checking length (available since we have already checked N+1 characters for the last alternative before looping) doesn't check the flag indicating whether a label has been set.
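A differential regression check for the pattern shape described in the report, added here as an example; it is not part of the original bug report or of WebKit's own tests. It goes beyond the single /^a|^bc/ case: the extra patterns, the inputs and the helper names (oracle, buildPattern, checkCase, runAll) are constructed for illustration.

```javascript
// Added example: differential check of BOL-anchored alternations against a
// simple oracle. Only /^a|^bc/ comes from the report; the rest is constructed.

// Without the multiline flag, ^ can only match at index 0, so /^x|^yz/ matches
// iff the input starts with an alternative; the first one in source order wins.
function oracle(alternatives, input) {
  for (const alt of alternatives) {
    if (input.startsWith(alt)) return alt;
  }
  return null;
}

// Alternatives are lowercase letters only, so no regex escaping is needed.
function buildPattern(alternatives) {
  return new RegExp(alternatives.map((alt) => "^" + alt).join("|"));
}

function checkCase(alternatives, inputs) {
  const re = buildPattern(alternatives);
  const failures = [];
  for (const input of inputs) {
    const m = re.exec(input);
    const got = m === null ? null : m[0];
    const want = oracle(alternatives, input);
    if (got !== want || (m !== null && m.index !== 0)) {
      failures.push({ pattern: re.source, input, got, want });
    }
  }
  return failures;
}

// Constructed pattern shapes: the first three have a last alternative longer
// than the first (the shape in the report); the last two are controls.
const CASES = [["a", "bc"], ["a", "b", "cde"], ["ab", "cde"], ["bc", "a"], ["a", "b"]];

// Constructed inputs: empty, shorter than the longest alternative, exact
// matches, and strings where an alternative appears only after index 0.
const INPUTS = ["", "a", "b", "bc", "abc", "bca", "xa", "xbc", "cd", "cde", "xcde", "ab", "c"];

function runAll() {
  return CASES.flatMap((alts) => checkCase(alts, INPUTS));
}

const failures = runAll();
console.log(failures.length === 0 ? "all cases agree with the oracle" : failures);
```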