[Webkit-unassigned] [Bug 98596] New: [GTK] Crash in JSC::checkOffset, originating from LLInt

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Oct 6 04:44:58 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=98596

           Summary: [GTK] Crash in JSC::checkOffset, originating from
                    LLInt
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Tools / Tests
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: zandobersek at gmail.com
                CC: mrobinson at webkit.org, pnormand at igalia.com,
                    wingo at igalia.com, fpizlo at apple.com


The crash occurred on GTK 64-bit Debug builder, it seems to be first such crash in this test and it's also the first time I see such crash.
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&showAllRuns=true&tests=http%2Ftests%2Finspector-enabled%2Fdedicated-workers-list

http://build.webkit.org/builders/GTK%20Linux%2064-bit%20Debug/builds/37359
http://build.webkit.org/results/GTK%20Linux%2064-bit%20Debug/r130578%20(37359)/results.html
Here's the crash log:

Crash log for DumpRenderTree (pid 26961):
...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007ff0f1125f2c in JSC::checkOffset (offset=49, inlineCapacity=15) at ../../Source/JavaScriptCore/runtime/PropertyOffset.h:71
71        ASSERT(offset == invalidOffset

...

Thread 1 (Thread 0x7ff0e2c9b900 (LWP 26961)):
#0  0x00007ff0f1125f2c in JSC::checkOffset (offset=49, inlineCapacity=15) at ../../Source/JavaScriptCore/runtime/PropertyOffset.h:71
#1  0x00007ff0f12395dc in JSC::validateOffset (offset=49, inlineCapacity=15) at ../../Source/JavaScriptCore/runtime/PropertyOffset.h:84
#2  0x00007ff0f1239790 in JSC::JSObject::offsetForLocation (this=0x7ff09764fee0, location=0x7ff097650078) at ../../Source/JavaScriptCore/runtime/JSObject.h:468
#3  0x00007ff0f1237bec in JSC::JSFunction::getOwnPropertySlot (cell=0x7ff09764fee0, exec=0x7ff09f69a038, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:218
#4  0x00007ff0f1238771 in JSC::JSFunction::put (cell=0x7ff09764fee0, exec=0x7ff09f69a038, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:342
#5  0x00007ff0f10987d4 in JSC::JSValue::put (this=0x7fff9b194580, exec=0x7ff09f69a038, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1201
#6  0x00007ff0f118d52e in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7ff09f69a038, pc=0x5322310) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:933
#7  0x00007ff0f11968d3 in llint_op_put_by_id () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#8  0x00007fff9b194640 in ?? ()
#9  0x00007fff9b194670 in ?? ()
#10 0x0000000000000000 in ?? ()

...

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list