[Webkit-unassigned] [Bug 114018] New: Crash due to an assertion in AbstractMacroAssembler.h

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 5 03:26:19 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=114018

           Summary: Crash due to an assertion in AbstractMacroAssembler.h
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: cgarcia at igalia.com


Program terminated with signal 11, Segmentation fault.
#0  0x04eaf128 in JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::TrustedImmPtr::TrustedImmPtr (this=0x77feeba0, value=2)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:187
187                ASSERT_UNUSED(value, !value);
(gdb) bt
#0  0x04eaf128 in JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::TrustedImmPtr::TrustedImmPtr (this=0x77feeba0, value=2)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:187
#1  0x04f07b00 in JSC::DFG::SpeculativeJIT::callOperation (this=0x77feec28, operation=0x4eb07b9 <JSC::DFG::operationCreateThis(JSC::ExecState*, JSC::JSObject*, std::int32_t)>, 
    result=JSC::ARMRegisters::r1, object=JSC::ARMRegisters::r0, size=2) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:1274
#2  0x04f133ac in JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator<JSC::AbstractMacroAssembler<JSC::ARMv7Assembler>::JumpList, JSC::JSCell* (*)(JSC::ExecState*, JSC::JSObject*, int), JSC::ARMRegisters::RegisterID, JSC::ARMRegisters::RegisterID, unsigned int>::generateInternal (this=0x76839ea8, jit=0x77feec28)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h:218
#3  0x04edf1f2 in JSC::DFG::SlowPathGenerator::generate (this=0x76839ea8, jit=0x77feec28) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h:56
#4  0x04ec8dd0 in JSC::DFG::SpeculativeJIT::runSlowPathGenerators (this=0x77feec28) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:355
#5  0x04e9e1fa in JSC::DFG::JITCompiler::compileFunction (this=0x77feff98, entry=..., entryWithArityCheck=...) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:342
#6  0x04e8f70e in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fb00af8, codeBlock=0x7678ba30, jitCode=..., jitCodeWithArityCheck=0x77151788, osrEntryBytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:161
#7  0x04e8ef94 in JSC::DFG::tryCompileFunction (exec=0x7fb00af8, codeBlock=0x7678ba30, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:179
#8  0x050121b0 in JSC::jitCompileFunctionIfAppropriate (exec=0x7fb00af8, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, 
    effort=JSC::JITCompilationCanFail) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITDriver.h:95
#9  0x050123ba in JSC::prepareFunctionForExecution (exec=0x7fb00af8, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, 
    kind=JSC::CodeForConstruct) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/ExecutionHarness.h:68
#10 0x05010ca6 in JSC::FunctionExecutable::compileForConstructInternal (this=0x77151758, exec=0x7fb00af8, scope=0x79f3d038, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/Executable.cpp:574
#11 0x0501056e in JSC::FunctionExecutable::compileOptimizedForConstruct (this=0x77151758, exec=0x7fb00af8, scope=0x79f3d038, bytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/Executable.cpp:474
#12 0x04dbedcc in JSC::FunctionExecutable::compileOptimizedFor (this=0x77151758, exec=0x7fb00af8, scope=0x79f3d038, bytecodeIndex=0, kind=JSC::CodeForConstruct)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/runtime/Executable.h:680
#13 0x04db8c80 in JSC::FunctionCodeBlock::compileOptimized (this=0x775b0400, exec=0x7fb00af8, scope=0x79f3d038, bytecodeIndex=0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2879
#14 0x04f859e6 in JSC::JITStubThunked_optimize (args=0x77ff0530) at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1912
#15 0x04f85920 in cti_optimize () at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1843
#16 0x04f83190 in JSC::tryCacheGetByID (callFrame=0x77ff05e0, codeBlock=0x76d5c86c, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x0)
    at /home/cgarcia/rim/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1009
#17 0x00000000 in ?? ()


The problem seems to be that TrustedImmPtr is called for an int32_t and the TrustedImmPtr that receives an int is called, which only expects a 0.
