[Webkit-unassigned] [Bug 119895] New: ASSERTION FAILED: item.cell()->structure()->classInfo()->methodTable.copyBackingStore == JSObject::copyBackingStore

bugzilla-daemon at webkit.org
Fri Aug 16 09:08:18 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119895

           Summary: ASSERTION FAILED: item.cell()->structure()->classInfo()->methodTable.copyBackingStore == JSObject::copyBackingStore
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: simon.pena at samsung.com


The Quake 3 WebGL Demo at http://media.tojicode.com/q3bsp/ crashes in an assertion in WebKitGTK (in both WK1 and WK2).

ASSERT(item.cell()->structure()->classInfo()->methodTable.copyBackingStore == JSObject::copyBackingStore)
#0  0x00007ffff2113d51 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff1edba02 in JSC::CopyVisitor::visitItem (this=0x7fff7000bee0, item=...) at ../../Source/JavaScriptCore/heap/CopyVisitorInlines.h:40
#2  0x00007ffff1edb4d6 in JSC::CopyVisitor::copyFromShared (this=0x7fff7000bee0) at ../../Source/JavaScriptCore/heap/CopyVisitor.cpp:57
#3  0x00007ffff1ee7294 in JSC::Heap::copyBackingStores (this=0x7fff70003018) at ../../Source/JavaScriptCore/heap/Heap.cpp:618
#4  0x00007ffff1ee7994 in JSC::Heap::collect (this=0x7fff70003018, sweepToggle=JSC::Heap::DoNotSweep) at ../../Source/JavaScriptCore/heap/Heap.cpp:780
#5  0x00007ffff1ee7cde in JSC::Heap::collectIfNecessaryOrDefer (this=0x7fff70003018) at ../../Source/JavaScriptCore/heap/Heap.cpp:862
#6  0x00007ffff1ef7d1a in JSC::MarkedAllocator::allocateSlowCase (this=0x7fff70008d90, bytes=16) at ../../Source/JavaScriptCore/heap/MarkedAllocator.cpp:87
#7  0x00007ffff1cc00de in JSC::MarkedAllocator::allocate (this=0x7fff70008d90, bytes=16) at ../../Source/JavaScriptCore/heap/MarkedAllocator.h:82
#8  0x00007ffff1cc10f2 in JSC::MarkedSpace::allocateWithoutDestructor (this=0x7fff700032a0, bytes=16) at ../../Source/JavaScriptCore/heap/MarkedSpace.h:205
#9  0x00007ffff1cc1380 in JSC::Heap::allocateWithoutDestructor (this=0x7fff70003018, bytes=16) at ../../Source/JavaScriptCore/heap/Heap.h:420
#10 0x00007ffff1cdd4b1 in JSC::allocateCell<JSC::JSArray> (heap=..., size=16) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:99
#11 0x00007ffff1cdc4fe in JSC::allocateCell<JSC::JSArray> (heap=...) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:107
#12 0x00007ffff1cda98f in JSC::JSArray::create (vm=..., structure=0x7fff8010cf70, initialLength=3) at ../../Source/JavaScriptCore/runtime/JSArray.h:225
#13 0x00007ffff1e3b339 in JSC::DFG::operationNewArrayWithSize (exec=0x7fff47c00408, arrayStructure=0x7fff8010cf70, size=3) at ../../Source/JavaScriptCore/dfg/DFGOperations.cpp:1359

With JSC_useDFGJIT=false, the stack trace is different:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1ae8088 in JSC::IndexingHeader::vectorLength (this=0x7fff3c168040) at ../../Source/JavaScriptCore/runtime/IndexingHeader.h:57
57        uint32_t vectorLength() const { return u.lengths.vectorLength; }
(gdb) bt
#0  0x00007ffff1ae8088 in JSC::IndexingHeader::vectorLength (this=0x7fff3c168040) at ../../Source/JavaScriptCore/runtime/IndexingHeader.h:57
#1  0x00007ffff1c4cf40 in JSC::ArrayStorage::vectorLength (this=0x7fff3c168048) at ../../Source/JavaScriptCore/runtime/ArrayStorage.h:61
#2  0x00007ffff1e72c61 in JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage (this=0x7fff9404b170, exec=0x7fff77c000a8, i=100000, value=..., attributes=0, mode=JSC::PutDirectIndexLikePutDirect, storage=0x7fff3c168048)
    at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2062
#3  0x00007ffff1e735f6 in JSC::JSObject::putDirectIndexBeyondVectorLength (this=0x7fff9404b170, exec=0x7fff77c000a8, i=100000, value=..., attributes=0, mode=JSC::PutDirectIndexLikePutDirect) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2196
#4  0x00007ffff3a2919d in JSC::JSObject::putDirectIndex (this=0x7fff9404b170, exec=0x7fff77c000a8, propertyName=100000, value=..., attributes=0, mode=JSC::PutDirectIndexLikePutDirect) at ../../Source/JavaScriptCore/runtime/JSObject.h:182
#5  0x00007ffff3a291da in JSC::JSObject::putDirectIndex (this=0x7fff9404b170, exec=0x7fff77c000a8, propertyName=100000, value=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:186
#6  0x00007ffff3ad3743 in WebCore::CloneDeserializer::putProperty (this=0x7fffffffbec0, object=0x7fff9404b170, index=100000, value=...) at ../../Source/WebCore/bindings/js/SerializedScriptValue.cpp:1256
#7  0x00007ffff3acea97 in WebCore::CloneDeserializer::deserialize (this=0x7fffffffbec0) at ../../Source/WebCore/bindings/js/SerializedScriptValue.cpp:1611
#8  0x00007ffff3ad2f94 in WebCore::CloneDeserializer::deserialize (exec=0x7fff77c000a8, globalObject=0x7fff9402f970, messagePorts=0x7fffffffc040, arrayBufferContentsArray=0x7fff540f5fc0, buffer=WTF::Vector of length 5587771, capacity 5593233 = {...})
    at ../../Source/WebCore/bindings/js/SerializedScriptValue.cpp:1006
#9  0x00007ffff3acfb2b in WebCore::SerializedScriptValue::deserialize (this=0x7fff540f5fe0, exec=0x7fff77c000a8, globalObject=0x7fff9402f970, messagePorts=0x7fffffffc040, throwExceptions=WebCore::NonThrowing)
    at ../../Source/WebCore/bindings/js/SerializedScriptValue.cpp:1836
#10 0x00007ffff3a8b7a6 in WebCore::JSMessageEvent::data (this=0x7fff9406b910, exec=0x7fff77c000a8) at ../../Source/WebCore/bindings/js/JSMessageEventCustom.cpp:67
#11 0x00007ffff480ecd2 in WebCore::jsMessageEventData (exec=0x7fff77c000a8, slotBase=...) at DerivedSources/WebCore/JSMessageEvent.cpp:251
#12 0x00007ffff1d4f8d9 in JSC::cti_op_get_by_id_custom_stub (args=0x7fffffffc150) at ../../Source/JavaScriptCore/jit/JITStubs.cpp:730
#13 0x00007ffff1d4e011 in JSC::tryCacheGetByID (callFrame=0x7fff9406b910, codeBlock=0xc4b610, returnAddress=..., baseValue=..., 
    propertyName="\000=\000\000\000\000\000\000\000>\001=\000\000\000\000$\000\000\000=\000\000\000\000=\000>\002=>\002==\000\000\000\000\000\001\000\000\000\001\000\000\002\000\000=\000\000\000\001\000\000\001\000\001%\000\001\000\000\000\001\000\000\000\002\000\000\000\000\002\000\000>\002=>\002=\001\000\000\000\006\001\000\000\a\005\006\004\000=\025\000\000\000\000\000\000\000\002\001>\003=\000\000\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000=\000\000\000\000\000\000\000B\000====\000==\000\000\006\000\000\000\000\000>\003=\000\000\000=\000\004\000\000\000\000\000==\000\000\004\000===\000\000\000\000==\000===\000\000\002>\004=\000\000\000\000=\000\000\000\000"..., slot=..., stubInfo=0x7fff9406b910) at ../../Source/JavaScriptCore/jit/JITStubs.cpp:276
#14 0x00007fffffffc1a0 in ?? ()
#15 0x00007fff9406b910 in ?? ()
#16 0x00007ffff480ec93 in WebCore::jsMessageEventSource (exec=0x7fffa4d4e6af, slotBase=...) at DerivedSources/WebCore/JSMessageEvent.cpp:245
#17 0x0000000000c9d510 in ?? ()
#18 0x00007fffa4d4cf05 in ?? ()
#19 0x0000000000f4a290 in ?? ()
#20 0x00007fffffffc1a0 in ?? ()
#21 0x00007ffff1d32410 in JSC::MacroAssemblerCodeRef::operator! (this=0xc35d5b48c48348d0) at ../../Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h:409
