[Webkit-unassigned] [Bug 119395] Crash in JSCell::methodTable under errorDescriptionForValue()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Aug 16 11:51:57 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119395

--- Comment #8 from peavo at outlook.com  2013-08-16 11:51:29 PST ---
(In reply to comment #7)
> (In reply to comment #6)
> > I'm frequently getting this crash. Trying another patch, but I assume it's not sufficient, as it doesn't address the root cause of the crash, but only avoids it :) I have not yet been able to figure out the origin of the empty JSValue.
> 
> The original backtrace seems to indicate that you got the empty JSValue from inside the baseline JIT (cti_op_blah_blah_blah is a baseline JIT stub). Have you tried disabling the JITs to see if the issue goes away? You can do this by setting "useJIT() = false;" in Options::initialize in Options.cpp and recompiling. If that makes the problem go away then try just disabling the top tier JIT by setting "useDFGJIT() = false;" in the same manner (and removing "useJIT() = false;" where you added it previously). These experiments will tell us which execution engine (the LLInt, the baseline JIT, or the DFG JIT) is responsible for the empty JSValue you're seeing.
> 
> This all should take < 5 minutes to build both versions. How long does it usually take to see this crash when browsing around the web?

Thanks for the response!

I tried setting "useJIT() = false;", but I get the same crash. I believe both LLInt and the DFG JIT are disabled on Windows, so I guess there's no fallback, so baseline JIT is used regardless? I get the same stack trace with cti_op_get_by_val_generic, which indicates this. Should I try to enable the DFG JIT? I usually see the crash quickly (within minutes or less) when browsing around. It happens every time when I visit www.sfgate.com.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.