[Webkit-unassigned] [Bug 107257] New: [GTK] fast/js/toString-stack-overflow.html is crashing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 18 04:17:39 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=107257

           Summary: [GTK] fast/js/toString-stack-overflow.html is crashing
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Keywords: Gtk, LayoutTestFailure
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: zandobersek at gmail.com


http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&showAllRuns=true&tests=fast%2Fjs%2FtoString-stack-overflow.html
No specific regression range ... yet.

Crash log for DumpRenderTree (pid 25347):

...
[New LWP 25357]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002b795b2e10ac in JSC::ConservativeRoots::genericAddSpan<JSC::DummyMarkHook> (this=0x7ffff6938160, begin=0x7ffff6938e20, end=0x7ffff7fd7000, markHook=...) at ../../Source/JavaScriptCore/heap/ConservativeRoots.cpp:97
97        ASSERT((static_cast<char*>(end) - static_cast<char*>(begin)) < 0x1000000);

...

Thread 1 (Thread 0x2b796a139680 (LWP 25347)):
#0  0x00002b795b2e10ac in JSC::ConservativeRoots::genericAddSpan<JSC::DummyMarkHook> (this=0x7ffff6938160, begin=0x7ffff6938e20, end=0x7ffff7fd7000, markHook=...) at ../../Source/JavaScriptCore/heap/ConservativeRoots.cpp:97
#1  0x00002b795b2e0702 in JSC::ConservativeRoots::add (this=0x7ffff6938160, begin=0x7ffff6938e20, end=0x7ffff7fd7000) at ../../Source/JavaScriptCore/heap/ConservativeRoots.cpp:114
#2  0x00002b795b2f8e37 in JSC::MachineThreads::gatherFromCurrentThread (this=0x28860b8, conservativeRoots=..., stackCurrent=0x7ffff6938e20) at ../../Source/JavaScriptCore/heap/MachineStackMarker.cpp:263
#3  0x00002b795b2f9025 in JSC::MachineThreads::gatherConservativeRoots (this=0x28860b8, conservativeRoots=..., stackCurrent=0x7ffff6938e20) at ../../Source/JavaScriptCore/heap/MachineStackMarker.cpp:475
#4  0x00002b795b2eb810 in JSC::Heap::markRoots (this=0x2882fc8, fullGC=true) at ../../Source/JavaScriptCore/heap/Heap.cpp:440
#5  0x00002b795b2ec2e0 in JSC::Heap::collect (this=0x2882fc8, sweepToggle=JSC::Heap::DoNotSweep) at ../../Source/JavaScriptCore/heap/Heap.cpp:748
#6  0x00002b795b2eaffe in JSC::Heap::reportExtraMemoryCostSlowCase (this=0x2882fc8, cost=17784) at ../../Source/JavaScriptCore/heap/Heap.cpp:309
#7  0x00002b795b1167d5 in JSC::Heap::reportExtraMemoryCost (this=0x2882fc8, cost=17784) at ../../Source/JavaScriptCore/heap/Heap.h:380
#8  0x00002b795b133383 in JSC::JSString::finishCreation (this=0x2b79b088cea0, globalData=..., length=17784, cost=17784) at ../../Source/JavaScriptCore/runtime/JSString.h:107
#9  0x00002b795b1334a2 in JSC::JSString::create (globalData=..., value=...) at ../../Source/JavaScriptCore/runtime/JSString.h:127
#10 0x00002b795b133603 in JSC::jsString (globalData=0x2882f70, s="0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,"...) at ../../Source/JavaScriptCore/runtime/JSString.h:395
#11 0x00002b795b133647 in JSC::jsString (exec=0x2b79b0085c48, s="0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,"...) at ../../Source/JavaScriptCore/runtime/JSString.h:458
#12 0x00002b795b3ea07d in JSC::arrayProtoFuncToString (exec=0x2b79b0085c48) at ../../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:348
#13 0x00002b795b3114c5 in JSC::Interpreter::executeCall (this=0x2b79ac0067f0, callFrame=0x2b79b0085bf0, function=0x2b79b064d500, callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1058
#14 0x00002b795b3f5c71 in JSC::call (exec=0x2b79b0085bf0, functionObject=..., callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:40
#15 0x00002b795b44bb59 in JSC::callDefaultValueFunction (exec=0x2b79b0085bf0, object=0x2b79b0c21940, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1362
#16 0x00002b795b44bd26 in JSC::JSObject::defaultValue (object=0x2b79b0c21940, exec=0x2b79b0085bf0, hint=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1383
#17 0x00002b795b427aad in JSC::JSObject::toPrimitive (this=0x2b79b0c21940, exec=0x2b79b0085bf0, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.h:1400
#18 0x00002b795b427481 in JSC::JSCell::toPrimitive (this=0x2b79b0c21940, exec=0x2b79b0085bf0, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSCell.cpp:145
#19 0x00002b795b46dd44 in JSC::JSValue::toStringSlowCase (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:308
#20 0x00000000004b71d3 in JSC::JSValue::toString (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSString.h:511
#21 0x00002b795b3efed3 in JSC::inlineJSValueNotStringtoString (value=..., exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSString.h:536
#22 0x00002b795b46ddff in JSC::JSValue::toWTFStringSlowCase (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:317
#23 0x00002b795b3efd1a in JSC::JSValue::toWTFString (this=0x7ffff693a7a0, exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/JSString.h:518
#24 0x00002b795b3e9d7e in JSC::arrayProtoFuncToString (exec=0x2b79b0085bf0) at ../../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:320
#25 0x00002b795b3114c5 in JSC::Interpreter::executeCall (this=0x2b79ac0067f0, callFrame=0x2b79b0085b98, function=0x2b79b064d500, callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1058
#26 0x00002b795b3f5c71 in JSC::call (exec=0x2b79b0085b98, functionObject=..., callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:40
#27 0x00002b795b44bb59 in JSC::callDefaultValueFunction (exec=0x2b79b0085b98, object=0x2b79b0c21920, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1362
#28 0x00002b795b44bd26 in JSC::JSObject::defaultValue (object=0x2b79b0c21920, exec=0x2b79b0085b98, hint=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:1383
#29 0x00002b795b427aad in JSC::JSObject::toPrimitive (this=0x2b79b0c21920, exec=0x2b79b0085b98, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.h:1400
#30 0x00002b795b427481 in JSC::JSCell::toPrimitive (this=0x2b79b0c21920, exec=0x2b79b0085b98, preferredType=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSCell.cpp:145
#31 0x00002b795b46dd44 in JSC::JSValue::toStringSlowCase (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:308
#32 0x00000000004b71d3 in JSC::JSValue::toString (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSString.h:511
#33 0x00002b795b3efed3 in JSC::inlineJSValueNotStringtoString (value=..., exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSString.h:536
#34 0x00002b795b46ddff in JSC::JSValue::toWTFStringSlowCase (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSValue.cpp:317
#35 0x00002b795b3efd1a in JSC::JSValue::toWTFString (this=0x7ffff693b680, exec=0x2b79b0085b98) at ../../Source/JavaScriptCore/runtime/JSString.h:518
(The last 12 frames loop.)

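The looping frames above (arrayProtoFuncToString calling toWTFString on an element, which goes through toPrimitive and defaultValue back into arrayProtoFuncToString) are what a deeply nested array produces when it is stringified. The script below is an added example, not the source of fast/js/toString-stack-overflow.html and not WebKit code: the exact shape of that test is not on this page, so the nesting built here is an assumption, and only the recursion pattern is taken from the backtrace. It is written for a current engine (Node.js), where the expected outcome is a catchable RangeError rather than native stack exhaustion; whether the JSC build in the report reached an ASSERT or a real overflow first is not something the example can show.

```javascript
// Added example: drive Array.prototype.toString recursion with a deeply
// nested array. The test's real structure is unknown (assumption); the
// numbers 0..innerLength-1 at the bottom mirror the "0,1,2,..." string
// visible in the crash log's jsString frame.

// Build [[[...[0, 1, ..., innerLength-1]...]]] with `depth` wrappers.
function makeNested(depth, innerLength) {
  let a = [];
  for (let i = 0; i < innerLength; i++) a.push(i);
  for (let d = 0; d < depth; d++) a = [a];
  return a;
}

// Stringify and report either the result length or the error class.
// Array.prototype.join stringifies its single element, so every wrapper
// adds no characters; the cost is purely recursion depth. A sound engine
// ends a runaway recursion with a catchable error, never by exhausting
// the native stack inside the conservative GC scan.
function stringifyNested(depth, innerLength) {
  const a = makeNested(depth, innerLength);
  try {
    return { ok: true, length: String(a).length };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Shallow case joins normally; deep case must fail cleanly.
console.log(stringifyNested(1, 70));       // { ok: true, length: 199 }
console.log(stringifyNested(200000, 70));  // { ok: false, error: 'RangeError' }
```

The depth at which the error fires depends on the engine's stack limit, so a regression test for this class of bug should pick a depth far beyond any sane limit (as above) and assert on the error type, not on a specific depth.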