[Webkit-unassigned] [Bug 118498] New: ASSERTION FAILED: callFrame == vm->topCallFrame || callFrame == callFrame->lexicalGlobalObject()->globalExec() || callFrame == callFrame->dynamicGlobalObject()->globalExec() in JSC::Interpreter::addStackTraceIfNecessary

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 9 02:06:10 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=118498

           Summary: ASSERTION FAILED: callFrame == vm->topCallFrame ||
                    callFrame ==
                    callFrame->lexicalGlobalObject()->globalExec() ||
                    callFrame ==
                    callFrame->dynamicGlobalObject()->globalExec() in
                    JSC::Interpreter::addStackTraceIfNecessary
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
            Blocks: 116980


The following script fails the assertion above:

function test() {
    var myObj = {
        toString: function() {
            throw typeof new myObj();
        },
    };
    var help = [ 1, 2 ];
    var l2 = help[myObj];

}

test();


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004352e0 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:339
339        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00000000004352e0 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:339
#1  0x000000000049322d in JSC::Interpreter::addStackTraceIfNecessary (callFrame=0x7fffb44f3e08, error=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/interpreter/Interpreter.cpp:655
#2  0x00000000004ebb41 in JSC::throwError (exec=0x7fffb44f3e08, error=0x7ffff7e8ff08)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/Error.cpp:165
#3  0x00000000004ec92d in JSC::throwStackOverflowError (exec=0x7fffb44f3e08)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:141
#4  0x0000000000494e1a in JSC::Interpreter::executeCall (this=0xeec600, callFrame=0x7fffb44f3e08, function=0x7ffff7ececb0, callType=JSC::CallTypeJS, 
    callData=..., thisValue=<incomplete type>, args=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/interpreter/Interpreter.cpp:961
#5  0x00000000004e2a87 in JSC::call (exec=0x7fffb44f3e08, functionObject=<incomplete type>, callType=JSC::CallTypeJS, callData=..., 
    thisValue=<incomplete type>, args=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/CallData.cpp:40
#6  0x0000000000532444 in JSC::callDefaultValueFunction (exec=0x7fffb44f3e08, object=0x7ffff7e8ff20, propertyName=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/JSObject.cpp:1344
#7  0x00000000005325d9 in JSC::JSObject::defaultValue (object=0x7ffff7e8ff20, exec=0x7fffb44f3e08, hint=JSC::PreferString)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/JSObject.cpp:1365
#8  0x000000000050ab6b in JSC::JSObject::toPrimitive (this=0x7ffff7e8ff20, exec=0x7fffb44f3e08, preferredType=JSC::PreferString)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/JSObject.h:1402
#9  0x000000000050a645 in JSC::JSCell::toPrimitive (this=0x7ffff7e8ff20, exec=0x7fffb44f3e08, preferredType=JSC::PreferString)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/JSCell.cpp:145
#10 0x000000000055365c in JSC::JSValue::toStringSlowCase (this=0x7fffff81f290, exec=0x7fffb44f3e08)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/JSCJSValue.cpp:314
#11 0x0000000000424a47 in JSC::JSValue::toString (this=0x7fffff81f290, exec=0x7fffb44f3e08)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/JSString.h:530
#12 0x00000000004ec55d in JSC::createNotAConstructorError (exec=0x7fffb44f3e08, value=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:98
#13 0x00000000004ad708 in JSC::cti_op_construct_NotJSConstruct (args=0x7fffff81f370)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/jit/JITStubs.cpp:2467
#14 0x00000000004a8cb4 in JSC::tryCacheGetByID (callFrame=0xff81f300, codeBlock=0x4ad708 <JSC::cti_op_construct_NotJSConstruct(void**)+207>, 
    returnAddress=<incomplete type>, baseValue=<incomplete type>, propertyName=..., slot=..., stubInfo=0xeec610)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/jit/JITStubs.cpp:1068
#15 0x00007fffb44f3e08 in ?? ()
#16 0x0000000000eec610 in ?? ()
#17 0x00007fffff81f3d0 in ?? ()
#18 0x000000000049b609 in JSC::JSStack::installTrapsAfterFrame (this=0x588d8b4810244c89, frame=0x48ffffff688d8b48)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
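The re-entrancy chain visible in frames #12 through #3 (the "not a constructor" error message is built by calling toString() on the operand, whose toString performs the same bad `new`, until the stack is exhausted and throwStackOverflowError runs) modelled in plain JavaScript. This is an added example, not JSC code: `constructUnsafe`, `constructSafe` and `runRepro` are hypothetical stand-ins for the engine's error path, and the exact recursion depth and overflow error class depend on the host engine.

```javascript
// Hypothetical model of an engine's "not a constructor" path that builds its
// message by stringifying the offending value. The String() call runs user
// code (value.toString), so a toString that re-enters the failing `new`
// recurses until the stack overflows. The error that finally escapes is a
// stack overflow, not the TypeError the engine meant to raise; in the report
// above that overflow path is where the assertion fires.
function constructUnsafe(value, depth) {
  depth.count++;
  if (typeof value !== "function") {
    // Message construction re-enters user code here.
    throw new TypeError(String(value) + " is not a constructor");
  }
  return new value();
}

// Hardened variant: describe objects without running their toString, so
// error reporting can never re-enter user code.
function constructSafe(value, depth) {
  depth.count++;
  if (typeof value !== "function") {
    const desc =
      value !== null && typeof value === "object" ? "[object]" : String(value);
    throw new TypeError(desc + " is not a constructor");
  }
  return new value();
}

// Runs the report's pattern (constructed input) against one construct
// implementation; returns the escaping error class and how many times the
// error path was entered.
function runRepro(construct) {
  const depth = { count: 0 };
  const myObj = {
    toString: function () {
      // Same shape as the bug's script: toString re-enters the bad `new`.
      throw typeof construct(myObj, depth);
    },
  };
  try {
    construct(myObj, depth);
  } catch (e) {
    return { error: e.constructor.name, depth: depth.count };
  }
  return { error: null, depth: depth.count };
}

console.log("unsafe:", runRepro(constructUnsafe)); // RangeError, deep re-entry
console.log("safe:  ", runRepro(constructSafe));   // TypeError, depth 1
```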
