[Webkit-unassigned] [Bug 117136] New: ASSERTION FAILED: !resolveResult.isStatic() in JSC::BytecodeGenerator::emitResolveWithBaseForPut

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 3 02:31:12 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=117136

           Summary: ASSERTION FAILED: !resolveResult.isStatic() in
                    JSC::BytecodeGenerator::emitResolveWithBaseForPut
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org


The following test triggers the assertion failure (see the backtrace below) in a debug build of WebKit:

// Reproducer from the report: a `const` binding that holds a function which
// decrements itself with postfix `--` inside its own body. Per the backtrace,
// compiling that `f--` (JSC::PostfixNode::emitResolve, frame #2) reaches
// JSC::BytecodeGenerator::emitResolveWithBaseForPut, where the
// `!resolveResult.isStatic()` assertion fires (BytecodeGenerator.cpp:1307).
// The report states this is observed in a debug build; release-build
// behaviour is not shown on this page.
function test() {
    const f = function() {
        if (f) {
            // `f--` is a postfix write to the `const` binding `f`; this is
            // the node being compiled when the assertion fails. The exact
            // shape of this statement is the reproducer — do not restyle it.
            f[f--] = new f();
        }
    };
    // The body of `f` is compiled for construction when it is first used as a
    // constructor (frame #22 shows kind=JSC::CodeForConstruct, reached from
    // llint_op_construct in frame #31), so the assertion fires on this call.
    return new f();
}

// Entry point of the reproducer; the script is evaluated from the jsc shell
// (runWithScripts at jsc.cpp:587, frame #39) and this call leads to the
// assertion failure in the backtrace below.
test();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1  0x00000000004ca244 in JSC::BytecodeGenerator::emitResolveWithBaseForPut (this=0xf5b0c0, baseDst=0xf5b448, propDst=0xf5b43c, resolveResult=..., 
    property=..., verifier=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:1307
#2  0x00000000004fd638 in JSC::PostfixNode::emitResolve (this=0xf51cd0, generator=..., dst=0xf5b430)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:647
#3  0x00000000004fdd11 in JSC::PostfixNode::emitBytecode (this=0xf51cd0, generator=..., dst=0xf5b430)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:697
#4  0x00000000004d3040 in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b430, n=0xf51cd0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:361
#5  0x00000000005076a5 in JSC::BytecodeGenerator::emitNodeForLeftHandSide (this=0xf5b0c0, n=0xf51cd0, rightHasAssignments=true, rightIsPure=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:418
#6  0x0000000000502060 in JSC::AssignBracketNode::emitBytecode (this=0xf51d98, generator=..., dst=0xf5b120)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1406
#7  0x00000000004d3040 in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51d98)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:361
#8  0x0000000000502b08 in JSC::ExprStatementNode::emitBytecode (this=0xf51dd8, generator=..., dst=0xf5b120)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1542
#9  0x00000000004d2f3e in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51dd8)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:346
#10 0x0000000000507d15 in JSC::SourceElements::emitBytecode (this=0xf51c68, generator=..., dst=0xf5b120)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1500
#11 0x000000000050299a in JSC::BlockNode::emitBytecode (this=0xf51df8, generator=..., dst=0xf5b120)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1519
#12 0x00000000004d2f3e in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51df8)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:346
#13 0x0000000000502f20 in JSC::IfElseNode::emitBytecode (this=0xf51e18, generator=..., dst=0xf5b120)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1610
#14 0x00000000004d2f3e in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51e18)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:346
#15 0x0000000000507d15 in JSC::SourceElements::emitBytecode (this=0xf51c28, generator=..., dst=0xf5b120)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1500
#16 0x000000000050299a in JSC::BlockNode::emitBytecode (this=0xf51e48, generator=..., dst=0xf5b120)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1519
#17 0x00000000004d2f3e in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51e48)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:346
#18 0x0000000000507d15 in JSC::SourceElements::emitBytecode (this=0xf51c10, generator=..., dst=0xf5b120)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1500
#19 0x0000000000507e14 in JSC::ScopeNode::emitStatementsBytecode (this=0xf44ba0, generator=..., dst=0xf5b120)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2135
#20 0x00000000005061a6 in JSC::FunctionBodyNode::emitBytecode (this=0xf44ba0, generator=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2171
#21 0x00000000004c3bf1 in JSC::BytecodeGenerator::generate (this=0xf5b0c0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:86
#22 0x00000000004bcece in JSC::generateFunctionCodeBlock (vm=..., scope=0x7fffb211ffb0, executable=0x7fffb213ff20, source=..., kind=JSC::CodeForConstruct, 
    debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:66
#23 0x00000000004bd677 in JSC::UnlinkedFunctionExecutable::codeBlockFor (this=0x7fffb213ff20, vm=..., scope=0x7fffb211ffb0, source=..., 
    specializationKind=JSC::CodeForConstruct, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:155
#24 0x00000000007337f5 in JSC::FunctionExecutable::produceCodeBlockFor (this=0x7fffb217fc70, scope=0x7fffb211ffb0, specializationKind=JSC::CodeForConstruct, 
    exception=@0x7fffffffca00: 0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:502
#25 0x0000000000733d5a in JSC::FunctionExecutable::compileForConstructInternal (this=0x7fffb217fc70, exec=0x7fffb21c20e8, scope=0x7fffb211ffb0, 
    jitType=JSC::JITCode::BaselineJIT, bytecodeIndex=4294967295) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:564
#26 0x00000000005bd456 in JSC::FunctionExecutable::compileForConstruct (this=0x7fffb217fc70, exec=0x7fffb21c20e8, scope=0x7fffb211ffb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.h:637
#27 0x00000000005bd5eb in JSC::FunctionExecutable::compileFor (this=0x7fffb217fc70, exec=0x7fffb21c20e8, scope=0x7fffb211ffb0, kind=JSC::CodeForConstruct)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.h:669
#28 0x000000000069abac in JSC::LLInt::setUpCall (execCallee=0x7fffb21c20e8, pc=0xf56598, kind=JSC::CodeForConstruct, calleeAsValue=..., callLinkInfo=0xf42ed0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1392
#29 0x000000000069afeb in JSC::LLInt::genericCall (exec=0x7fffb21c20a0, pc=0xf56598, kind=JSC::CodeForConstruct)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1434
#30 0x00000000006980ec in JSC::LLInt::llint_slow_path_construct (exec=0x7fffb21c20a0, pc=0xf56598)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1446
#31 0x000000000069ef3e in llint_op_construct ()
#32 0x00007fffb21c2058 in ?? ()
#33 0x0000000000f40950 in ?? ()
#34 0x00007fffffffcd30 in ?? ()
#35 0x00000000006483c7 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#36 0x0000000000647226 in JSC::JITCode::execute (this=0x7fffb217fe90, stack=0xf40950, callFrame=0x7fffb21c2058, vm=0xf317e0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.h:135
#37 0x0000000000644747 in JSC::Interpreter::execute (this=0xf40940, program=0x7fffb217fe70, callFrame=0x7ffff7f5fb78, thisObj=0x7ffff7e6feb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:976
#38 0x00000000007292c0 in JSC::evaluate (exec=0x7ffff7f5fb78, source=..., thisValue=..., returnedException=0x7fffffffda10)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#39 0x000000000040fdcd in runWithScripts (globalObject=0x7ffff7f5f970, scripts=..., dump=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:587
#40 0x0000000000410b3d in jscmain (argc=2, argv=0x7fffffffdc98) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:803
