[Webkit-unassigned] [Bug 117140] New: ASSERTION FAILED: m_isCheckingArgumentTypes || m_canExit in JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 3 04:45:00 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=117140

           Summary: ASSERTION FAILED: m_isCheckingArgumentTypes ||
                    m_canExit in
                    JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutio
                    n.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
            Blocks: 116980


The test fails in debug webkit:

function test() {
    for (var blockAlign = blockAlign; "\n" + blockAlign; -blockAlign) {
        blockAlign = "typeof new Boolean(-1)";
    }
    new blockAlign();
}

test();


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1  0x00000000005d774e in JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution (this=0x7fffffffa820, kind=JSC::Uncountable, jsValueRegs=..., node=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:308
#2  0x0000000000605a0d in JSC::DFG::SpeculativeJIT::fillSpeculateCell (this=0x7fffffffa820, edge=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1186
#3  0x00000000005f2eb9 in JSC::DFG::SpeculateCellOperand::gpr (this=0x7fffffff6a00)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2780
#4  0x00000000005f2d98 in JSC::DFG::SpeculateCellOperand::SpeculateCellOperand (this=0x7fffffff6a00, jit=0x7fffffffa820, edge=..., 
    mode=JSC::DFG::AutomaticOperandSpeculation) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2755
#5  0x00000000005e36cc in JSC::DFG::SpeculativeJIT::compileMakeRope (this=0x7fffffffa820, node=0x7fffb20f0620)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3168
#6  0x000000000060b1d1 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa820, node=0x7fffb20f0620)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2170
#7  0x00000000005dcf59 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa820, block=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1795
#8  0x00000000005dd666 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa820)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1913
#9  0x00000000005ac2ea in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffb450, speculative=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108
#10 0x00000000005ad503 in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffb450, entry=..., entryWithArityCheck=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302
#11 0x000000000059ac1e in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fffb21c20a0, codeBlock=0xf42e30, jitCode=..., 
    jitCodeWithArityCheck=0x7fffb217fdc0, osrEntryBytecodeIndex=9) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:164
#12 0x000000000059a424 in JSC::DFG::tryCompileFunction (exec=0x7fffb21c20a0, codeBlock=0xf42e30, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=9)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:182
#13 0x00000000007355af in JSC::jitCompileFunctionIfAppropriate (exec=0x7fffb21c20a0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., 
---Type <return> to continue, or q <return> to quit---
    jitType=JSC::JITCode::DFGJIT, bytecodeIndex=9, effort=JSC::JITCompilationCanFail)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITDriver.h:95
#14 0x00000000007358a1 in JSC::prepareFunctionForExecution (exec=0x7fffb21c20a0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., 
    jitType=JSC::JITCode::DFGJIT, bytecodeIndex=9, kind=JSC::CodeForCall)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/ExecutionHarness.h:68
#15 0x0000000000733c40 in JSC::FunctionExecutable::compileForCallInternal (this=0x7fffb217fd70, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, 
    jitType=JSC::JITCode::DFGJIT, bytecodeIndex=9) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:539
#16 0x0000000000733441 in JSC::FunctionExecutable::compileOptimizedForCall (this=0x7fffb217fd70, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, bytecodeIndex=9)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:464
#17 0x000000000048430c in JSC::FunctionExecutable::compileOptimizedFor (this=0x7fffb217fd70, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, bytecodeIndex=9, 
    kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.h:679
#18 0x000000000047e87c in JSC::FunctionCodeBlock::compileOptimized (this=0xf51be0, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, bytecodeIndex=9)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2843
#19 0x0000000000677f24 in JSC::cti_optimize (args=0x7fffffffccd0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:1964
#20 0x00000000006750f9 in JSC::tryCacheGetByID (callFrame=0x7fffb21c20a0, codeBlock=0x7ffff7f5f970, returnAddress=..., baseValue=..., propertyName=..., 
    slot=..., stubInfo=0x7fff00000009) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:1068
#21 0x00007fffb21c2058 in ?? ()
#22 0x00007fff00000009 in ?? ()
#23 0x00007ffff7f7f530 in ?? ()
#24 0x00000000006483c7 in JSC::JSStack::installTrapsAfterFrame (this=0xa88d8b4810244c89, frame=0x48fffffeb88d8b48)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list