[Webkit-unassigned] [Bug 115796] New: ASSERTION FAILED: callFrame->lexicalGlobalObject() == globalObject : JSValue JSC::JSScope::resolveGlobal(CallFrame *, const Identifier &, JSGlobalObject *, ResolveOperation *)
bugzilla-daemon at webkit.org
Wed May 8 05:37:29 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=115796
Summary: ASSERTION FAILED: callFrame->lexicalGlobalObject() == globalObject : JSValue JSC::JSScope::resolveGlobal(CallFrame *, const Identifier &, JSGlobalObject *, ResolveOperation *)
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: simon.pena at samsung.com
Created an attachment (id=201061)
--> (https://bugs.webkit.org/attachment.cgi?id=201061&action=review)
Test case demonstrating the issue. Run in a web server.
We are using the GTK+ 64-bit port, with r149667.
We have a scenario where we are repeatedly calling a JavaScript
method in an iframe which interacts with other JavaScript in the
parent document.
We are using setTimeout / setInterval to get these periodic calls, and
with JIT enabled, after the method is called enough times, the
following assertion will fail:
ASSERT_UNUSED(globalObject, callFrame->lexicalGlobalObject() == globalObject);
which is in JSC::JSScope::resolveGlobal at Source/JavaScriptCore/runtime/JSScope.cpp:619
#0 0x00007f22cc502186 in JSC::JSScope::resolveGlobal (callFrame=0x7f216e3ed058, identifier=, globalObject=0x7f217005f470, resolveOperation=0x8470e0) at ../../Source/JavaScriptCore/runtime/JSScope.cpp:619
#1 0x00007f22cc2e7625 in JSC::DFG::operationResolveGlobal (exec=0x7f216e3ed058, resolveOperation=0x8470e0, globalObject=0x7f217005f470, propertyName=0xa9ebb8) at ../../Source/JavaScriptCore/dfg/DFGOperations.cpp:1263
#2 0x00007f227f38459c in ?? ()
#3 0x00007f216e3ed058 in ?? ()
#4 0x0000000000000008 in ?? ()
#5 0x00007fffc9ff3140 in ?? ()
#6 0x00007f22cc3b40d1 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at ../../Source/JavaScriptCore/interpreter/JSStackInlines.h:213
#7 0x00007f22cc3b2e00 in JSC::JITCode::execute (this=0x7f217010f690, stack=0x8db600, callFrame=0x7f216e3ed058, vm=0x9625b0) at ../../Source/JavaScriptCore/jit/JITCode.h:135
#8 0x00007f22cc3b0704 in JSC::Interpreter::executeCall (this=0x8db5f0, callFrame=0x7f217005f078, function=0x7f21700ae3b0, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1052
With JIT disabled, our scenario works fine. It is worth noting that
with a simpler version of our changeColor method the crash won't
appear (I am not familiar with JSC and JIT, but it might be that the
method would be so simple that it doesn't need to be compiled?)
Also, when the same functionality is done without involving iframes,
the crash doesn't happen.
I am attaching a test case which triggers the bug with GtkLauncher and
MiniBrowser, the full stack trace for both, and a core file resulting
from running GtkLauncher.
In order to run the test, maybe a web server will be needed to avoid
the different origin security warnings.