[Webkit-unassigned] [Bug 120591] New: ASSERTION FAILED: to.isSet() in JSC::X86Assembler::linkJump
bugzilla-daemon at webkit.org
Sun Sep 1 23:48:27 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=120591
Summary: ASSERTION FAILED: to.isSet() in JSC::X86Assembler::linkJump
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: reni at webkit.org
Blocks: 116980
Created an attachment (id=210263)
--> (https://bugs.webkit.org/attachment.cgi?id=210263&action=review)
Test case
The failing test was checked on x86_64 Linux (Ubuntu 13.04):
function foo() {}
function test() {
    var start = true;
    while (start++)
        if (+start.push)
            foo();
    return function() {
        return start;
    };
}
test();
The backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x000000000088e079 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x000000000088e079 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1 0x00000000005386a6 in JSC::X86Assembler::linkJump (this=0x7fffffffc360, from=..., to=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/assembler/X86Assembler.h:1886
#2 0x00000000005cb01f in JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::linkTo (this=0x10d4618, label=..., masm=0x7fffffffc360)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:592
#3 0x000000000064176c in JSC::DFG::SpeculativeJIT::linkBranches (this=0x10d4100)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:5370
#4 0x00000000006315d2 in JSC::DFG::SpeculativeJIT::compile (this=0x10d4100)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1883
#5 0x00000000005c63ac in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffc360)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:117
#6 0x00000000005c7f6c in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffc360)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:382
#7 0x0000000000618e05 in JSC::DFG::Plan::compileInThreadImpl (this=0x10d1e50, longLivedState=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:259
#8 0x00000000006188a9 in JSC::DFG::Plan::compileInThread (this=0x10d1e50, longLivedState=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:114
#9 0x00000000005a93e2 in JSC::DFG::compileImpl (exec=0x7fffb1fa20a0, codeBlock=0x10d0620, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=14, callback=...,
worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:128
#10 0x00000000005a9481 in JSC::DFG::compile (exec=0x7fffb1fa20a0, codeBlock=0x10d0620, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=14, passedCallback=...,
worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:147
#11 0x00000000006d6644 in JSC::cti_optimize (args=0x7fffffffcb30) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:1048
#12 0x00000000006d377f in JSC::tryCacheGetByID (callFrame=0x10d17b0, codeBlock=0x7fffffffca50, returnAddress=..., baseValue=..., propertyName=..., slot=...,
stubInfo=0x7ff900000000000e) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:280
#13 0x00007fffb1fa2058 in ?? ()
#14 0x7ff900000000000e in ?? ()
#15 0x00000000010d2b00 in ?? ()
#16 0x00000000006a67ad in JSC::JSStack::installTrapsAfterFrame (this=0x48f88949c1894d24, frame=0xc8948b04d8b4808)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
Backtrace stopped: previous frame inner to this frame (corrupt stack?)