[Webkit-unassigned] [Bug 126913] New: ASSERTION FAILED: !m_insertions.size() || m_insertions.last().index() <= insertion.index() in JSC::DFG::InsertionSet::insert
bugzilla-daemon at webkit.org
Mon Jan 13 09:58:54 PST 2014
https://bugs.webkit.org/show_bug.cgi?id=126913
Summary: ASSERTION FAILED: !m_insertions.size() || m_insertions.last().index() <= insertion.index() in JSC::DFG::InsertionSet::insert
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: reni at webkit.org
Blocks: 116980
Created an attachment (id=221058)
--> (https://bugs.webkit.org/attachment.cgi?id=221058&action=review)
Test case
The assertion failure happens with the following test case (on Ubuntu 13.10, x86_64):

    function function_0 (var_1) {
        do {
        } while (var_1 != "M" );
        delete [ var_1 >>> ( new Number(0).NaN = delete [ var_1 << var_1 ] ) ];
    }
    function_0();
GDB backtrace:
ASSERTION FAILED: !m_insertions.size() || m_insertions.last().index() <= insertion.index()
/home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h(50) : JSC::DFG::Node* JSC::DFG::InsertionSet::insert(const Insertion&)
1 0x7ffff74a6000 WTFCrash
2 0x7ffff705df0e JSC::DFG::InsertionSet::insert(WTF::Insertion<JSC::DFG::Node*> const&)
3 0x7ffff705df76 JSC::DFG::InsertionSet::insert(unsigned long, JSC::DFG::Node*)
4 0x7ffff7060ee6 JSC::DFG::Node* JSC::DFG::InsertionSet::insertNode<JSC::DFG::NodeType, JSC::CodeOrigin, JSC::DFG::Edge>(unsigned long, unsigned int, JSC::DFG::NodeType const&, JSC::CodeOrigin const&, JSC::DFG::Edge const&)
5 0x7ffff70d7fb7 JSC::DFG::DCEPhase::fixupBlock(JSC::DFG::BasicBlock*)
6 0x7ffff70d7b26 JSC::DFG::DCEPhase::run()
7 0x7ffff70d8b1f bool JSC::DFG::runAndLog<JSC::DFG::DCEPhase>(JSC::DFG::DCEPhase&)
8 0x7ffff70d86c3 bool JSC::DFG::runPhase<JSC::DFG::DCEPhase>(JSC::DFG::Graph&)
9 0x7ffff70d70bf JSC::DFG::performDCE(JSC::DFG::Graph&)
10 0x7ffff7162c6e JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
11 0x7ffff7162616 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&)
12 0x7ffff70e93a0
13 0x7ffff70e943b JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>, JSC::DFG::Worklist*)
14 0x7ffff725bdd7
15 0x7fffea58dc20
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff74a6005 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff74a6005 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1 0x00007ffff705df0e in JSC::DFG::InsertionSet::insert (this=0x7fffffffb320, insertion=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h:50
#2 0x00007ffff705df76 in JSC::DFG::InsertionSet::insert (this=0x7fffffffb320, index=27, element=0x7fffa9762300)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h:57
#3 0x00007ffff7060ee6 in JSC::DFG::InsertionSet::insertNode<JSC::DFG::NodeType, JSC::CodeOrigin, JSC::DFG::Edge> (this=0x7fffffffb320, index=27, type=0,
_DFG_value1=@0x7fffffffade0: JSC::DFG::Phantom, _DFG_value2=..., _DFG_value3=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h:65
#4 0x00007ffff70d7fb7 in JSC::DFG::DCEPhase::fixupBlock (this=0x7fffffffaf00, block=0x673a50)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:221
#5 0x00007ffff70d7b26 in JSC::DFG::DCEPhase::run (this=0x7fffffffaf00) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:119
#6 0x00007ffff70d8b1f in JSC::DFG::runAndLog<JSC::DFG::DCEPhase> (phase=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:75
#7 0x00007ffff70d86c3 in JSC::DFG::runPhase<JSC::DFG::DCEPhase> (graph=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:85
#8 0x00007ffff70d70bf in JSC::DFG::performDCE (graph=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:279
#9 0x00007ffff7162c6e in JSC::DFG::Plan::compileInThreadImpl (this=0x6759a0, longLivedState=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:242
#10 0x00007ffff7162616 in JSC::DFG::Plan::compileInThread (this=0x6759a0, longLivedState=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:124
#11 0x00007ffff70e93a0 in JSC::DFG::compileImpl (vm=..., codeBlock=0x6766b0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=1, mustHandleValues=...,
callback=..., worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:100
#12 0x00007ffff70e943b in JSC::DFG::compile (vm=..., codeBlock=0x6766b0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=1, mustHandleValues=...,
passedCallback=..., worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:119
#13 0x00007ffff725bdd7 in JSC::operationOptimize (exec=0x7fffa9d4df38, bytecodeIndex=1)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:1152
#14 0x00007fffea58dc20 in ?? ()
#15 0x00007fffaa58e8e0 in ?? ()
#16 0x0000000000652868 in ?? ()
#17 0x0000000000000000 in ?? ()
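As an added illustration (not code from this bug or from JSC), a simplified C++ model of the invariant the assertion in DFGInsertionSet.h checks: insert() requires non-decreasing indices because execute() merges the pending insertions into the block in a single backward pass, which only places elements correctly when they are sorted. This InsertionSet returns false where JSC's ASSERT would crash; the Insertion struct, applyInsertions() and the string stand-ins for nodes are assumptions of this example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Simplified model of the invariant behind the failing assertion (added
// example, not JSC's InsertionSet): insertions must arrive with
// non-decreasing indices so execute() can merge them in one backward pass.
struct Insertion {
    size_t index;         // position in the original block to insert before
    std::string element;  // stands in for a DFG Node*
};

class InsertionSet {
public:
    // Reject an out-of-order insertion instead of crashing as the ASSERT does.
    bool insert(size_t index, const std::string& element) {
        if (!m_insertions.empty() && m_insertions.back().index > index)
            return false;
        m_insertions.push_back({index, element});
        return true;
    }
    // Shift originals right and drop each pending insertion into its final
    // slot, walking from the last insertion to the first.
    void execute(std::vector<std::string>& block) {
        block.resize(block.size() + m_insertions.size());
        size_t lastIndex = block.size();
        for (size_t n = m_insertions.size(); n-- > 0;) {
            const Insertion& ins = m_insertions[n];
            size_t firstIndex = ins.index + n;  // final slot of this insertion
            for (size_t i = lastIndex; --i > firstIndex;)
                block[i] = block[i - (n + 1)];  // originals shift by n + 1
            block[firstIndex] = ins.element;
            lastIndex = firstIndex;
        }
        m_insertions.clear();
    }
private:
    std::vector<Insertion> m_insertions;
};

// Applies insertions to a copy of block; returns an empty vector if any
// insertion breaks the ordering invariant (hypothetical helper).
std::vector<std::string> applyInsertions(std::vector<std::string> block, const std::vector<Insertion>& insertions) {
    InsertionSet set;
    for (const Insertion& ins : insertions)
        if (!set.insert(ins.index, ins.element))
            return {};
    set.execute(block);
    return block;
}
```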