[Webkit-unassigned] [Bug 127043] New: ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()) in JSC::jsCast

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 15 04:34:29 PST 2014 

https://bugs.webkit.org/show_bug.cgi?id=127043

           Summary: ASSERTION FAILED: from.isCell() &&
                    from.asCell()->JSCell::inherits(std::remove_pointer<To
                    >::type::info()) in JSC::jsCast
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
            Blocks: 116980


Created an attachment (id=221259)
 --> (https://bugs.webkit.org/attachment.cgi?id=221259&action=review)
Test case

The failing script:

function function_0 (var_0) {

    for ( ; ; Array(-1, -6).filter(function_0) )
        continue ;

    new Date(1) = {
        set prop_0(){
            switch ( var_0 ) {}
        }
    }

}

function_0();


The backtrace:

ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
/home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCell.h(187) : To JSC::jsCast(JSC::JSValue) [with To = JSC::JSActivation*]
1   0x7ffff74a3e44 WTFCrash
2   0x7ffff723314f JSC::JSActivation* JSC::jsCast<JSC::JSActivation*>(JSC::JSValue)
3   0x7ffff722d9fc
4   0x7ffff7232b32 JSC::UnwindFunctor::operator()(JSC::StackVisitor&)
5   0x7ffff723410c void JSC::StackVisitor::visit<JSC::UnwindFunctor>(JSC::ExecState*, JSC::UnwindFunctor&)
6   0x7ffff72333ab void JSC::ExecState::iterate<JSC::UnwindFunctor>(JSC::UnwindFunctor&)
7   0x7ffff722e406 JSC::Interpreter::unwind(JSC::ExecState*&, JSC::JSValue&)
8   0x7ffff724ecec JSC::genericUnwind(JSC::VM*, JSC::ExecState*, JSC::JSValue)
9   0x7ffff725da9d
10  0x7fffaa55912a

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff723314f in JSC::jsCast<JSC::JSActivation*> (from=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCell.h:187
#2  0x00007ffff722d9fc in JSC::unwindCallFrame (visitor=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:441
#3  0x00007ffff7232b32 in JSC::UnwindFunctor::operator() (this=0x7fffff9f3c90, visitor=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:645
#4  0x00007ffff723410c in JSC::StackVisitor::visit<JSC::UnwindFunctor> (startFrame=0x7fffa9bdf978, functor=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/StackVisitor.h:123
#5  0x00007ffff72333ab in JSC::ExecState::iterate<JSC::UnwindFunctor> (this=0x7fffa9bdf978, functor=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/CallFrame.h:309
#6  0x00007ffff722e406 in JSC::Interpreter::unwind (this=0x659170, callFrame=@0x7fffff9f3d70: 0x7fffa9bdf978, exceptionValue=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:709
#7  0x00007ffff724ecec in JSC::genericUnwind (vm=0x6472c0, callFrame=0x7fffa9bdf978, exceptionValue=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITExceptions.cpp:47
#8  0x00007ffff725da9d in JSC::operationVMHandleException (exec=0x7fffa9bdf978)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:1750
#9  0x00007fffaa55912a in ?? ()
#10 0x00007fffaa55a920 in ?? ()
#11 0x0000000000651628 in ?? ()
#12 0xffff000000000002 in ?? ()
#13 0xffff000000000000 in ?? ()
#14 0x00007fffffffdd70 in ?? ()
#15 0x00007fffa9bdf9f0 in ?? ()
#16 0x00007fffff9f3e80 in ?? ()
#17 0x00007ffff724ca38 in JSC::JITCode::execute (this=0x7fff00000002, vm=0x7fffa983d830, protoCallFrame=0x7fffa98af970, topOfStack=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:48
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list