[Webkit-unassigned] [Bug 133356] New: Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234 (StructureInlines.h:242)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 28 13:48:10 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=133356

           Summary: Assertion failure at
                    JSC::Structure::checkOffsetConsistency() const + 234
                    (StructureInlines.h:242)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mark.lam at apple.com
                CC: fpizlo at apple.com, mhahnenberg at apple.com,
                    mark.lam at apple.com


This causes js/primitive-property-access-edge-cases.html to be flaky and crash sometimes.

See:
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r169424%20(14130)/results.html
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r169424%20(14130)/js/primitive-property-access-edge-cases-crash-log.txt

The crash backtrace:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore          0x0000000108dc623a WTFCrash + 42 (Assertions.cpp:333)
1   com.apple.JavaScriptCore          0x0000000108604eca JSC::Structure::checkOffsetConsistency() const + 234 (StructureInlines.h:242)
2   com.apple.JavaScriptCore          0x0000000108d46853 JSC::Structure::materializePropertyMap(JSC::VM&) + 867 (Structure.cpp:317)
3   com.apple.JavaScriptCore          0x00000001086c60c4 JSC::Structure::materializePropertyMapIfNecessary(JSC::VM&, JSC::DeferGC&) + 292 (Structure.h:432)
4   com.apple.JavaScriptCore          0x0000000108d49649 JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&, JSC::JSCell*&) + 217 (Structure.cpp:908)
5   com.apple.JavaScriptCore          0x0000000108606dfd JSC::JSObject::inlineGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&) + 93 (JSObject.h:1211)
6   com.apple.JavaScriptCore          0x000000010860051e JSC::JSObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 94 (JSObject.h:1231)
7   com.apple.JavaScriptCore          0x0000000108d383b0 JSC::StringObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 128 (StringObject.cpp:52)
8   com.apple.JavaScriptCore          0x0000000108607c04 JSC::JSObject::fastGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&) + 164 (JSObject.h:1238)
9   com.apple.JavaScriptCore          0x00000001086079ae JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 110 (JSObject.h:1249)
10  com.apple.JavaScriptCore          0x000000010862c9ed JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 253 (JSCJSValueInlines.h:681)
11  com.apple.JavaScriptCore          0x0000000108a7411d operationGetByIdOptimize + 269 (JITOperations.cpp:157)
12  ???                               0x00005d090b02f085 0 + 102293420830853
13  ???                               0x00005d090b02e7f7 0 + 102293420828663
14  ???                               0x00005d090b00fc4d 0 + 102293420702797
15  ???                               0x00005d090b001fda 0 + 102293420646362
16  com.apple.JavaScriptCore          0x0000000108bd1ba7 llint_entry + 26033
17  com.apple.JavaScriptCore          0x0000000108bd1ba7 llint_entry + 26033
18  com.apple.JavaScriptCore          0x0000000108bd1ba7 llint_entry + 26033
19  com.apple.JavaScriptCore          0x0000000108bcb384 callToJavaScript + 356
20  com.apple.JavaScriptCore          0x0000000108a6721d JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 45 (JITCode.cpp:47)
21  com.apple.JavaScriptCore          0x0000000108a4b4bd JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4733 (Interpreter.cpp:935)
22  com.apple.JavaScriptCore          0x00000001086f01b0 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 480 (Completion.cpp:82)
23  com.apple.WebCore                 0x000000010d6d4975 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 69 (JSMainThreadExecState.h:62)
24  com.apple.WebCore                 0x000000010e041e4d WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 317 (ScriptController.cpp:149)
...
