[Webkit-unassigned] [Bug 138211] [GTK] [Stable] Crash in EventPath::updateTouchLists()

bugzilla-daemon at webkit.org
Thu Oct 30 03:16:38 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=138211

--- Comment #2 from Alberto Garcia <berto at igalia.com> ---
Ok, the aforementioned fix is enough to solve this problem in release builds.

In debug builds it asserts here, though:

ASSERTION FAILED: m_isCheckingArgumentTypes || m_canExit

#0  0x00007f8c0ebb0b5f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
#1  0x00007f8c0e87e7d5 in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x1ea2b00, kind=JSC::Uncountable, jsValueSource=..., node=0x0, jumpToFail=...)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:113
#2  0x00007f8c0e88b55e in JSC::DFG::SpeculativeJIT::compileMakeRope (this=0x1ea2b00, node=0x7f8ba109f000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2753
#3  0x00007f8c0e853666 in JSC::DFG::SpeculativeJIT::compile (this=0x1ea2b00, node=0x7f8ba109f000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2427
#4  0x00007f8c0e884977 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x1ea2b00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1431
#5  0x00007f8c0e884fbc in JSC::DFG::SpeculativeJIT::compile (this=0x1ea2b00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1543
#6  0x00007f8c0e7f0e16 in JSC::DFG::JITCompiler::compileBody (this=0x7fff555ecae0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:111
#7  0x00007f8c0e7f263d in JSC::DFG::JITCompiler::compileFunction (this=0x7fff555ecae0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:336
#8  0x00007f8c0e84388e in JSC::DFG::Plan::compileInThreadImpl (this=0x1df46c0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:251
#9  0x00007f8c0e84319d in JSC::DFG::Plan::compileInThread (this=0x1df46c0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:125
#10 0x00007f8c0e7c773e in JSC::DFG::compileImpl (vm=..., codeBlock=0x1df42f0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., callback=..., 
    worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108
#11 0x00007f8c0e7c77e1 in JSC::DFG::compile (vm=..., codeBlock=0x1df42f0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=..., 
    worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:127
#12 0x00007f8c0e973184 in JSC::operationOptimize (exec=0x7f8bac6b4638, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1148
#13 0x00007f8bb6da5089 in ?? ()
#14 0x00007f8bb6d21920 in ?? ()
#15 0x00000000012ce070 in ?? ()
#16 0xffff000000000002 in ?? ()
#17 0xffff000000000000 in ?? ()
#18 0x00007f8bac16fca0 in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x00007fff555edc90 in ?? ()
#21 0x00007f8c0e95e9e0 in JSC::JITCode::execute (this=0xffff000000000001, vm=0x7f8bac0dedf0, protoCallFrame=0x7f8ba00bfe30, topOfStack=0x0)
    at ../../Source/JavaScriptCore/jit/JITCode.cpp:48
