No subject
Tue Jan 27 15:54:36 PST 2015
(lldb) fr sel 2
frame #2: 0x00000001006e430e JavaScriptCore`JSC::GenericArguments<JSC::DirectArguments>::getOwnPropertySlot(object=0x0000000104250500, exec=0x00007fff5fbfde80, ident=PropertyName at 0x00007fff5fbfdb90, slot=0x00007fff5fbfdd78) + 334 at GenericArgumentsInlines.h:46
43 return true;
44 }
45 if (ident == vm.propertyNames->callee) {
-> 46 slot.setValue(thisObject, DontEnum, thisObject->callee().get());
47 return true;
48 }
49 if (ident == vm.propertyNames->iteratorSymbol) {
(lldb) p thisObject
(JSC::DirectArguments *) $0 = 0x0000000104250500
(lldb) p thisObject->callee()
(JSC::WriteBarrier<JSC::JSFunction>) $1 = {
JSC::WriteBarrierBase<JSC::JSFunction> = {
m_cell = 0x0000000000000000
}
}
Date: Mon, 27 Apr 2015 16:41:45 -0700
<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - FTL failed to initialize arguments.callee"
href="https://bugs.webkit.org/show_bug.cgi?id=144293">144293</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>FTL failed to initialize arguments.callee
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>528+ (Nightly build)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>mark.lam@apple.com
</td>
</tr></table>
<p>
<div>
<pre>Here's the test case:
=== BEGIN ===
// Reproducer for the crash reported here: while `e` is truthy, decrement the
// first argument and re-enter this same function through `arguments.callee`,
// forwarding the current `this` and `arguments` (in sloppy mode `arguments[0]`
// aliases `e`, so the recursion bottoms out after one step). The lldb session
// above shows `thisObject->callee()` holding a null m_cell when the `callee`
// property is looked up, which is what trips the assertion in
// PropertySlot::setValue.
function foo(e) {
    if (e) {
        arguments[0]--;
        return arguments.callee.apply(this, arguments);
    }
}
// Call foo repeatedly so the JITs get a chance to compile it; the bug summary
// names the FTL tier, so the high iteration count is presumably what gets foo
// there — confirm against the tier-up thresholds. `print` is the jsc shell
// builtin (see the run command below). Note the failure shown is a native
// assertion (WTFCrash), not a JS exception, so this catch does not fire.
try {
    for (var i = 0; i < 10000; i++)
        foo(1);
} catch (e) {
    print("ERROR: " + e);
}
=== END ===
Run it in a debug build of jsc like so:
$ JSC_enableConcurrentJIT=0 DYLD_FRAMEWORK_PATH=WebKitBuild/Debug/ WebKitBuild/Debug/jsc test.js
And you'll get this crash trace:
(lldb) bt
* thread #1: tid = 0x61fc1a, 0x0000000100a80cda JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
frame #0: 0x0000000100a80cda JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321
* frame #1: 0x000000010069dd3b JavaScriptCore`JSC::PropertySlot::setValue(this=0x00007fff5fbfdd78, slotBase=0x0000000104250500, attributes=4, value=JSValue at 0x00007fff5fbfdaa8) + 91 at PropertySlot.h:127
frame #2: 0x00000001006e430e JavaScriptCore`JSC::GenericArguments<JSC::DirectArguments>::getOwnPropertySlot(object=0x0000000104250500, exec=0x00007fff5fbfde80, ident=PropertyName at 0x00007fff5fbfdb90, slot=0x00007fff5fbfdd78) + 334 at GenericArgumentsInlines.h:46
frame #3: 0x000000010009ee67 JavaScriptCore`JSC::JSObject::fastGetOwnPropertySlot(this=0x0000000104250500, exec=0x00007fff5fbfde80, vm=0x0000000104010000, structure=0x0000000104034db0, propertyName=PropertyName at 0x00007fff5fbfdbf0, slot=0x00007fff5fbfdd78) + 167 at JSObject.h:1257
frame #4: 0x000000010009ebdc JavaScriptCore`JSC::JSObject::getPropertySlot(this=0x0000000104250500, exec=0x00007fff5fbfde80, propertyName=PropertyName at 0x00007fff5fbfdca0, slot=0x00007fff5fbfdd78) + 156 at JSObject.h:1269
frame #5: 0x00000001000a21a8 JavaScriptCore`JSC::JSValue::getPropertySlot(this=0x00007fff5fbfddb0, exec=0x00007fff5fbfde80, propertyName=PropertyName at 0x00007fff5fbfdd00, slot=0x00007fff5fbfdd78) const + 232 at JSCJSValueInlines.h:719
frame #6: 0x000000010067adb2 JavaScriptCore`operationGetByIdOptimize(exec=0x00007fff5fbfde80, stubInfo=0x0000000105fed4b0, base=4364502272, uid=0x0000000105ff3a40) + 162 at JITOperations.cpp:188
frame #7: 0x00003242ffa035c0
frame #8: 0x00003242ffa02529