[Webkit-unassigned] [Bug 156487] New: Crash in JSC::Register::codeBlock on http://detexify.kirelabs.org/symbols.html
bugzilla-daemon at webkit.org
Mon Apr 11 19:32:30 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=156487
Bug ID: 156487
Summary: Crash in JSC::Register::codeBlock on http://detexify.kirelabs.org/symbols.html
Classification: Unclassified
Product: WebKit
Version: Other
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at igalia.com
WebKitGTK+ 2.12.0 crashes 100% of the time (reproducibly) when visiting http://detexify.kirelabs.org/symbols.html. Backtrace from the crashed process follows:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 JSC::Register::codeBlock (this=0xffff000000000012)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/Register.h:157
157 return u.codeBlock;
#0 0x00007f0819825904 in JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0xffff000000000012)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/Register.h:157
index = <optimized out>
codeOrigin =
{static invalidBytecodeIndex = 4294967295, bytecodeIndex = 2869128288, inlineCallFrame = 0x7ffeab0376f0}
#1 0x00007f0819825904 in JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0xffff000000000002)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/CallFrame.h:70
index = <optimized out>
codeOrigin =
{static invalidBytecodeIndex = 4294967295, bytecodeIndex = 2869128288, inlineCallFrame = 0x7ffeab0376f0}
#2 0x00007f0819825904 in JSC::StackVisitor::readFrame(JSC::ExecState*) (this=0x7ffeab036c60, callFrame=0xffff000000000002)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/StackVisitor.cpp:100
index = <optimized out>
codeOrigin =
{static invalidBytecodeIndex = 4294967295, bytecodeIndex = 2869128288, inlineCallFrame = 0x7ffeab0376f0}
#3 0x00007f08195028f6 in JSC::CodeBlock::noticeIncomingCall(JSC::ExecState*) (this=this at entry=0x7f07694c7840, callerFrame=callerFrame at entry=0x7ffeab0376f0)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/interpreter/StackVisitor.h:128
functor =
{m_startCallFrame = <optimized out>, m_codeBlock = <optimized out>, m_depthToCheck = 1, m_foundStartCallFrame = true, m_didRecurse = false}
#4 0x00007f0819502a61 in JSC::CodeBlock::linkIncomingPolymorphicCall(JSC::ExecState*, JSC::PolymorphicCallNode*) (this=this at entry=0x7f07694c7840, callerFrame=callerFrame at entry=0x7ffeab0376f0, incoming=0x7f0760db5500)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/bytecode/CodeBlock.cpp:3169
#5 0x00007f081988e904 in JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine(JSC::MacroAssemblerCodeRef const&, JSC::VM&, JSC::JSCell const*, JSC::ExecState*, JSC::CallLinkInfo&, WTF::Vector<JSC::PolymorphicCallCase, 0ul, WTF::CrashOnOverflow, 16ul> const&, std::unique_ptr<unsigned int [], std::default_delete<unsigned int []> >) (this=0x7f076116d3c0, codeRef=..., vm=..., owner=0x7f0769495a80, callerFrame=0x7ffeab0376f0, info=..., cases=..., fastCounts=std::unique_ptr<unsigned int> containing 0x7ffeab036f00)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:82
callCase =
{m_variant = {m_callee = <optimized out>}, m_codeBlock = 0x7f07694c7840}
__for_range =
@0x7ffeab036f10: {<WTF::VectorBuffer<JSC::PolymorphicCallCase, 0ul>> = {<WTF::VectorBufferBase<JSC::PolymorphicCallCase>> = {m_buffer = 0x7f079c9fa200, m_capacity = 16, m_size = 2}, <No data fields>}, <No data fields>}
__for_begin = 0x7f079c9fa210
#6 0x00007f081989674c in JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant) (exec=exec at entry=0x7ffeab037610, callLinkInfo=..., newVariant=...)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/jit/Repatch.cpp:883
list =
{<WTF::VectorBuffer<JSC::CallVariant, 1ul>> = {<WTF::VectorBufferBase<JSC::CallVariant>> = {m_buffer = 0x7f076b3c3200, m_capacity = 16, m_size = 2}, m_inlineBuffer = {{__data = "\240\341jk\a\177\000", __align = {<No data fields>}}}}, <No data fields>}
isClosureCall = <optimized out>
callCases =
{<WTF::VectorBuffer<JSC::PolymorphicCallCase, 0ul>> = {<WTF::VectorBufferBase<JSC::PolymorphicCallCase>> = {m_buffer = 0x7f079c9fa200, m_capacity = 16, m_size = 2}, <No data fields>}, <No data fields>}
maxPolymorphicCallVariantListSize = <optimized out>
stubJit =
{<JSC::AssemblyHelpers> = {<JSC::MacroAssembler> = {<JSC::MacroAssemblerX86_64> = {<JSC::MacroAssemblerX86Common> = {<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>> = {m_assembler = {m_formatter = {static maxInstructionSize = 16, static noBase = JSC::X86Registers::ebp, static hasSib = JSC::X86Registers::esp, static noIndex = JSC::X86Registers::esp, static noBase2 = JSC::X86Registers::r13, static hasSib2 = JSC::X86Registers::r12, m_buffer = {static initialCapacity = 128, m_storage = {m_buffer = 0x7f076b3c3280 "H\276`.=\v\030V", m_capacity = 128}, m_index = 106}}, m_indexOfLastWatchpoint = -2147483648, m_indexOfTailOfLastWatchpoint = -2147483648}, m_randomSource = {m_seed = 2351248783, m_low = 2644614111, m_high = 6674715607368803631}, m_tempRegistersValidBits = 0, m_allowScratchRegister = true, m_linkTasks = {<WTF::VectorBuffer<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> >, 0ul>> = {<WTF::VectorBufferBase<WTF::RefPtr<WTF::SharedTa
slowPath =
{m_jumps = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 2ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7ffeab037030, m_capacity = 2, m_size = 0}, m_inlineBuffer = {{__data = "\350\215\024i", __align = {<No data fields>}}, {__data = "\a\177\000", __align = {<No data fields>}}}}, <No data fields>}}
frameShuffler = std::unique_ptr<JSC::CallFrameShuffler> containing 0x0
comparisonValueGPR = <optimized out>
caseValues =
{<WTF::VectorBuffer<long, 0ul>> = {<WTF::VectorBufferBase<long>> = {m_buffer = 0x7f076bdf98b0, m_capacity = 2, m_size = 2}, <No data fields>}, <No data fields>}
calls = <optimized out>
fastCounts = std::unique_ptr<unsigned int> containing 0x0
fastCountsBaseGPR = <optimized out>
binarySwitch =
{m_value = JSC::X86Registers::eax, m_cases = {<WTF::VectorBuffer<JSC::BinarySwitch::Case, 0ul>> = {<WTF::VectorBufferBase<JSC::BinarySwitch::Case>> = {m_buffer = 0x7f079c9fae00, m_capacity = 16, m_size = 2}, <No data fields>}, <No data fields>}, m_weakRandom = {m_seed = 1646, m_low = 1646, m_high = 13807754112}, m_branches = {<WTF::VectorBuffer<JSC::BinarySwitch::BranchCode, 0ul>> = {<WTF::VectorBufferBase<JSC::BinarySwitch::BranchCode>> = {m_buffer = 0x7f076b3c3c00, m_capacity = 16, m_size = 5}, <No data fields>}, <No data fields>}, m_index = 5, m_caseIndex = 0, m_jumpStack = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 0ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7f076a163dc0, m_capacity = 16, m_size = 0}, <No data fields>}, <No data fields>}, m_fallThrough = {m_jumps = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86As
done =
{m_jumps = {<WTF::VectorBuffer<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump, 2ul>> = {<WTF::VectorBufferBase<JSC::AbstractMacroAssembler<JSC::X86Assembler, JSC::MacroAssemblerX86Common>::Jump>> = {m_buffer = 0x7ffeab037050, m_capacity = 2, m_size = 2}, m_inlineBuffer = {{__data = "/\000\000", __align = {<No data fields>}}, {__data = "O\000\000", __align = {<No data fields>}}}}, <No data fields>}}
slow = <optimized out>
patchBuffer =
{m_executableMemory = {m_ptr = 0x7f076a935900}, m_size = 106, m_didAllocate = true, m_code = 0x7f07afeac000, m_vm = 0x7f0807604b80, m_alreadyDisassembled = false, m_linkTasks = {<WTF::VectorBuffer<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> >, 0ul>> = {<WTF::VectorBufferBase<WTF::RefPtr<WTF::SharedTask<void(JSC::LinkBuffer&)> > >> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}}
stubRoutine = <optimized out>
#7 0x00007f08198786ed in JSC::operationLinkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo*) (execCallee=0x7ffeab037610, callLinkInfo=0x7f078f3b7600)
at /usr/src/debug/webkitgtk-2.12.0/Source/JavaScriptCore/jit/JITOperations.cpp:887
calleeAsFunctionCell = 0x7f076bc99c00
result = <optimized out>
#8 0x00007f07afd8a544 in ()
#9 0x00007ffeab0376f0 in ()
#10 0x00007f07afe1b59f in ()
#11 0x00007ffeab0376f0 in ()
#12 0x00007f076bc99c00 in ()
#13 0x00007f0700000004 in ()
#14 0x000000000000000a in ()
#15 0x00007f076b21d440 in ()
#16 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert:
#17 0x00007f0769a9d2b0 in ()
#18 0x00007f0769e5ae90 in ()
#19 0x0000000000000007 in ()
#20 0x00007f076bc99c00 in ()
#21 0x000000000000000a in ()
#22 0x00007f076022ab80 in ()
#23 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert:
#24 0x000000000000000a in ()
#25 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert:
#26 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert:
#27 0x000000000000000a in ()
#28 0x00007f0769a9d290 in ()
#29 0x00007f0769a9d2b0 in ()
#30 0x00007f076022ab80 in ()
#31 0x00007f0769e5ae90 in ()
#32 0x00007f080766b100 in ()
#33 0x00007f080766b100 in ()
#34 0x00007f076b40f408 in ()
#35 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert:
#36 0xffffffffffffffff in ()Python Exception <class 'OverflowError'> int too big to convert:
#37 0x00007ffeab037780 in ()
#38 0x00007f08198ba177 in llint_entry ()
at /lib64/libjavascriptcoregtk-4.0.so.18