[Webkit-unassigned] [Bug 166039] New: REGRESSION(202003): ASSERT(m_inTailPosition) in emitCallForwardArgumentsInTailPosition when useTailCalls=false
bugzilla-daemon at webkit.org
Mon Dec 19 14:46:24 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=166039
Bug ID: 166039
Summary: REGRESSION(202003): ASSERT(m_inTailPosition) in emitCallForwardArgumentsInTailPosition when useTailCalls=false
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: msaboff at apple.com
Looks like when the new builtin opcode tailCallForwardArguments was added, there was no provision for when TailCalls were turned off.
I get this crash trace when running a debug Safari build with useTailCalls=false:
ASSERTION FAILED: m_inTailPosition
/Volumes/Data/src/wk/OpenSource/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp(3395) : JSC::RegisterID *JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition(JSC::RegisterID *, JSC::RegisterID *, JSC::RegisterID *, JSC::RegisterID *, int32_t, const JSC::JSTextPosition &, const JSC::JSTextPosition &, const JSC::JSTextPosition &, JSC::DebuggableCall)
1 0x10a1a0b3d WTFCrash
2 0x1093255f5 JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition(JSC::RegisterID*, JSC::RegisterID*, JSC::RegisterID*, JSC::RegisterID*, int, JSC::JSTextPosition const&, JSC::JSTextPosition const&, JSC::JSTextPosition const&, JSC::DebuggableCall)
3 0x109dd97fe JSC::BytecodeIntrinsicNode::emit_intrinsic_tailCallForwardArguments(JSC::BytecodeGenerator&, JSC::RegisterID*)
4 0x109dd91c2 JSC::BytecodeIntrinsicNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
5 0x10933ae3d JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*)
6 0x109deb034 JSC::ReturnNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
7 0x109de815d JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*)
8 0x109de729b JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
9 0x109de7246 JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
10 0x109de815d JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*)
11 0x109de729b JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
12 0x109ded4b7 JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
13 0x109dee59e JSC::FunctionNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
14 0x109307dc1 JSC::BytecodeGenerator::generate()
15 0x10a07b1a5 JSC::ParserError JSC::BytecodeGenerator::generate<JSC::FunctionNode*, JSC::UnlinkedFunctionCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*>(JSC::VM&, JSC::FunctionNode*&&, JSC::UnlinkedFunctionCodeBlock*&&&, JSC::DebuggerMode&&&, JSC::VariableEnvironment const*&&)
16 0x10a07a008 JSC::generateUnlinkedFunctionCodeBlock(JSC::VM&, JSC::UnlinkedFunctionExecutable*, JSC::SourceCode const&, JSC::CodeSpecializationKind, JSC::DebuggerMode, JSC::UnlinkedFunctionKind, JSC::ParserError&, JSC::SourceParseMode)
17 0x10a0798fe JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, JSC::DebuggerMode, JSC::ParserError&, JSC::SourceParseMode)
18 0x109fe7cb9 JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*, JSC::JSObject*&)
19 0x109fe8c59 JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&)
20 0x109b50ef0 JSC::JSObject* JSC::ScriptExecutable::prepareForExecution<JSC::FunctionExecutable>(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&)
21 0x109d7c984 JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*)
22 0x109d7c310 JSC::LLInt::varargsSetup(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::LLInt::SetArgumentsWith)
23 0x109d7c01f llint_slow_path_call_varargs
24 0x109d89fcb llint_entry
25 0x109d89b95 llint_entry
26 0x109d89b95 llint_entry
27 0x109d89f06 llint_entry
28 0x109d89b95 llint_entry
29 0x109d89fdd llint_entry
30 0x109d89b95 llint_entry
31 0x109d89b95 llint_entry
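As an added example that is not part of this bug report or of WebKit's code, the following hypothetical C++ model shows the pattern the trace above describes: a return-statement operand is marked as a tail position only when the useTailCalls option is on, so an intrinsic emitter that unconditionally asserts m_inTailPosition trips its debug assertion when the option is off. The hardened variant adds the missing provision by falling back to a non-tail forwarding call. The names Options, Generator, Op, compileReturnCall and assertionFires, and the way the tail-position flag is derived from the option, are assumptions of this model, not JavaScriptCore's actual internals.

```cpp
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical model (not WebKit code): a tiny bytecode generator with a
// feature option that turns tail calls off, used to show how an intrinsic
// that unconditionally expects tail position trips a debug assertion.

enum class Op { Call, CallForwardArguments, TailCall, TailCallForwardArguments, Ret };

struct Options {
    bool useTailCalls = true;   // models the useTailCalls runtime option
};

class Generator {
public:
    Generator(const Options& options, bool hardened)
        : m_options(options), m_hardened(hardened) {}

    // Models emitNodeInTailPosition as used by ReturnNode in the trace: the
    // operand of a return is a tail position only when tail calls are enabled.
    void emitReturn(bool forwardArguments) {
        m_inTailPosition = m_options.useTailCalls;
        if (forwardArguments)
            emitCallForwardArgumentsInTailPosition();
        else
            emitCallInTailPosition();
        m_inTailPosition = false;
        m_ops.push_back(Op::Ret);
    }

    const std::vector<Op>& ops() const { return m_ops; }

private:
    // A debug assertion modeled as an exception so a test can observe it
    // instead of the process crashing.
    void debugAssert(bool condition, const char* what) {
        if (!condition)
            throw std::logic_error(std::string("ASSERTION FAILED: ") + what);
    }

    // The ordinary call path already handles the option being off.
    void emitCallInTailPosition() {
        m_ops.push_back(m_inTailPosition ? Op::TailCall : Op::Call);
    }

    // Unhardened: asserts tail position unconditionally, so it fires when
    // useTailCalls=false. Hardened: falls back to a non-tail forwarding call.
    void emitCallForwardArgumentsInTailPosition() {
        if (m_hardened && !m_inTailPosition) {
            m_ops.push_back(Op::CallForwardArguments);
            return;
        }
        debugAssert(m_inTailPosition, "m_inTailPosition");
        m_ops.push_back(Op::TailCallForwardArguments);
    }

    Options m_options;
    bool m_hardened;
    bool m_inTailPosition = false;
    std::vector<Op> m_ops;
};

// Compiles a return whose operand is either an ordinary call
// (forwardArguments=false) or the argument-forwarding intrinsic
// (forwardArguments=true). Returns the emitted ops, or throws when the
// modeled assertion fires.
std::vector<Op> compileReturnCall(bool useTailCalls, bool forwardArguments, bool hardened) {
    Options options;
    options.useTailCalls = useTailCalls;
    Generator generator(options, hardened);
    generator.emitReturn(forwardArguments);
    return generator.ops();
}

// True if the modeled assertion fires for this configuration.
bool assertionFires(bool useTailCalls, bool forwardArguments, bool hardened) {
    try {
        compileReturnCall(useTailCalls, forwardArguments, hardened);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}
```

Running assertionFires(false, true, false) reproduces the report's combination (option off, forwarding intrinsic, no provision for the option); the same inputs with hardened=true emit CallForwardArguments followed by Ret instead. The point for a reviewer is that a new code path must be checked against every value of the feature options that gate the behaviour it assumes, and that a debug-only assertion is the safety net that caught it here.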