[Webkit-unassigned] [Bug 184549] New: Crash in JSC::CodeBlock::finalizeBaselineJITInlineCaches

bugzilla-daemon at webkit.org
Thu Apr 12 11:25:28 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=184549

            Bug ID: 184549
           Summary: Crash in
                    JSC::CodeBlock::finalizeBaselineJITInlineCaches
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com

Created attachment 337812

  --> https://bugs.webkit.org/attachment.cgi?id=337812&action=review

Backtrace

Truncated backtrace:
Thread no. 1 (3 frames)
 #0 JSC::CallLinkInfo::visitWeak at /usr/src/debug/webkitgtk4-2.20.0-1.fc27.x86_64/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp:220
 #1 JSC::CodeBlock::finalizeBaselineJITInlineCaches at /usr/src/debug/webkitgtk4-2.20.0-1.fc27.x86_64/Source/JavaScriptCore/bytecode/CodeBlock.cpp:1359
 #2 JSC::CodeBlock::finalizeUnconditionally at /usr/src/debug/webkitgtk4-2.20.0-1.fc27.x86_64/Source/JavaScriptCore/bytecode/CodeBlock.cpp:1377

I've never seen a crash like this before, so it's probably a regression introduced between 2.18 (branched in August 2017) and 2.20 (branched in February 2018).

I'm attaching a full backtrace with register state and assembler dump.
