[Webkit-unassigned] [Bug 195735] New: ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
bugzilla-daemon at webkit.org
Wed Mar 13 22:03:16 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=195735
Bug ID: 195735
Summary: ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Keywords: InRadar
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: msaboff at apple.com
Summary:
With --jitPolicyScale=0, the following asserts on a Debug build:
function foo(a) {
    try {
        eval('bar(/' + a[0].source + '/)');
    } catch(e) {
    }
}
function bar(r) {
    foo([r]);
    foo([r]);
    r.exec('x');
}
bar(/((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((x))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))/);
Steps To Reproduce:
jsc --jitPolicyScale=0 repro.js
It's not 100% reproducible, but it shouldn't take more than three attempts.
Results:
ASSERTION FAILED: regexp->isValid()
/Users/user/dev/CleanWebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(9750) : void JSC::DFG::SpeculativeJIT::compileNewRegexp(JSC::DFG::Node *)
1 0x107f44359 WTFCrash
2 0x107f4731b WTFCrashWithInfo(int, char const*, char const*, int)
3 0x1080df5d9 JSC::DFG::SpeculativeJIT::compileNewRegexp(JSC::DFG::Node*)
4 0x1082c13d2 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
5 0x10809633b JSC::DFG::SpeculativeJIT::compileCurrentBlock()
6 0x108097db5 JSC::DFG::SpeculativeJIT::compile()
or
ASSERTION FAILED: !isCompilationThread()
/Users/user/dev/CleanWebKit/Source/JavaScriptCore/runtime/LazyClassStructure.h(80) : JSC::Structure *JSC::LazyClassStructure::get(const JSC::JSGlobalObject *) const
1 0x10b0a9359 WTFCrash
2 0x10b0ac31b WTFCrashWithInfo(int, char const*, char const*, int)
3 0x10b6734c0 JSC::LazyClassStructure::get(JSC::JSGlobalObject const*) const
4 0x10b666e19 JSC::JSGlobalObject::errorStructure()
5 0x10c56a053 JSC::createError(JSC::ExecState*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
6 0x10c56c27d JSC::createOutOfMemoryError(JSC::ExecState*, WTF::String const&)
7 0x10c986364 JSC::Yarr::errorToThrow(JSC::ExecState*, JSC::Yarr::ErrorCode)
8 0x10bec3261 JSC::RegExp::errorToThrow(JSC::ExecState*)
9 0x10c76dec5 int JSC::RegExp::matchInline<WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul> >(JSC::VM&, WTF::String const&, unsigned int, WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul>&)
10 0x10c76dda3 JSC::RegExp::match(JSC::VM&, WTF::String const&, unsigned int, WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul>&)
11 0x10c76e41a JSC::RegExp::matchConcurrently(JSC::VM&, WTF::String const&, unsigned int, int&, WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul>&)
12 0x10bfc6d41 JSC::DFG::StrengthReductionPhase::handleNode()::'lambda'()::operator()() const