[Webkit-unassigned] [Bug 202141] New: Crash in JSC::speculationFromCell
bugzilla-daemon at webkit.org
Tue Sep 24 07:12:49 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=202141
Bug ID: 202141
Summary: Crash in JSC::speculationFromCell
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at gnome.org
CC: bugs-noreply at webkitgtk.org
Created attachment 379450
--> https://bugs.webkit.org/attachment.cgi?id=379450&action=review
Backtrace
Random crash. Truncated backtrace:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 JSC::speculationFromCell (cell=0x80000) at ../Source/JavaScriptCore/runtime/JSCellInlines.h:215
215 return m_type == StringType;
[Current thread is 1 (Thread 0x7f3aa293a9c0 (LWP 1575))]
(gdb) bt
#0 0x00007f3aa68bc0d4 in JSC::speculationFromCell(JSC::JSCell*) (cell=0x80000)
at ../Source/JavaScriptCore/runtime/JSCellInlines.h:215
#1 0x00007f3aa6879275 in JSC::ValueProfileBase<1u>::computeUpdatedPrediction(JSC::ConcurrentJSLocker const&)
(this=<optimized out>) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:392
#2 0x00007f3aa6879275 in JSC::CodeBlock::<lambda(JSC::ValueProfile&, bool)>::operator()
(isArgument=<optimized out>, profile=..., __closure=<optimized out>)
at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2710
#3 0x00007f3aa6879275 in JSC::CodeBlock::<lambda(JSC::ValueProfile&, bool)>::operator()
(isArgument=false, profile=..., __closure=<optimized out>)
at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2698
#4 0x00007f3aa6879275 in JSC::CodeBlock::<lambda(auto:21&)>::operator()<JSC::OpCall::Metadata>
(this=<optimized out>, metadata=...) at ../Source/JavaScriptCore/bytecode/CodeBlockInlines.h:44
#5 0x00007f3aa6879275 in JSC::MetadataTable::forEach<JSC::OpCall, JSC::CodeBlock::forEachValueProfile(const Functor&) [with Functor = JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness(unsigned int&, unsigned int&)::<lambda(JSC::ValueProfile&, bool)>]::<lambda(auto:21&)> > (func=..., this=<optimized out>)
at ../Source/JavaScriptCore/bytecode/MetadataTable.h:61
#6 0x00007f3aa6879275 in JSC::CodeBlock::forEachValueProfile<JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness(unsigned int&, unsigned int&)::<lambda(JSC::ValueProfile&, bool)> > (func=..., this=0x7f397dedb900)
at ../Source/JavaScriptCore/bytecode/CodeBlockInlines.h:44
#7 0x00007f3aa6879275 in JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness(unsigned int&, unsigned int&)
(this=this at entry=0x7f397dedb900, numberOfLiveNonArgumentValueProfiles=@0x7ffcd84b4a20: 44, numberOfSamplesInProfiles=@0x7ffcd84b4a24: 49) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2698
#8 0x00007f3aa6879b15 in JSC::CodeBlock::updateAllValueProfilePredictions() (this=this at entry=0x7f397dedb900)
at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2729
#9 0x00007f3aa687a29d in JSC::CodeBlock::updateAllPredictions() (this=this at entry=0x7f397dedb900)
at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2747
#10 0x00007f3aa6887495 in JSC::CodeBlock::finalizeUnconditionally(JSC::VM&) (this=0x7f397dedb900, vm=...)
at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:1380
Full backtrace attached.
Maybe related: bug #131506 or bug #160027