[Webkit-unassigned] [Bug 216103] New: ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Sep 2 15:42:45 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=216103
Bug ID: 216103
Summary: ASSERTION FAILED: value.isCell() &&
value.asCell()->type() == CustomGetterSetterType
./bytecode/ObjectPropertyConditionSet.cpp
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: msaboff at apple.com
This debug ASSERT happens in the case where we replace a custom getter setter property with a function. The ASSERT can be reworked to an if statement to fix the issue.
Backtrace:
ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType
./bytecode/ObjectPropertyConditionSet.cpp(403) : auto JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM &, JSC::JSCell *, JSC::JSGlobalObject *, JSC::Structure *, JSC::JSObject *, WTF::UniquedStringImpl *, unsigned int)::(anonymous class)::operator()(Vector<JSC::ObjectPropertyCondition> &, JSC::JSObject *) const
1 0x1141ea34c WTFCrash
2 0x114731684 WTFCrashWithInfo(int, char const*, char const*, int)
3 0x114c6b244 JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM&, JSC::JSCell*, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, WTF::UniquedStringImpl*, unsigned int)::$_5::operator()(WTF::Vector<JSC::ObjectPropertyCondition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::JSObject*) const
4 0x114c5ed00 JSC::ObjectPropertyConditionSet JSC::(anonymous namespace)::generateConditions<JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM&, JSC::JSCell*, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, WTF::UniquedStringImpl*, unsigned int)::$_5>(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM&, JSC::JSCell*, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, WTF::UniquedStringImpl*, unsigned int)::$_5 const&)
5 0x114c5ebdc JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM&, JSC::JSCell*, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, WTF::UniquedStringImpl*, unsigned int)
6 0x115623908 JSC::tryCachePutByID(JSC::JSGlobalObject*, JSC::CodeBlock*, JSC::JSValue, JSC::Structure*, JSC::CacheableIdentifier, JSC::PutPropertySlot const&, JSC::StructureStubInfo&, JSC::PutKind)
7 0x115622bf8 JSC::repatchPutByID(JSC::JSGlobalObject*, JSC::CodeBlock*, JSC::JSValue, JSC::Structure*, JSC::CacheableIdentifier, JSC::PutPropertySlot const&, JSC::StructureStubInfo&, JSC::PutKind)
8 0x11558b65c operationPutByIdNonStrictOptimize
9 0xb80140a6c
10 0x114715a48 llint_entry
11 0x114715a48 llint_entry
12 0x114715a48 llint_entry
13 0x114715c84 llint_entry
14 0x114715a48 llint_entry
15 0x114715a48 llint_entry
16 0x114715a48 llint_entry
17 0x114715a48 llint_entry
18 0x114715a48 llint_entry
19 0x114715a48 llint_entry
20 0x1146f0274 vmEntryToJavaScript
21 0x115bcf06c JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
22 0x1154d7438 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
23 0x1158b9ad8 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
24 0x1158b9c14 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
25 0x11d86b414 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
26 0x11d86af70 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
27 0x11d86ad9c WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
28 0x11d86b85c WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)
29 0x11df9b5ac WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
30 0x11def55c0 WebCore::LoadableClassicScript::execute(WebCore::ScriptElement&)
31 0x11df9c32c WebCore::ScriptElement::executeScriptAndDispatchEvent(WebCore::LoadableScript&)
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200902/564b8928/attachment.htm>
More information about the webkit-unassigned
mailing list