[Webkit-unassigned] [Bug 229235] REGRESSION(r??????): Crash in JSC::FTL::saveAllRegisters

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 23 11:01:21 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=229235

--- Comment #7 from Fabian Bornschein <fabiscafe at mailbox.org> ---
Ahh sorry. It's on Arch Linux for me.

My backtrace:
==================================================

#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007fbfe89ab862 in __GI_abort () at abort.c:79
#2  0x00007fbfe6e0caca in std::__replacement_assert(char const*, int, char const*, char const*) (__file=<optimized out>, __line=<optimized out>, __function=<optimized out>, __condition=<optimized out>) at /usr/include/c++/11.1.0/x86_64-pc-linux-gnu/bits/c++config.h:504
#3  0x00007fbfe776fb2c in std::array<unsigned int, 1ul>::operator[](unsigned long) const (__n=<optimized out>, this=<optimized out>) at /usr/include/c++/11.1.0/array:196
#4  WTF::Bitmap<32ul, unsigned int>::get(unsigned long, WTF::Dependency) const (dependency=..., n=<optimized out>, this=<optimized out>) at /usr/src/debug/build/WTF/Headers/wtf/Bitmap.h:164
#5  JSC::RegisterSet::get(JSC::Reg) const (reg=..., this=<optimized out>) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/jit/RegisterSet.h:99
#6  JSC::FTL::(anonymous namespace)::Regs::Regs (this=<optimized out>) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/ftl/FTLSaveRestore.cpp:83
#7  JSC::FTL::saveAllRegisters(JSC::AssemblyHelpers&, char*) (jit=..., scratchMemory=scratchMemory at entry=0x7fbfe026e688 "pC_,\277\177") at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/ftl/FTLSaveRestore.cpp:111
#8  0x00007fbfe7778f8c in JSC::FTL::genericGenerationThunkGenerator(JSC::VM&, JSC::FunctionPtr<(WTF::PtrTag)1>, char const*, unsigned int, JSC::FTL::FrameAndStackAdjustmentRequirement, JSC::PtrTag)
    (vm=<optimized out>, generationFunction=..., name=<optimized out>, extraPopsToRestore=<optimized out>, frameAndStackAdjustmentRequirement=(unknown: 0xd37fc300), resultTag=<optimized out>) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/ftl/FTLThunks.cpp:81
#9  0x00007fbfe7779a86 in JSC::FTL::osrExitGenerationThunkGenerator(JSC::VM&) (vm=<optimized out>) at /usr/src/debug/build/WTF/Headers/wtf/PtrTag.h:308
#10 0x00007fbfe7952796 in operator() (__closure=<synthetic pointer>) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/jit/JITThunks.cpp:170
#11 JSC::JITThunks::ctiStubImpl<JSC::JITThunks::ctiStub(JSC::VM&, JSC::ThunkGenerator)::<lambda()> >(JSC::ThunkGenerator, struct {...}) (this=0x7fbfe04aaf28, key=<optimized out>, generateThunk=...) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/jit/JITThunks.cpp:159
#12 0x00007fbfe79529d2 in JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&)) (this=<optimized out>, vm=<optimized out>, generator=<optimized out>) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/jit/JITThunks.cpp:169
#13 0x00007fbfe7e828a3 in JSC::VM::getCTIStub(JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&)) (this=<optimized out>, generator=<optimized out>) at /usr/include/c++/11.1.0/bits/unique_ptr.h:173
#14 0x00007fbfe775ee65 in operator() (linkBuffer=<optimized out>, __closure=<optimized out>) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/ftl/FTLOSRExitHandle.cpp:52
#15 WTF::SharedTaskFunctor<void(JSC::LinkBuffer&), JSC::FTL::OSRExitHandle::emitExitThunk(JSC::FTL::State&, JSC::CCallHelpers&)::<lambda(JSC::LinkBuffer&)> >::run(JSC::LinkBuffer &) (this=0x7fbef4017630, arguments#0=...) at /usr/src/debug/build/WTF/Headers/wtf/SharedTask.h:91
#16 0x00007fbfe6eb1a70 in JSC::LinkBuffer::performFinalization() (this=this at entry=0x7fbf5c640960) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/assembler/LinkBuffer.cpp:476
#17 0x00007fbfe6eb1ae9 in JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl() (this=0x7fbf5c640960) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/assembler/LinkBuffer.cpp:71
#18 0x00007fbfe7766a0c in JSC::LinkBuffer::finalizeCodeWithoutDisassembly<(WTF::PtrTag)357>() (this=<optimized out>) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/assembler/LinkBuffer.h:310
#19 JSC::FTL::link(JSC::FTL::State&) (state=...) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/ftl/FTLLink.cpp:165
#20 0x00007fbfe743539d in JSC::DFG::Plan::compileInThreadImpl() (this=0x7fbed0434380) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/dfg/DFGPlan.cpp:476
#21 0x00007fbfe7929019 in JSC::JITPlan::compileInThread(JSC::JITWorklistThread*) (this=0x7fbed0434380, thread=thread at entry=0x7fbf5c676a68) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/jit/JITPlan.cpp:165
#22 0x00007fbfe797f28d in JSC::JITWorklistThread::work() (this=0x7fbf5c676a68) at /usr/src/debug/webkitgtk-2.33.3/Source/JavaScriptCore/jit/JITWorklistThread.cpp:123
#23 0x00007fbfe80e4471 in operator() (__closure=0x7fbf3440b038) at /usr/src/debug/webkitgtk-2.33.3/Source/WTF/wtf/AutomaticThread.cpp:229
#24 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(const WTF::AbstractLocker&)::<lambda()>, void>::call(void) (this=0x7fbf3440b030) at /usr/src/debug/webkitgtk-2.33.3/Source/WTF/wtf/Function.h:53
#25 0x00007fbfe810bd23 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/src/debug/webkitgtk-2.33.3/Source/WTF/wtf/Function.h:79
#26 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (newThreadContext=0x7fbf5c676318) at /usr/src/debug/webkitgtk-2.33.3/Source/WTF/wtf/Threading.cpp:187
#27 0x00007fbfe817e45e in WTF::wtfThreadEntryPoint(void*) (context=<optimized out>) at /usr/src/debug/webkitgtk-2.33.3/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241
#28 0x00007fbfe6755259 in start_thread (arg=0x7fbed37fe640) at pthread_create.c:481
#29 0x00007fbfe8a835e3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95


