[Webkit-unassigned] [Bug 227785] New: Crash in stress/class-subclassing-function.js.ftl-eager-no-cjit

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 7 18:32:00 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=227785

            Bug ID: 227785
           Summary: Crash in
                    stress/class-subclassing-function.js.ftl-eager-no-cjit
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sbarati at apple.com

Only observed once. 

stress/class-subclassing-function.js.ftl-eager-no-cjit: test_script_17253: line 2: 37659 Segmentation fault: 11  ( "$@" ../../.vm/JavaScriptCore.framework/Helpers/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --validateGraph\=true --validateBCE\=true --airForceIRCAllocator\=true --useFTLJIT\=true --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --scribbleFreeCells\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --thresholdForOMGOptimizeAfterWarmUp\=20 --thresholdForOMGOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --repatchBufferingCountdown\=0 --collectContinuously\=true --useGenerationalGC\=false --verifyGC\=true --forceOSRExitToLLInt\=true --useExecutableAllocationFuzz\=true --fireExecutableAllocationFuzzRandomly\=true class-subclassing-function.js )


Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000005


Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   ???                                 0x0000000104415b68 0 + 4366359400
1   ???                                 0x0000000104410008 0 + 4366336008
2   ???                                 0x0000000104410008 0 + 4366336008
3   ???                                 0x00000001044107e8 0 + 4366338024
4   com.apple.JavaScriptCore            0x00000001031311a8 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 76 (JITCodeInlines.h:42) [inlined]
5   com.apple.JavaScriptCore            0x00000001031311a8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) + 12052 (Interpreter.cpp:836)
6   com.apple.JavaScriptCore            0x00000001033ff83c JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 276 (Completion.cpp:137)
7   jsc                                 0x00000001006ebd20 runWithOptions(GlobalObject*, CommandLine&, bool&) + 1540 (jsc.cpp:3068) [inlined]
8   jsc                                 0x00000001006ebd20 jscmain(int, char**)::$_8::operator()(JSC::VM&, GlobalObject*, bool&) const + 1664 (jsc.cpp:3640) [inlined]
9   jsc                                 0x00000001006ebd20 int runJSC<jscmain(int, char**)::$_8>(CommandLine const&, bool, jscmain(int, char**)::$_8 const&) + 2292 (jsc.cpp:3462) [inlined]
10  jsc                                 0x00000001006ebd20 jscmain(int, char**) + 3152 (jsc.cpp:3633)
11  jsc                                 0x00000001006eb074 main + 44 (jsc.cpp:2856)
12  dyld                                0x00000001009090fc start + 520

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210708/dbabe575/attachment.htm>

More information about the webkit-unassigned mailing list