[Webkit-unassigned] [Bug 227286] New: Assertion failure in gecko-dev/js/src/vm/SelfHosting.cpp

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 23 05:11:03 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=227286

            Bug ID: 227286
           Summary: Assertion failure in
                    gecko-dev/js/src/vm/SelfHosting.cpp
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: anbu1024.me at gmail.com

version
```
commit 20df2033c26bc4f5e4c78572259f3e46335d307d (HEAD -> main, origin/main, origin/HEAD)
Author: Darin Adler <darin at apple.com>
Date:   Wed Jun 23 01:33:57 2021 +0000
```

build
```
Tools/Scripts/build-jsc --jsc-only --debug
```

testcase
```
function foo() {
    let x = new Array(117440512);
    x['SyntaxError'] = 1.1;
    var y = foo();
}
foo();
```

error message
```
ASSERTION FAILED: result
../../Source/JavaScriptCore/heap/CompleteSubspace.cpp(116) : void* JSC::CompleteSubspace::allocateSlow(JSC::VM&, size_t, JSC::GCDeferralContext*, JSC::AllocationFailureMode)
Aborted (core dumped)
```


backtrace
```
#0  __GI_raise (sig=sig at entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff42d1859 in __GI_abort () at abort.c:79
#2  0x00007ffff4a7ef20 in CRASH_WITH_INFO(...) () at WTF/Headers/wtf/Assertions.h:744
#3  0x00007ffff5959714 in JSC::CompleteSubspace::allocateSlow (this=0x7fffb1701750, vm=..., size=0x38000028, deferralContext=0x0, failureMode=JSC::AllocationFailureMode::Assert) at ../../Source/JavaScriptCore/heap/CompleteSubspace.cpp:116
#4  0x00007ffff4afae28 in JSC::CompleteSubspace::allocateNonVirtual (this=0x7fffb1701750, vm=..., size=0x38000028, deferralContext=0x0, failureMode=JSC::AllocationFailureMode::Assert) at ../../Source/JavaScriptCore/heap/CompleteSubspaceInlines.h:40
#5  0x00007ffff545d51c in JSC::Butterfly::createUninitialized (vm=..., preCapacity=0x0, propertyCapacity=0x4, hasIndexingHeader=0x1, indexingPayloadSizeInBytes=0x38000000) at ../../Source/JavaScriptCore/runtime/ButterflyInlines.h:92
#6  0x00007ffff60b2456 in JSC::Butterfly::createOrGrowPropertyStorage (oldButterfly=0x7fe36960f070, vm=..., intendedOwner=0x7fffb0fbfeb0, structure=0x7fffb0ff9c00, oldPropertyCapacity=0x0, newPropertyCapacity=0x4) at ../../Source/JavaScriptCore/runtime/ButterflyInlines.h:141
#7  0x00007ffff60a8396 in JSC::JSObject::allocateMoreOutOfLineStorage (this=0x7fffb0fbfeb0, vm=..., oldSize=0x0, newSize=0x4) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:3586
#8  0x00007ffff546b705 in JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0> (this=0x7fffb0fbfeb0, vm=..., propertyName=..., value=..., attributes=0x0, slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:367
#9  0x00007ffff545f8f8 in JSC::JSObject::putInlineFast (this=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:286
#10 0x00007ffff609ac3f in JSC::JSObject::definePropertyOnReceiver (globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:911
#11 0x00007ffff609a63a in JSC::JSObject::putInlineSlow (this=0x7ffff19b57e8, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:863
#12 0x00007ffff545f76c in JSC::JSObject::putInlineForJSObject (cell=0x7ffff19b57e8, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:272
#13 0x00007ffff6099cdf in JSC::JSObject::put (cell=0x7ffff19b57e8, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:760
#14 0x00007ffff5fb3977 in JSC::JSArray::put (cell=0x7ffff19b57e8, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSArray.cpp:264
#15 0x00007ffff6099ed1 in JSC::JSObject::putInlineSlow (this=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:779
#16 0x00007ffff545f76c in JSC::JSObject::putInlineForJSObject (cell=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:272
#17 0x00007ffff6099cdf in JSC::JSObject::put (cell=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:760
#18 0x00007ffff5fb3977 in JSC::JSArray::put (cell=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSArray.cpp:264
#19 0x00007ffff5458a03 in JSC::JSCell::putInline (this=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:448
#20 0x00007ffff545a4d7 in JSC::JSValue::putInline (this=0x7fffffffc608, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1072
#21 0x00007ffff5c9cf4d in JSC::LLInt::llint_slow_path_put_by_id (callFrame=0x7fffffffc7e0, pc=0x7ffff19f7530) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:918
#22 0x00007ffff4a3f6e2 in llint_op_put_by_id () at /media/Store/Project/js-engines/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:97
#23 0x0000000000000000 in ?? ()
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210623/087dab9b/attachment.htm>

More information about the webkit-unassigned mailing list