[Webkit-unassigned] [Bug 200863] Crash in JSC::SlotVisitor::visitChildren

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 15 09:34:58 PST 2022 

https://bugs.webkit.org/show_bug.cgi?id=200863

--- Comment #20 from Krzysztof Konopko <kris at youview.com> ---
Now I have the following set:

JSC_useZombieMode=1
JSC_verifyGC=1
JSC_verifyHeap=1

It's still Release with debug symbols, "custom AArch64 platform", attached example with the logging patch.

And it seems to always crash in the same way (although it takes different amount of time between 10-120 seconds):

#0  JSC::JSValue::isHeapBigInt (this=0x7fe6de1a90) at Source/JavaScriptCore/runtime/JSCellInlines.h:227
#1  JSC::JSValue::isBigInt (this=0x7fe6de1a90) at Source/JavaScriptCore/runtime/JSCJSValueInlines.h:675
#2  JSC::JSValue::toBigIntOrInt32 (globalObject=0x7fa0e39068, this=0x7fe6de1a90) at Source/JavaScriptCore/runtime/JSCJSValueInlines.h:868
#3  JSC::bitwiseBinaryOp<JSC::jsBitwiseAnd(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)::{lambda(int, int)#1}&, JSC::jsBitwiseAnd(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)::{lambda(JSC::JSGlobalObject*, auto:1, auto:2)#2}&>(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValu
e, JSC::jsBitwiseAnd(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)::{lambda(int, int)#1}&, JSC::jsBitwiseAnd(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)::{lambda(int, int)#1}&, char const*) (errorMessage=<optimized out>, bigIntOp=..., int32Op=..., v2=..., v1=...,
    globalObject=0x7fa0e39068) at Source/JavaScriptCore/runtime/Operations.h:823
#4  JSC::jsBitwiseAnd (v2=..., v1=..., globalObject=0x7fa0e39068) at Source/JavaScriptCore/runtime/Operations.h:863
#5  JSC::slow_path_bitand (callFrame=0x7fe6de1b80, pc=0x7fa0ed0c9e) at Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:769
#6  0x0000007f80c0d1e8 in ?? ()
#7  0x0000007f78eeb800 in ?? ()

(gdb) x/i $pc
=> 0x7fa79804cc <JSC::slow_path_bitand(JSC::CallFrame*, JSC::Instruction const*)+236>:  ldrb    w0, [x28, #5]
(gdb) p/x $x28
$2 = 0xbadbeef0

(gdb) x/4xw 0x7fe6de1a90
0x7fe6de1a90:   0xbadbeef0      0x00000000      0x79000000      0x0000007f

Presumabely this originates from the JIT code and crashes on the _first_ call to `JSC::slow_path_bitand()` which is made sooner or later, depending on the timing.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221115/11128dda/attachment.htm>

More information about the webkit-unassigned mailing list