<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - ASSERTION FAILED: arguments.isObject() in JSC::sizeOfVarargs"
href="https://bugs.webkit.org/show_bug.cgi?id=146632">146632</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ASSERTION FAILED: arguments.isObject() in JSC::sizeOfVarargs
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>528+ (Nightly build)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>rhodovan.u-szeged@partner.samsung.com
</td>
</tr>
<tr>
<th>CC</th>
<td>fpizlo@apple.com, ggaren@apple.com
</td>
</tr>
<tr>
<th>Blocks</th>
<td>116980
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=256204" name="attach_256204" title="Test case">attachment 256204</a> <a href="attachment.cgi?id=256204&action=edit" title="Test case">[details]</a></span>
Test case
Load this test with debug jsc:
Array.from.apply(encodeURI,Symbol(17725));
Note: the failure was experienced with an EFL jsc build but it does not seem like a port specific issue.
Backtrace:
ASSERTION FAILED: arguments.isObject()
../../Source/JavaScriptCore/interpreter/Interpreter.cpp(203) : unsigned int JSC::sizeOfVarargs(JSC::CallFrame*, JSC::JSValue, uint32_t)
1 0x7ffff72d46db WTFCrash
2 0x7ffff6f4b6b7 JSC::sizeOfVarargs(JSC::ExecState*, JSC::JSValue, unsigned int)
3 0x7ffff6f4b7a5 JSC::sizeFrameForVarargs(JSC::ExecState*, JSC::JSStack*, JSC::JSValue, unsigned int, unsigned int)
4 0x7ffff7275378
5 0x7ffff727ea46
[New Thread 0x7fffaaffd700 (LWP 13153)]
[New Thread 0x7fffab7fe700 (LWP 13152)]
[New Thread 0x7fffabfff700 (LWP 13151)]
[New Thread 0x7fffb0ffd700 (LWP 13150)]
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1 0x00007ffff6f4b6b7 in JSC::sizeOfVarargs (callFrame=0x7fffffffcac0, arguments=..., firstVarArgOffset=0)
at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:203
#2 0x00007ffff6f4b7a5 in JSC::sizeFrameForVarargs (callFrame=0x7fffffffcac0, stack=0x7ffff17f6018, arguments=..., numUsedStackSlots=9, firstVarArgOffset=0)
at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:221
#3 0x00007ffff7275378 in JSC::LLInt::llint_slow_path_size_frame_for_varargs (exec=0x7fffffffcac0, pc=0x7ffff1017dc8)
at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1202
#4 0x00007ffff727ea46 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#5 0x00007ffff7278cc6 in vmEntryToJavaScript () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#6 0x00007ffff6f75702 in JSC::JITCode::execute (this=0x7ffff17e3e70, vm=0x7ffff1004000, protoCallFrame=0x7fffffffccb0)
at ../../Source/JavaScriptCore/jit/JITCode.cpp:77
#7 0x00007ffff6f4e1e4 in JSC::Interpreter::execute (this=0x7ffff17f6000, program=0x7ffff1046000, callFrame=0x7ffff102b840, thisObj=0x7ffff107acc0)
at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:901
#8 0x00007ffff7103f48 in JSC::evaluate (exec=0x7ffff102b840, source=..., thisValue=..., returnedException=...)
at ../../Source/JavaScriptCore/runtime/Completion.cpp:82
#9 0x0000000000428d38 in runWithScripts (globalObject=0x7ffff102b800, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1315
#10 0x0000000000429c41 in jscmain (argc=2, argv=0x7fffffffd8f8) at ../../Source/JavaScriptCore/jsc.cpp:1533
#11 0x0000000000428b0a in main (argc=2, argv=0x7fffffffd8f8) at ../../Source/JavaScriptCore/jsc.cpp:1273</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>