<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - ASSERTION FAILED: returnAddress &gt;= instructions().begin() &amp;&amp; returnAddress &lt; instructions().end() in JSC::CodeBlock::bytecodeOffset"
   href="https://bugs.webkit.org/show_bug.cgi?id=146636#c1">Comment # 1</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - ASSERTION FAILED: returnAddress &gt;= instructions().begin() &amp;&amp; returnAddress &lt; instructions().end() in JSC::CodeBlock::bytecodeOffset"
   href="https://bugs.webkit.org/show_bug.cgi?id=146636">bug 146636</a>
              from <span class="vcard"><a class="email" href="mailto:rhodovan.u-szeged&#64;partner.samsung.com" title="Renata Hodovan &lt;rhodovan.u-szeged&#64;partner.samsung.com&gt;"> <span class="fn">Renata Hodovan</span></a>
</span></b>
<pre>Forgot to say: jsc needs to be run with the --thresholdForJITAfterWarmUp=10 runtime flag to reproduce the assertion failure.

If you leave the flag then another crash happens in llint_entry with the backtrace below:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7279a51 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
(gdb) bt
#0  0x00007ffff7279a51 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#1  0x00007ffff727e87e in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#2  0x00007ffff7278cc6 in vmEntryToJavaScript () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#3  0x00007ffff6f75702 in JSC::JITCode::execute (this=0x7ffff17e3ed0, vm=0x7ffff1004000, protoCallFrame=0x7fffffffccc0)
    at ../../Source/JavaScriptCore/jit/JITCode.cpp:77
#4  0x00007ffff6f4e1e4 in JSC::Interpreter::execute (this=0x7ffff17f6000, program=0x7ffff1046000, callFrame=0x7ffff102b840, thisObj=0x7ffff107acc0)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:901
#5  0x00007ffff7103f48 in JSC::evaluate (exec=0x7ffff102b840, source=..., thisValue=..., returnedException=...)
    at ../../Source/JavaScriptCore/runtime/Completion.cpp:82
#6  0x0000000000428d38 in runWithScripts (globalObject=0x7ffff102b800, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1315
#7  0x0000000000429c41 in jscmain (argc=2, argv=0x7fffffffd908) at ../../Source/JavaScriptCore/jsc.cpp:1533
#8  0x0000000000428b0a in main (argc=2, argv=0x7fffffffd908) at ../../Source/JavaScriptCore/jsc.cpp:1273

Further note: to reproduce the latter, the test case can be minimized as follows:

function test() {
    // releaseExecutableMemory() is a built-in of the jsc shell (not part of
    // the language), so this only runs under jsc. It frees JIT-compiled code
    // while this function's frame is still on the stack.
    releaseExecutableMemory();
}

// Two iterations: the second call runs after the first has released
// the executable memory.
for (var i = 0; i &lt; 2; i++)
    test();</pre>
        </div>
      </p>
    </body>
</html>