122665 2013-10-11 11:29:57 -0700 Intermittent Trap 5 (int $3) in get_by_val (or GetByVal) from an Int32 array in sunspider-1.0/math-spectral-norm.js.dfg-eager 2013-10-11 12:30:25 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED DUPLICATE 122462 P2 Normal --- 1 fpizlo fpizlo ap barraclough ggaren mark.lam mhahnenberg msaboff oliver sam oldest_to_newest 938892 0 fpizlo 2013-10-11 11:29:57 -0700 Here's the machine code, it looks like it's gotta be a get_by_val int32 load stub in the baseline JIT, or a GetByVal in the DFG. Not sure which it is. 0x3576f7a051dc: movq 8(%rax), %rdx 0x3576f7a051e0: movl -56(%r13), %ecx 0x3576f7a051e4: cmpl -8(%rdx), %ecx 0x3576f7a051e7: jae 0x3576f7a05632 0x3576f7a051ed: movq (%rdx,%rcx,8), %rbx 0x3576f7a051f1: testq %rbx, %rbx 0x3576f7a051f4: je 0x3576f7a05653 0x3576f7a051fa: cmpq %r14, %rbx 0x3576f7a051fd: jae 0x3576f7a05204 0x3576f7a05203: int3 -> 0x3576f7a05204: cvtsi2sdl %ebx, %xmm1 0x3576f7a05208: mulsd %xmm1, %xmm2 The reason why we trap is that we load this garbage from the array: (lldb) register read General Purpose Registers: rax = 0x000000010471fe80 rbx = 0x40657d68d5cbd169 rcx = 0x0000000000000000 rdx = 0x00000001017b2428 rdi = 0x0000000000000006 rsi = 0x00003576f7a0501f rbp = 0x00007fff5fbfdfe0 rsp = 0x00007fff5fbfdf40 r8 = 0x0000000000000040 r9 = 0x00007fff5fbfda00 r10 = 0x00003576f7a04c22 r11 = 0x00000000ffffffff r12 = 0x0000000000000200 r13 = 0x00000001046ffe68 r14 = 0xffff000000000000 r15 = 0xffff000000000002 rip = 0x00003576f7a05204 rflags = 0x0000000000000207 cs = 0x000000000000002b fs = 0x0000000000000000 gs = 0x0000000004010000 Notice rbx has a ridiculous value. 938896 1 fpizlo 2013-10-11 11:31:22 -0700 It takes hundreds of runs, at least, to get this to reproduce. This is starting to look like a memory corruption bug. The DFG's assertions are exactly what they should be. And we're loading nonsense from an array. That's why we're crashing. 938920 2 ap 2013-10-11 12:06:52 -0700 Is this the same as bug 122462? 938931 3 fpizlo 2013-10-11 12:30:25 -0700 (In reply to comment #2) > Is this the same as bug 122462? You're right, I forgot about that one. *** This bug has been marked as a duplicate of bug 122462 ***