146636 2015-07-06 05:50:26 -0700 ASSERTION FAILED: returnAddress >= instructions().begin() && returnAddress < instructions().end() in JSC::CodeBlock::bytecodeOffset 2015-07-06 06:04:13 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified NEW P2 Normal --- 116980 1 rhodovan.u-szeged webkit-unassigned fpizlo oliver oldest_to_newest 1107078 0 256210 rhodovan.u-szeged 2015-07-06 05:50:26 -0700 Created attachment 256210 Test case Loading this with debug jsc ends in a release assert failure: function test() { try { releaseExecutableMemory(); Array.from(Object); Array.from(); } catch(err) {} } for (var i = 0; i < 2; i++) test(); Backtrace: ASSERTION FAILED: returnAddress >= instructions().begin() && returnAddress < instructions().end() ../../Source/JavaScriptCore/bytecode/CodeBlock.h(252) : unsigned int JSC::CodeBlock::bytecodeOffset(JSC::Instruction*) 1 0x7ffff72d46db WTFCrash 2 0x7ffff7103737 JSC::CodeBlock::bytecodeOffset(JSC::Instruction*) 3 0x7ffff70fe7aa 4 0x7fffb10007f5 [New Thread 0x7fffaf7fa700 (LWP 4629)] [New Thread 0x7fffafffb700 (LWP 4628)] [New Thread 0x7fffb07fc700 (LWP 4627)] [New Thread 0x7fffb0ffd700 (LWP 4626)] Program received signal SIGSEGV, Segmentation fault. 0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 321 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007ffff7103737 in JSC::CodeBlock::bytecodeOffset (this=0x7ffff15de4c0, returnAddress=0x7ffff10380f8) at ../../Source/JavaScriptCore/bytecode/CodeBlock.h:252 #2 0x00007ffff70fe7aa in JSC::slow_path_nstricteq (exec=0x7fffffffca00, pc=0x7ffff10380f8) at ../../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:300 #3 0x00007fffb10007f5 in ?? () #4 0x00007fffffffc9b0 in ?? () #5 0x00007ffff6f8b958 in JSC::getHostCallReturnValueWithExecState (exec=0x7ffff10342e0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:2057 #6 0x00007fffb0fffafa in ?? () #7 0x00007ffff15de4c0 in ?? () #8 0x00007ffff1050c10 in ?? () #9 0x0000001f00000001 in ?? () #10 0x00007ffff1034480 in ?? () #11 0x000000000000000a in ?? () #12 0x00007ffff727e87e in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1 #13 0x00007ffff727e87e in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1 #14 0x00007ffff7278cc6 in vmEntryToJavaScript () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1 #15 0x00007ffff6f75702 in JSC::JITCode::execute (this=0x7ffff17e3ed0, vm=0x7ffff1004000, protoCallFrame=0x7fffffffcca0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:77 #16 0x00007ffff6f4e1e4 in JSC::Interpreter::execute (this=0x7ffff17f6000, program=0x7ffff1046000, callFrame=0x7ffff102b840, thisObj=0x7ffff107acc0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:901 #17 0x00007ffff7103f48 in JSC::evaluate (exec=0x7ffff102b840, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:82 #18 0x0000000000428d38 in runWithScripts (globalObject=0x7ffff102b800, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1315 #19 0x0000000000429c41 in jscmain (argc=3, argv=0x7fffffffd8e8) at ../../Source/JavaScriptCore/jsc.cpp:1533 #20 0x0000000000428b0a in main (argc=3, argv=0x7fffffffd8e8) at ../../Source/JavaScriptCore/jsc.cpp:1273 1107082 1 rhodovan.u-szeged 2015-07-06 06:04:13 -0700 Forgot to say: jsc needs to be run with the --thresholdForJITAfterWarmUp=10 runtime flag to reproduce the assertion fail. If you leave the flag then another crash happens in llint_entry with the backtrace below: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7279a51 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1 (gdb) bt #0 0x00007ffff7279a51 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1 #1 0x00007ffff727e87e in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1 #2 0x00007ffff7278cc6 in vmEntryToJavaScript () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1 #3 0x00007ffff6f75702 in JSC::JITCode::execute (this=0x7ffff17e3ed0, vm=0x7ffff1004000, protoCallFrame=0x7fffffffccc0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:77 #4 0x00007ffff6f4e1e4 in JSC::Interpreter::execute (this=0x7ffff17f6000, program=0x7ffff1046000, callFrame=0x7ffff102b840, thisObj=0x7ffff107acc0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:901 #5 0x00007ffff7103f48 in JSC::evaluate (exec=0x7ffff102b840, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:82 #6 0x0000000000428d38 in runWithScripts (globalObject=0x7ffff102b800, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1315 #7 0x0000000000429c41 in jscmain (argc=2, argv=0x7fffffffd908) at ../../Source/JavaScriptCore/jsc.cpp:1533 #8 0x0000000000428b0a in main (argc=2, argv=0x7fffffffd908) at ../../Source/JavaScriptCore/jsc.cpp:1273 Further note: to reproduce the latter, the test case can be minimized as follows: function test() { releaseExecutableMemory(); } for (var i = 0; i < 2; i++) test(); 256210 2015-07-06 05:50:26 -0700 2015-07-06 05:50:26 -0700 Test case crash.js application/javascript 175 rhodovan.u-szeged ZnVuY3Rpb24gdGVzdCgpIHsKICAgIHRyeSB7CiAgICAgICAgcmVsZWFzZUV4ZWN1dGFibGVNZW1v cnkoKTsKICAgICAgICBBcnJheS5mcm9tKE9iamVjdCk7CiAgICAgICAgQXJyYXkuZnJvbSgpOwog ICAgfSBjYXRjaChlcnIpIHt9Cn0KCmZvciAodmFyIGkgPSAwOyBpIDwgMjsgaSsrKQogICAgdGVz dCgpOw==