Bug 106690

Summary: Python implementation reports "MemoryError" instead of doing things
Product: WebKit
Reporter: Oliver Hunt <oliver>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: http://syntensity.com/static/python.html
Bug Depends on: 106715, 106724, 106727
Bug Blocks:
Attachments:
  the patch (Flags: oliver: review+)

Description Oliver Hunt 2013-01-11 12:53:49 PST
Going to http://syntensity.com/static/python.html in a debug build crashes reliably for me.  

ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(&WTF::RemovePointer<To>::Type::s_info)
/Volumes/Data/git/WebKit/OpenSource/Source/JavaScriptCore/runtime/JSCell.h(346) : To JSC::jsCast(JSC::JSValue) [To = JSC::JSObject *]
1   0x1176e72f9 JSC::JSObject* JSC::jsCast<JSC::JSObject*>(JSC::JSValue)
2   0x1176e66c9 JSC::JSScope::resolvePut(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&, JSC::JSValue, JSC::PutToBaseOperation*)
3   0x11765262b cti_op_put_to_base
4   0x117659040 jscGeneratedNativeCode
5   0x117615194 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*)
6   0x117612328 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
7   0x117423b3c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
8   0x11767ac61 JSC::boundFunctionCall(JSC::ExecState*)
9   0x117612352 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
10  0x117423b3c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
11  0x11904abc2 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
12  0x119b1ed34 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*)
13  0x119b1e8d2 WebCore::ScheduledAction::execute(WebCore::Document*)
14  0x119b1e719 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*)
15  0x118a87057 WebCore::DOMTimer::fired()
16  0x119ec6cfb WebCore::ThreadTimers::sharedTimerFiredInternal()
17  0x119ec6a89 WebCore::ThreadTimers::sharedTimerFired()
18  0x119be65f3 WebCore::timerFired(__CFRunLoopTimer*, void*)
19  0x7fff82f6ae14 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__
20  0x7fff82f6a925 __CFRunLoopDoTimer
21  0x7fff82f50686 __CFRunLoopRun
22  0x7fff82f4fe29 CFRunLoopRunSpecific
23  0x7fff8e5cd524 RunCurrentEventLoopInMode
24  0x7fff8e5cd2c1 ReceiveNextEventCommon
25  0x7fff8e6e0917 _BlockUntilNextEventMatchingListInModeWithFilter
26  0x7fff88d16281 _DPSNextEvent
27  0x7fff88d158ae -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
28  0x7fff88d0db2f -[NSApplication run]
29  0x7fff88cb65e6 NSApplicationMain
30  0x7fff8232bfa3 _xpc_main
31  0x7fff8240cee4 xpc_main


It looks like the base in a put_to_base operation is undefined, which should not be possible (we should have thrown an exception already if that were the case).

The ResolvePutOperation seems to imply we're putting a global property down, but the base is undefined.
Comment 1 Filip Pizlo 2013-01-11 20:31:23 PST
I fixed the crash, but it appears that we're still doing bad things.  Renaming the bug accordingly.
Comment 2 Filip Pizlo 2013-01-11 22:52:58 PST
Created attachment 182459 [details]
the patch
Comment 3 Filip Pizlo 2013-01-14 16:55:15 PST
Landed in http://trac.webkit.org/changeset/139687