Bug 127043

Created attachment 221259 [details] Test case The failing script: function function_0 (var_0) { for ( ; ; Array(-1, -6).filter(function_0) ) continue ; new Date(1) = { set prop_0(){ switch ( var_0 ) {} } } } function_0(); The backtrace: ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()) /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCell.h(187) : To JSC::jsCast(JSC::JSValue) [with To = JSC::JSActivation*] 1 0x7ffff74a3e44 WTFCrash 2 0x7ffff723314f JSC::JSActivation* JSC::jsCast<JSC::JSActivation*>(JSC::JSValue) 3 0x7ffff722d9fc 4 0x7ffff7232b32 JSC::UnwindFunctor::operator()(JSC::StackVisitor&) 5 0x7ffff723410c void JSC::StackVisitor::visit<JSC::UnwindFunctor>(JSC::ExecState*, JSC::UnwindFunctor&) 6 0x7ffff72333ab void JSC::ExecState::iterate<JSC::UnwindFunctor>(JSC::UnwindFunctor&) 7 0x7ffff722e406 JSC::Interpreter::unwind(JSC::ExecState*&, JSC::JSValue&) 8 0x7ffff724ecec JSC::genericUnwind(JSC::VM*, JSC::ExecState*, JSC::JSValue) 9 0x7ffff725da9d 10 0x7fffaa55912a Program received signal SIGSEGV, Segmentation fault. 0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff723314f in JSC::jsCast<JSC::JSActivation*> (from=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCell.h:187 #2 0x00007ffff722d9fc in JSC::unwindCallFrame (visitor=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:441 #3 0x00007ffff7232b32 in JSC::UnwindFunctor::operator() (this=0x7fffff9f3c90, visitor=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:645 #4 0x00007ffff723410c in JSC::StackVisitor::visit<JSC::UnwindFunctor> (startFrame=0x7fffa9bdf978, functor=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/StackVisitor.h:123 #5 0x00007ffff72333ab in JSC::ExecState::iterate<JSC::UnwindFunctor> (this=0x7fffa9bdf978, functor=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/CallFrame.h:309 #6 0x00007ffff722e406 in JSC::Interpreter::unwind (this=0x659170, callFrame=@0x7fffff9f3d70: 0x7fffa9bdf978, exceptionValue=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:709 #7 0x00007ffff724ecec in JSC::genericUnwind (vm=0x6472c0, callFrame=0x7fffa9bdf978, exceptionValue=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITExceptions.cpp:47 #8 0x00007ffff725da9d in JSC::operationVMHandleException (exec=0x7fffa9bdf978) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:1750 #9 0x00007fffaa55912a in ?? () #10 0x00007fffaa55a920 in ?? () #11 0x0000000000651628 in ?? () #12 0xffff000000000002 in ?? () #13 0xffff000000000000 in ?? () #14 0x00007fffffffdd70 in ?? () #15 0x00007fffa9bdf9f0 in ?? () #16 0x00007fffff9f3e80 in ?? () #17 0x00007ffff724ca38 in JSC::JITCode::execute (this=0x7fff00000002, vm=0x7fffa983d830, protoCallFrame=0x7fffa98af970, topOfStack=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:48 Backtrace stopped: previous frame inner to this frame (corrupt stack?)