| Summary: | Segfault in JSC::JITCode::execute | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Martin Hodovan <mhodovan.u-szeged> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Normal | CC: | ap, bfulgham, ggaren, loki, mhodovan.u-szeged, ossy, rgabor, rhodovan.u-szeged, zan |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| Bug Depends on: | | | |
| Bug Blocks: | 116980 | | |
| Attachments: | 222311 (Test case), 222314 (JSC dump) | | |
Created attachment 222311
Test case

The failing test (the test was run on x86_64, Ubuntu 13.04):

```javascript
function function_0 () {
    if (!new Array(0, -1).some(function_0))
        [ { y : 0 } ], x;
}
function_0();
```

The backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007fffaa57b0b0 in ?? ()
(gdb) bt
#0  0x00007fffaa57b0b0 in ?? ()
#1  0x00007fffea579100 in ?? ()
#2  0x0000000000651670 in ?? ()
#3  0xffff000000000002 in ?? ()
#4  0xffff000000000000 in ?? ()
#5  0x00007fffffffde70 in ?? ()
#6  0x00007fffa9d4c0f0 in ?? ()
#7  0x00007ffffff57790 in ?? ()
#8  0x00007ffff7248acc in JSC::JITCode::execute (this=0xa, vm=0xffff0000ffffffff, protoCallFrame=0xffff000000000000, topOfStack=0xa) at /home/martin/Data/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:48
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
```

Created attachment 222314
JSC dump

I cannot reproduce this with ToT on Mac.

I've double-checked the test again on revision 162921 and the issue still seems valid to me. I can reproduce it on GTK WK1 and WK2. Isn't it related to the cstack merge?
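The test case in the description recurses without bound: `function_0` passes itself to the native `Array.prototype.some`, which calls it again on the first element. The following regression-style check is an added example, not code from the bug report or from WebKit; it drives the same recursion shape (JS function -> native `some` -> same JS function) with a depth counter so that a practitioner can confirm an engine terminates it with a `RangeError` rather than a native crash, and compare the depth reached against plain JS-to-JS recursion. `recurseViaSome` and `maxDepth` are names chosen here.

```javascript
// Added example: exercise recursion through the native Array.prototype.some
// callback path and report how the engine ended it. Not part of the bug report.
function recurseViaSome(maxDepth) {
  let depth = 0;
  function callback() {
    depth += 1;
    // Bounded run: return true so every enclosing some() short-circuits
    // and the recursion unwinds normally.
    if (depth >= maxDepth) return true;
    // Same shape as the bug's test: [0, -1].some(self) re-enters the callback.
    return new Array(0, -1).some(callback);
  }
  let outcome;
  try {
    outcome = callback() ? "terminated" : "falsy";
  } catch (e) {
    // A conforming engine reports stack exhaustion as a RangeError;
    // a segfault (as in this bug) never reaches this handler.
    outcome = e instanceof RangeError ? "RangeError" : "other:" + e.name;
  }
  return { depth, outcome };
}

// Usage: bounded run unwinds cleanly, unbounded run must end in RangeError.
console.log(recurseViaSome(100));       // { depth: 100, outcome: 'terminated' }
console.log(recurseViaSome(Infinity));  // { depth: <engine dependent>, outcome: 'RangeError' }
```

The depth reached in the unbounded run is engine and stack-size dependent; the point of the check is only that the outcome is `RangeError`, never a process crash.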