Bug 129101

Summary: ASSERTION FAILED: isUInt16() on ARMv7 after r113253
Product: WebKit Reporter: Gabor Rapcsanyi <rgabor>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo, msaboff, oliver, ossy, zherczeg
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Linux   
Bug Depends on:    
Bug Blocks: 108645, 83191    
Attachments:
Description Flags
proposed patch none

Gabor Rapcsanyi
Reported 2014-02-20 05:38:25 PST
Testcase: var args = "a"; for (var i = 0; i < 600; ++i) args += ",a"; var myFunc = Function(args, "print(myFunc.length)"); myFunc(); #0 0xb69fd2b8 in WTFCrash () at /home/rgabor/WebKit/Source/WTF/wtf/Assertions.cpp:333 #1 0xb6705faa in JSC::ARMThumbImmediate::getUInt16 (this=0xbeffe984) at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/ARMv7Assembler.h:437 #2 0xb67060fa in JSC::ARMv7Assembler::add (this=0xbeffea18, rd=JSC::ARMRegisters::r13, rn=JSC::ARMRegisters::r13, imm=...) at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/ARMv7Assembler.h:861 #3 0xb67075ae in JSC::MacroAssemblerARMv7::add32 (this=0xbeffea18, imm=..., src=JSC::ARMRegisters::r13, dest=JSC::ARMRegisters::r13) at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h:182 #4 0xb670754c in JSC::MacroAssemblerARMv7::add32 (this=0xbeffea18, imm=..., dest=JSC::ARMRegisters::r13) at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h:161 #5 0xb6707d88 in JSC::MacroAssembler::addPtr (this=0xbeffea18, imm=..., srcDest=JSC::ARMRegisters::r13) at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/MacroAssembler.h:444 #6 0xb681d8b8 in JSC::ArityCheckFailReturnThunks::returnPCsFor (this=0x5b6f8, vm=..., numExpectedArgumentsIncludingThis=524) at /home/rgabor/WebKit/Source/JavaScriptCore/jit/ArityCheckFailReturnThunks.cpp:86 #7 0xb681db82 in JSC::ArityCheckFailReturnThunks::returnPCFor (this=0x5b6f8, vm=..., slotsToAdd=524) at /home/rgabor/WebKit/Source/JavaScriptCore/jit/ArityCheckFailReturnThunks.cpp:128 #8 0xb68e5b4a in JSC::setupArityCheckData (vm=..., slotsToAdd=262) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:173 #9 0xb68e5c34 in JSC::slow_path_call_arityCheck (exec=0xbeffec88, pc=0x772c8) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:193 #10 0xb69e8516 in llint_function_for_call_arity_check () from /home/rgabor/WebKit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0 #11 0xb69ec2a2 in llint_op_call () from /home/rgabor/WebKit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0 #12 0xb69ec2a2 in llint_op_call () from /home/rgabor/WebKit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
Attachments
proposed patch (1.36 KB, patch)
2014-02-20 06:00 PST, Gabor Rapcsanyi 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Gabor Rapcsanyi
Comment 1 2014-02-20 06:00:39 PST
Created attachment 224751 [details] proposed patch
Michael Saboff
Comment 2 2014-02-20 08:50:15 PST
Comment on attachment 224751 [details] proposed patch r=me
WebKit Commit Bot
Comment 3 2014-02-20 09:32:57 PST
Comment on attachment 224751 [details] proposed patch Clearing flags on attachment: 224751 Committed r164433: <http://trac.webkit.org/changeset/164433>
WebKit Commit Bot
Comment 4 2014-02-20 09:32:59 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.