Bug 129101

Summary:

ASSERTION FAILED: isUInt16() on ARMv7 after r113253

Product:

WebKit

Reporter:

Gabor Rapcsanyi <rgabor>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

commit-queue, fpizlo, msaboff, oliver, ossy, zherczeg

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Linux

Bug Depends on:

Bug Blocks:

108645, 83191

Attachments:

Description	Flags
proposed patch	none

Description Gabor Rapcsanyi 2014-02-20 05:38:25 PST

Testcase:
  var args = "a";
  for (var i = 0; i < 600; ++i)
      args += ",a";
  var myFunc = Function(args, "print(myFunc.length)");
  myFunc();



#0  0xb69fd2b8 in WTFCrash () at /home/rgabor/WebKit/Source/WTF/wtf/Assertions.cpp:333
#1  0xb6705faa in JSC::ARMThumbImmediate::getUInt16 (this=0xbeffe984) at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/ARMv7Assembler.h:437
#2  0xb67060fa in JSC::ARMv7Assembler::add (this=0xbeffea18, rd=JSC::ARMRegisters::r13, rn=JSC::ARMRegisters::r13, imm=...)
    at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/ARMv7Assembler.h:861
#3  0xb67075ae in JSC::MacroAssemblerARMv7::add32 (this=0xbeffea18, imm=..., src=JSC::ARMRegisters::r13, dest=JSC::ARMRegisters::r13)
    at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h:182
#4  0xb670754c in JSC::MacroAssemblerARMv7::add32 (this=0xbeffea18, imm=..., dest=JSC::ARMRegisters::r13) at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h:161
#5  0xb6707d88 in JSC::MacroAssembler::addPtr (this=0xbeffea18, imm=..., srcDest=JSC::ARMRegisters::r13) at /home/rgabor/WebKit/Source/JavaScriptCore/assembler/MacroAssembler.h:444
#6  0xb681d8b8 in JSC::ArityCheckFailReturnThunks::returnPCsFor (this=0x5b6f8, vm=..., numExpectedArgumentsIncludingThis=524)
    at /home/rgabor/WebKit/Source/JavaScriptCore/jit/ArityCheckFailReturnThunks.cpp:86
#7  0xb681db82 in JSC::ArityCheckFailReturnThunks::returnPCFor (this=0x5b6f8, vm=..., slotsToAdd=524) at /home/rgabor/WebKit/Source/JavaScriptCore/jit/ArityCheckFailReturnThunks.cpp:128
#8  0xb68e5b4a in JSC::setupArityCheckData (vm=..., slotsToAdd=262) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:173
#9  0xb68e5c34 in JSC::slow_path_call_arityCheck (exec=0xbeffec88, pc=0x772c8) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:193
#10 0xb69e8516 in llint_function_for_call_arity_check () from /home/rgabor/WebKit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#11 0xb69ec2a2 in llint_op_call () from /home/rgabor/WebKit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#12 0xb69ec2a2 in llint_op_call () from /home/rgabor/WebKit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0

Comment 1 Gabor Rapcsanyi 2014-02-20 06:00:39 PST

Created attachment 224751 [details]
proposed patch

Comment 2 Michael Saboff 2014-02-20 08:50:15 PST

Comment on attachment 224751 [details]
proposed patch

r=me

Comment 3 WebKit Commit Bot 2014-02-20 09:32:57 PST

Comment on attachment 224751 [details]
proposed patch

Clearing flags on attachment: 224751

Committed r164433: <http://trac.webkit.org/changeset/164433>

Comment 4 WebKit Commit Bot 2014-02-20 09:32:59 PST

All reviewed patches have been landed.  Closing bug.