Bug 19024

Summary: SQUIRRELFISH: ASSERTION FAILED: activation->isActivationObject() in Machine::unwindCallFrame
Product: WebKit
Reporter: Cameron Zwarich (cpst) <zwarich>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ggaren, mjs, oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://blog.wired.com/games/2008/05/for-wiiware-nin.html
Attachments (description: flags):
Reduction: none
Further reduction: none
Further reduction: none
Further reduction: none

Cameron Zwarich (cpst)
Reported 2008-05-12 17:44:49 PDT
SquirrelFish crashes on the site http://blog.wired.com/games/2008/05/for-wiiware-nin.html with the following assertion failure:

ASSERTION FAILED: activation->isActivationObject() (/Users/Cameron/sf/JavaScriptCore/VM/Machine.cpp:523 bool KJS::Machine::unwindCallFrame(KJS::ExecState*, KJS::Register**, const KJS::Instruction*&, KJS::CodeBlock*&, KJS::JSValue**&, KJS::ScopeChainNode*&, KJS::Register*&))

I occasionally need to reload to get it to crash.
Attachments
Reduction (1.05 KB, text/html)
2008-05-12 19:20 PDT, Cameron Zwarich (cpst)
no flags
Further reduction (20.32 KB, text/html)
2008-05-12 20:24 PDT, Cameron Zwarich (cpst)
no flags
Further reduction (3.15 KB, text/html)
2008-05-12 21:09 PDT, Cameron Zwarich (cpst)
no flags
Further reduction (362 bytes, text/html)
2008-05-12 22:41 PDT, Cameron Zwarich (cpst)
no flags
Cameron Zwarich (cpst)
Comment 1 2008-05-12 19:20:35 PDT
Created attachment 21096 [details]: Reduction

Here is a partial reduction of this bug. Even though the crash occurs in the SHARETHIS code, I needed to create and add the flash object earlier to get the crash to occur. It should be possible to further reduce the library code to get some idea of what is going on.
Cameron Zwarich (cpst)
Comment 2 2008-05-12 20:24:51 PDT
Created attachment 21098 [details]: Further reduction

Here is a further reduction, including the library source. When I tried to reduce it more, I sometimes got a plain crash instead of an assertion failure.
Cameron Zwarich (cpst)
Comment 3 2008-05-12 21:09:31 PDT
Created attachment 21100 [details]: Further reduction

Here's a further reduction of the bug. Most of the library code is irrelevant to the assertion failure. The assertion failure doesn't occur when I replace the eval at the beginning with an eval of the actual JS source produced.
Cameron Zwarich (cpst)
Comment 4 2008-05-12 22:41:49 PDT
Created attachment 21101 [details]: Further reduction

Here's a further reduction. This one doesn't trigger the same assertion. Instead, it hits this assertion:

ASSERTION FAILED: isNumber(v) (/Users/Cameron/sf/JavaScriptCore/kjs/JSImmediate.cpp:44 static KJS::JSObject* KJS::JSImmediate::toObject(const KJS::JSValue*, KJS::ExecState*))
Oliver Hunt
Comment 5 2008-05-14 00:37:25 PDT
Comment on attachment 21101 [details]: Further reduction

This test is actually a test of bug #19025
Oliver Hunt
Comment 6 2008-05-14 00:39:30 PDT
Comment on attachment 21100 [details]: Further reduction

I was wrong
Oliver Hunt
Comment 7 2008-05-14 05:15:56 PDT
M JavaScriptCore/ChangeLog
M JavaScriptCore/VM/Machine.cpp
M JavaScriptCore/VM/RegisterFile.cpp
M JavaScriptCore/VM/RegisterFileStack.cpp
M JavaScriptCore/VM/RegisterFileStack.h
M LayoutTests/ChangeLog
A LayoutTests/fast/js/implicit-global-to-global-reentry-expected.txt
A LayoutTests/fast/js/implicit-global-to-global-reentry.html
Committed r33438