Bug 20863

Summary: ASSERTION FAILED: addressOffset < instructions.size() in CodeBlock::getHandlerForVPC
Product: WebKit Reporter: Geoffrey Garen <ggaren>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Severity: Normal CC: mjs, oliver, zwarich
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Description Flags
Proposed patch mjs: review+

Description Geoffrey Garen 2008-09-15 15:45:01 PDT
~/Labyrinth/OpenSource/JavaScriptCore/tests/mozilla$ "/Volumes/Big/ggaren/build/Debug/jsc"  -s  -f ./js1_5/shell.js -f ./js1_5/Regress/regress-96128-n.js

STATUS: Testing that JS infinite recursion protection works
ASSERTION FAILED: addressOffset < instructions.size()
(/Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/CodeBlock.cpp:978 bool JSC::CodeBlock::getHandlerForVPC(const JSC::Instruction*, JSC::Instruction*&, int&))
Comment 1 Geoffrey Garen 2008-09-15 15:45:30 PDT
Only fails in CTI.
Comment 2 Cameron Zwarich (cpst) 2008-09-15 16:20:04 PDT
The problem is that exception range info is not being correctly generated, now that op_get_by_id is emitted before op_construct and op_instanceof (in this case it is op_construct). I tried to make a quick fix to avoid the crash, but it doesn't seem to work.

I must leave now for a while, so I am unassigning this to myself.
Comment 3 Cameron Zwarich (cpst) 2008-09-15 19:36:46 PDT
Created attachment 23457 [details]
Proposed patch
Comment 4 Maciej Stachowiak 2008-09-15 19:40:22 PDT
Comment on attachment 23457 [details]
Proposed patch

Comment 5 Cameron Zwarich (cpst) 2008-09-17 19:57:47 PDT
Landed in r36472.