Bug 20863

Summary: ASSERTION FAILED: addressOffset < instructions.size() in CodeBlock::getHandlerForVPC
Product: WebKit Reporter: Geoffrey Garen <ggaren>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: mjs, oliver, zwarich
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
Proposed patch mjs: review+

Geoffrey Garen
Reported 2008-09-15 15:45:01 PDT
~/Labyrinth/OpenSource/JavaScriptCore/tests/mozilla$ "/Volumes/Big/ggaren/build/Debug/jsc" -s -f ./js1_5/shell.js -f ./js1_5/Regress/regress-96128-n.js BUGNUMBER: 96128 STATUS: Testing that JS infinite recursion protection works ASSERTION FAILED: addressOffset < instructions.size() (/Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/CodeBlock.cpp:978 bool JSC::CodeBlock::getHandlerForVPC(const JSC::Instruction*, JSC::Instruction*&, int&))
Attachments
Proposed patch (1.58 KB, patch)
2008-09-15 19:36 PDT, Cameron Zwarich (cpst) 		mjs: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Geoffrey Garen
Comment 1 2008-09-15 15:45:30 PDT
Only fails in CTI.
Cameron Zwarich (cpst)
Comment 2 2008-09-15 16:20:04 PDT
The problem is that exception range info is not being correctly generated, now that op_get_by_id is emitted before op_construct and op_instanceof (in this case it is op_construct). I tried to make a quick fix to avoid the crash, but it doesn't seem to work. I must leave now for a while, so I am unassigning this to myself.
Cameron Zwarich (cpst)
Comment 3 2008-09-15 19:36:46 PDT
Created attachment 23457 [details] Proposed patch
Maciej Stachowiak
Comment 4 2008-09-15 19:40:22 PDT
Comment on attachment 23457 [details] Proposed patch r=me
Cameron Zwarich (cpst)
Comment 5 2008-09-17 19:57:47 PDT
Landed in r36472.
Note You need to log in before you can comment on or make changes to this bug.