Bug 112067 - Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Michael Saboff
Keywords: InRadar
Reported: 2013-03-11 14:31 PDT by Michael Saboff
Modified: 2013-03-11 15:38 PDT (History)

Attachments
Patch (1.56 KB, patch)
2013-03-11 14:44 PDT, Michael Saboff
ggaren: review+

Description Michael Saboff 2013-03-11 14:31:43 PDT
If you run run-webkit-tests --32-bit --debug fast/js, you will get a crash running fast/js/dfg-create-inlined-arguments-in-closure-inline with a traceback like:

ASSERTION FAILED: isCell()
/Volumes/Data/src/webkit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(298) : JSC::JSCell *JSC::JSValue::asCell() const
1   0xfc657 JSC::JSValue::asCell() const
2   0x107a41 JSC::asObject(JSC::JSValue)
3   0x10c805 JSC::Register::function() const
4   0x109acc JSC::ExecState::callee() const
5   0x1dbc7c JSC::InlineCallFrame::calleeForCallFrame(JSC::ExecState*) const
6   0x2b8b8c JSC::Arguments::finishCreation(JSC::ExecState*, JSC::InlineCallFrame*)
7   0x2b7032 JSC::Arguments::create(JSC::JSGlobalData&, JSC::ExecState*, JSC::InlineCallFrame*)
8   0x2b1c6d operationCreateInlinedArguments
9   0x14bbb3e
10  0x3be164 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*)
11  0x3ba5be JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
12  0x1e50df JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
13  0x8d6a9 functionLoad(JSC::ExecState*)
14  0x14ba68f
15  0x3be164 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*)
16  0x3ba5be JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
17  0x1e50df JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
18  0x8c61e runInteractive(GlobalObject*)
19  0x8b6cc jscmain(int, char**)
20  0x8b4a7 main
21  0x93901725 start

It appears that we aren't setting the tag for the inline callee.

<rdar://problem/13095042>
Comment 1 Michael Saboff 2013-03-11 14:44:02 PDT
Created attachment 192565: Patch
Comment 2 Geoffrey Garen 2013-03-11 14:45:52 PDT
Comment on attachment 192565: Patch

r=me
Comment 3 Michael Saboff 2013-03-11 15:38:45 PDT
Committed r145417: <http://trac.webkit.org/changeset/145417>