This piece of code crashes, as far as i can tell it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block: var value = 0; function f(x) { var result = 0; function g(a) { function throwEventually() { if (value++ > 10000) throw new Error; return 5; } return a * throwEventually(); } for (var i = 0; i < 3; i++) i += g(x); return i; } while (true) f(5)
(In reply to comment #0) > This piece of code crashes, as far as i can tell it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block: > var value = 0; > function f(x) { > var result = 0; > function g(a) { > function throwEventually() { > if (value++ > 10000) > throw new Error; > return 5; > } > return a * throwEventually(); > } > for (var i = 0; i < 3; i++) > i += g(x); > return i; > } > > while (true) > f(5) What happens if the closure call cache is cleared while one of the closure calls is still on the stack? Maybe that's what's going on?
(In reply to comment #1) > (In reply to comment #0) > > This piece of code crashes, as far as i can tell it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block: > > var value = 0; > > function f(x) { > > var result = 0; > > function g(a) { > > function throwEventually() { > > if (value++ > 10000) > > throw new Error; > > return 5; > > } > > return a * throwEventually(); > > } > > for (var i = 0; i < 3; i++) > > i += g(x); > > return i; > > } > > > > while (true) > > f(5) > > What happens if the closure call cache is cleared while one of the closure calls is still on the stack? > > Maybe that's what's going on? Alas the crash i'm getting isn't in the above test case, i had an incorrect tree in my change.