RESOLVED WORKSFORME 117136
ASSERTION FAILED: !resolveResult.isStatic() in JSC::BytecodeGenerator::emitResolveWithBaseForPut
https://bugs.webkit.org/show_bug.cgi?id=117136
Renata Hodovan
Reported 2013-06-03 02:29:45 PDT
The following test fails in debug webkit:

function test() {
    const f = function() {
        if (f) {
            f[f--] = new f();
        }
    };
    return new f();
}
test();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1 0x00000000004ca244 in JSC::BytecodeGenerator::emitResolveWithBaseForPut (this=0xf5b0c0, baseDst=0xf5b448, propDst=0xf5b43c, resolveResult=..., property=..., verifier=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:1307
#2 0x00000000004fd638 in JSC::PostfixNode::emitResolve (this=0xf51cd0, generator=..., dst=0xf5b430) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:647
#3 0x00000000004fdd11 in JSC::PostfixNode::emitBytecode (this=0xf51cd0, generator=..., dst=0xf5b430) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:697
#4 0x00000000004d3040 in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b430, n=0xf51cd0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:361
#5 0x00000000005076a5 in JSC::BytecodeGenerator::emitNodeForLeftHandSide (this=0xf5b0c0, n=0xf51cd0, rightHasAssignments=true, rightIsPure=false) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:418
#6 0x0000000000502060 in JSC::AssignBracketNode::emitBytecode (this=0xf51d98, generator=..., dst=0xf5b120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1406
#7 0x00000000004d3040 in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51d98) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:361
#8 0x0000000000502b08 in JSC::ExprStatementNode::emitBytecode (this=0xf51dd8, generator=..., dst=0xf5b120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1542
#9 0x00000000004d2f3e in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51dd8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:346
#10 0x0000000000507d15 in JSC::SourceElements::emitBytecode (this=0xf51c68, generator=..., dst=0xf5b120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1500
#11 0x000000000050299a in JSC::BlockNode::emitBytecode (this=0xf51df8, generator=..., dst=0xf5b120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1519
#12 0x00000000004d2f3e in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51df8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:346
#13 0x0000000000502f20 in JSC::IfElseNode::emitBytecode (this=0xf51e18, generator=..., dst=0xf5b120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1610
#14 0x00000000004d2f3e in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51e18) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:346
#15 0x0000000000507d15 in JSC::SourceElements::emitBytecode (this=0xf51c28, generator=..., dst=0xf5b120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1500
#16 0x000000000050299a in JSC::BlockNode::emitBytecode (this=0xf51e48, generator=..., dst=0xf5b120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1519
#17 0x00000000004d2f3e in JSC::BytecodeGenerator::emitNode (this=0xf5b0c0, dst=0xf5b120, n=0xf51e48) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:346
---Type <return> to continue, or q <return> to quit---
#18 0x0000000000507d15 in JSC::SourceElements::emitBytecode (this=0xf51c10, generator=..., dst=0xf5b120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1500
#19 0x0000000000507e14 in JSC::ScopeNode::emitStatementsBytecode (this=0xf44ba0, generator=..., dst=0xf5b120) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2135
#20 0x00000000005061a6 in JSC::FunctionBodyNode::emitBytecode (this=0xf44ba0, generator=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2171
#21 0x00000000004c3bf1 in JSC::BytecodeGenerator::generate (this=0xf5b0c0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:86
#22 0x00000000004bcece in JSC::generateFunctionCodeBlock (vm=..., scope=0x7fffb211ffb0, executable=0x7fffb213ff20, source=..., kind=JSC::CodeForConstruct, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:66
#23 0x00000000004bd677 in JSC::UnlinkedFunctionExecutable::codeBlockFor (this=0x7fffb213ff20, vm=..., scope=0x7fffb211ffb0, source=..., specializationKind=JSC::CodeForConstruct, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:155
#24 0x00000000007337f5 in JSC::FunctionExecutable::produceCodeBlockFor (this=0x7fffb217fc70, scope=0x7fffb211ffb0, specializationKind=JSC::CodeForConstruct, exception=@0x7fffffffca00: 0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:502
#25 0x0000000000733d5a in JSC::FunctionExecutable::compileForConstructInternal (this=0x7fffb217fc70, exec=0x7fffb21c20e8, scope=0x7fffb211ffb0, jitType=JSC::JITCode::BaselineJIT, bytecodeIndex=4294967295) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:564
#26 0x00000000005bd456 in JSC::FunctionExecutable::compileForConstruct (this=0x7fffb217fc70, exec=0x7fffb21c20e8, scope=0x7fffb211ffb0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.h:637
#27 0x00000000005bd5eb in JSC::FunctionExecutable::compileFor (this=0x7fffb217fc70, exec=0x7fffb21c20e8, scope=0x7fffb211ffb0, kind=JSC::CodeForConstruct) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.h:669
#28 0x000000000069abac in JSC::LLInt::setUpCall (execCallee=0x7fffb21c20e8, pc=0xf56598, kind=JSC::CodeForConstruct, calleeAsValue=..., callLinkInfo=0xf42ed0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1392
#29 0x000000000069afeb in JSC::LLInt::genericCall (exec=0x7fffb21c20a0, pc=0xf56598, kind=JSC::CodeForConstruct) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1434
#30 0x00000000006980ec in JSC::LLInt::llint_slow_path_construct (exec=0x7fffb21c20a0, pc=0xf56598) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1446
#31 0x000000000069ef3e in llint_op_construct ()
#32 0x00007fffb21c2058 in ?? ()
#33 0x0000000000f40950 in ?? ()
#34 0x00007fffffffcd30 in ?? ()
#35 0x00000000006483c7 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#36 0x0000000000647226 in JSC::JITCode::execute (this=0x7fffb217fe90, stack=0xf40950, callFrame=0x7fffb21c2058, vm=0xf317e0)
---Type <return> to continue, or q <return> to quit---
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.h:135
#37 0x0000000000644747 in JSC::Interpreter::execute (this=0xf40940, program=0x7fffb217fe70, callFrame=0x7ffff7f5fb78, thisObj=0x7ffff7e6feb0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:976
#38 0x00000000007292c0 in JSC::evaluate (exec=0x7ffff7f5fb78, source=..., thisValue=..., returnedException=0x7fffffffda10) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#39 0x000000000040fdcd in runWithScripts (globalObject=0x7ffff7f5f970, scripts=..., dump=false) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:587
#40 0x0000000000410b3d in jscmain (argc=2, argv=0x7fffffffdc98) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:803
Attachments
Patch (49.35 KB, patch)
2013-06-06 13:31 PDT, Oliver Hunt
ggaren: review+
buildbot: commit-queue-
Archive of layout-test-results from webkit-ews-08 for mac-mountainlion (497.51 KB, application/zip)
2013-06-06 14:49 PDT, Build Bot
no flags
Archive of layout-test-results from webkit-ews-05 for mac-mountainlion (601.88 KB, application/zip)
2013-06-06 15:34 PDT, Build Bot
no flags
Archive of layout-test-results from webkit-ews-12 for mac-mountainlion-wk2 (927.92 KB, application/zip)
2013-06-07 05:31 PDT, Build Bot
no flags
Geoffrey Garen
Comment 1 2013-06-03 15:28:43 PDT
Oliver Hunt
Comment 3 2013-06-06 11:51:58 PDT
fixing
Oliver Hunt
Comment 4 2013-06-06 13:31:09 PDT
Geoffrey Garen
Comment 5 2013-06-06 14:11:25 PDT
Comment on attachment 203963
Patch

This should go on the branch, unless you have a test case or reasonable expectation that it would cause a crash or similar in a release build.
Build Bot
Comment 6 2013-06-06 14:49:23 PDT
Comment on attachment 203963
Patch

Attachment 203963 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/712763

New failing tests:
fast/regex/lastIndex.html
Build Bot
Comment 7 2013-06-06 14:49:25 PDT
Created attachment 203969
Archive of layout-test-results from webkit-ews-08 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-08 Port: mac-mountainlion Platform: Mac OS X 10.8.3
Build Bot
Comment 8 2013-06-06 15:34:46 PDT
Comment on attachment 203963
Patch

Attachment 203963 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/745562

New failing tests:
fast/regex/lastIndex.html
Build Bot
Comment 9 2013-06-06 15:34:48 PDT
Created attachment 203973
Archive of layout-test-results from webkit-ews-05 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-05 Port: mac-mountainlion Platform: Mac OS X 10.8.3
Build Bot
Comment 10 2013-06-07 05:31:26 PDT
Comment on attachment 203963
Patch

Attachment 203963 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/712897

New failing tests:
fast/regex/lastIndex.html
Build Bot
Comment 11 2013-06-07 05:31:28 PDT
Created attachment 204030
Archive of layout-test-results from webkit-ews-12 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-12 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.3
Renata Hodovan
Comment 12 2015-06-26 09:47:34 PDT
Cannot repro this anymore.