WebKit Bugzilla
NEW
119895
ASSERTION FAILED: item.cell()->structure()->classInfo()->methodTable.copyBackingStore == JSObject::copyBackingStore
https://bugs.webkit.org/show_bug.cgi?id=119895
Simon Pena
Reported
2013-08-16 09:07:51 PDT
The Quake 3 WebGL Demo at http://media.tojicode.com/q3bsp/ crashes in an assertion in WebKitGTK (in both WK1 and WK2):

ASSERT(item.cell()->structure()->classInfo()->methodTable.copyBackingStore == JSObject::copyBackingStore)

#0 0x00007ffff2113d51 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342
#1 0x00007ffff1edba02 in JSC::CopyVisitor::visitItem (this=0x7fff7000bee0, item=...) at ../../Source/JavaScriptCore/heap/CopyVisitorInlines.h:40
#2 0x00007ffff1edb4d6 in JSC::CopyVisitor::copyFromShared (this=0x7fff7000bee0) at ../../Source/JavaScriptCore/heap/CopyVisitor.cpp:57
#3 0x00007ffff1ee7294 in JSC::Heap::copyBackingStores (this=0x7fff70003018) at ../../Source/JavaScriptCore/heap/Heap.cpp:618
#4 0x00007ffff1ee7994 in JSC::Heap::collect (this=0x7fff70003018, sweepToggle=JSC::Heap::DoNotSweep) at ../../Source/JavaScriptCore/heap/Heap.cpp:780
#5 0x00007ffff1ee7cde in JSC::Heap::collectIfNecessaryOrDefer (this=0x7fff70003018) at ../../Source/JavaScriptCore/heap/Heap.cpp:862
#6 0x00007ffff1ef7d1a in JSC::MarkedAllocator::allocateSlowCase (this=0x7fff70008d90, bytes=16) at ../../Source/JavaScriptCore/heap/MarkedAllocator.cpp:87
#7 0x00007ffff1cc00de in JSC::MarkedAllocator::allocate (this=0x7fff70008d90, bytes=16) at ../../Source/JavaScriptCore/heap/MarkedAllocator.h:82
#8 0x00007ffff1cc10f2 in JSC::MarkedSpace::allocateWithoutDestructor (this=0x7fff700032a0, bytes=16) at ../../Source/JavaScriptCore/heap/MarkedSpace.h:205
#9 0x00007ffff1cc1380 in JSC::Heap::allocateWithoutDestructor (this=0x7fff70003018, bytes=16) at ../../Source/JavaScriptCore/heap/Heap.h:420
#10 0x00007ffff1cdd4b1 in JSC::allocateCell<JSC::JSArray> (heap=..., size=16) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:99
#11 0x00007ffff1cdc4fe in JSC::allocateCell<JSC::JSArray> (heap=...) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:107
#12 0x00007ffff1cda98f in JSC::JSArray::create (vm=..., structure=0x7fff8010cf70, initialLength=3) at ../../Source/JavaScriptCore/runtime/JSArray.h:225
#13 0x00007ffff1e3b339 in JSC::DFG::operationNewArrayWithSize (exec=0x7fff47c00408, arrayStructure=0x7fff8010cf70, size=3) at ../../Source/JavaScriptCore/dfg/DFGOperations.cpp:1359

With JSC_useDFGJIT=false, the stack trace is different:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1ae8088 in JSC::IndexingHeader::vectorLength (this=0x7fff3c168040) at ../../Source/JavaScriptCore/runtime/IndexingHeader.h:57
57	    uint32_t vectorLength() const { return u.lengths.vectorLength; }
(gdb) bt
#0 0x00007ffff1ae8088 in JSC::IndexingHeader::vectorLength (this=0x7fff3c168040) at ../../Source/JavaScriptCore/runtime/IndexingHeader.h:57
#1 0x00007ffff1c4cf40 in JSC::ArrayStorage::vectorLength (this=0x7fff3c168048) at ../../Source/JavaScriptCore/runtime/ArrayStorage.h:61
#2 0x00007ffff1e72c61 in JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage (this=0x7fff9404b170, exec=0x7fff77c000a8, i=100000, value=..., attributes=0, mode=JSC::PutDirectIndexLikePutDirect, storage=0x7fff3c168048) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2062
#3 0x00007ffff1e735f6 in JSC::JSObject::putDirectIndexBeyondVectorLength (this=0x7fff9404b170, exec=0x7fff77c000a8, i=100000, value=..., attributes=0, mode=JSC::PutDirectIndexLikePutDirect) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2196
#4 0x00007ffff3a2919d in JSC::JSObject::putDirectIndex (this=0x7fff9404b170, exec=0x7fff77c000a8, propertyName=100000, value=..., attributes=0, mode=JSC::PutDirectIndexLikePutDirect) at ../../Source/JavaScriptCore/runtime/JSObject.h:182
#5 0x00007ffff3a291da in JSC::JSObject::putDirectIndex (this=0x7fff9404b170, exec=0x7fff77c000a8, propertyName=100000, value=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:186
#6 0x00007ffff3ad3743 in WebCore::CloneDeserializer::putProperty (this=0x7fffffffbec0, object=0x7fff9404b170, index=100000, value=...) at ../../Source/WebCore/bindings/js/SerializedScriptValue.cpp:1256
#7 0x00007ffff3acea97 in WebCore::CloneDeserializer::deserialize (this=0x7fffffffbec0) at ../../Source/WebCore/bindings/js/SerializedScriptValue.cpp:1611
#8 0x00007ffff3ad2f94 in WebCore::CloneDeserializer::deserialize (exec=0x7fff77c000a8, globalObject=0x7fff9402f970, messagePorts=0x7fffffffc040, arrayBufferContentsArray=0x7fff540f5fc0, buffer=WTF::Vector of length 5587771, capacity 5593233 = {...}) at ../../Source/WebCore/bindings/js/SerializedScriptValue.cpp:1006
#9 0x00007ffff3acfb2b in WebCore::SerializedScriptValue::deserialize (this=0x7fff540f5fe0, exec=0x7fff77c000a8, globalObject=0x7fff9402f970, messagePorts=0x7fffffffc040, throwExceptions=WebCore::NonThrowing) at ../../Source/WebCore/bindings/js/SerializedScriptValue.cpp:1836
#10 0x00007ffff3a8b7a6 in WebCore::JSMessageEvent::data (this=0x7fff9406b910, exec=0x7fff77c000a8) at ../../Source/WebCore/bindings/js/JSMessageEventCustom.cpp:67
#11 0x00007ffff480ecd2 in WebCore::jsMessageEventData (exec=0x7fff77c000a8, slotBase=...) at DerivedSources/WebCore/JSMessageEvent.cpp:251
#12 0x00007ffff1d4f8d9 in JSC::cti_op_get_by_id_custom_stub (args=0x7fffffffc150) at ../../Source/JavaScriptCore/jit/JITStubs.cpp:730
#13 0x00007ffff1d4e011 in JSC::tryCacheGetByID (callFrame=0x7fff9406b910, codeBlock=0xc4b610, returnAddress=..., baseValue=..., propertyName="\000=\000\000\000\000\000\000\000>\001=\000\000\000\000$\000\000\000=\000\000\000\000=\000>\002=>\002==\000\000\000\000\000\001\000\000\000\001\000\000\002\000\000=\000\000\000\001\000\000\001\000\001%\000\001\000\000\000\001\000\000\000\002\000\000\000\000\002\000\000>\002=>\002=\001\000\000\000\006\001\000\000\a\005\006\004\000=\025\000\000\000\000\000\000\000\002\001>\003=\000\000\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000=\000\000\000\000\000\000\000B\000====\000==\000\000\006\000\000\000\000\000>\003=\000\000\000=\000\004\000\000\000\000\000==\000\000\004\000===\000\000\000\000==\000===\000\000\002>\004=\000\000\000\000=\000\000\000\000"..., slot=..., stubInfo=0x7fff9406b910) at ../../Source/JavaScriptCore/jit/JITStubs.cpp:276
#14 0x00007fffffffc1a0 in ?? ()
#15 0x00007fff9406b910 in ?? ()
#16 0x00007ffff480ec93 in WebCore::jsMessageEventSource (exec=0x7fffa4d4e6af, slotBase=...) at DerivedSources/WebCore/JSMessageEvent.cpp:245
#17 0x0000000000c9d510 in ?? ()
#18 0x00007fffa4d4cf05 in ?? ()
#19 0x0000000000f4a290 in ?? ()
#20 0x00007fffffffc1a0 in ?? ()
#21 0x00007ffff1d32410 in JSC::MacroAssemblerCodeRef::operator! (this=0xc35d5b48c48348d0) at ../../Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h:409
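As an added example that is not part of this bug report or of WebKit: a small Python crash-triage helper that parses gdb `bt` output like the two traces above into frames, drops the unsymbolized `??` frames and the WTFCrash reporting frame, and derives a short signature plus the first symbolized source location, which is how duplicate reports of the same assertion or segfault are usually bucketed. The two sample backtraces are excerpts copied from this report; the function names and the CRASH_HELPERS list are my own choices.

```python
"""Parse gdb backtraces into frames and derive a triage signature (added example)."""
import re
from typing import Dict, List, Optional

# One gdb "bt" frame: #N 0xADDR in FUNC (ARGS) at FILE:LINE
# The address and the "at FILE:LINE" location are optional (unsymbolized frames).
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+"
    r"(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>.*?)\s+\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>[^\s:]+):(?P<line>\d+))?\s*$"
)

# Frames that only report a crash rather than cause it; skipped when building a signature.
# (My own list; extend it for other projects' assertion helpers.)
CRASH_HELPERS = ("WTFCrash", "abort", "raise", "__GI_raise", "__assert_fail")

# Constructed sample input: excerpts of the two traces from this report.
TRACE_ASSERT = """\
#0 0x00007ffff2113d51 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342
#1 0x00007ffff1edba02 in JSC::CopyVisitor::visitItem (this=0x7fff7000bee0, item=...) at ../../Source/JavaScriptCore/heap/CopyVisitorInlines.h:40
#2 0x00007ffff1edb4d6 in JSC::CopyVisitor::copyFromShared (this=0x7fff7000bee0) at ../../Source/JavaScriptCore/heap/CopyVisitor.cpp:57
#3 0x00007ffff1ee7294 in JSC::Heap::copyBackingStores (this=0x7fff70003018) at ../../Source/JavaScriptCore/heap/Heap.cpp:618
#4 0x00007ffff1ee7994 in JSC::Heap::collect (this=0x7fff70003018, sweepToggle=JSC::Heap::DoNotSweep) at ../../Source/JavaScriptCore/heap/Heap.cpp:780
"""

TRACE_SEGV = """\
Program received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0 0x00007ffff1ae8088 in JSC::IndexingHeader::vectorLength (this=0x7fff3c168040) at ../../Source/JavaScriptCore/runtime/IndexingHeader.h:57
#1 0x00007ffff1c4cf40 in JSC::ArrayStorage::vectorLength (this=0x7fff3c168048) at ../../Source/JavaScriptCore/runtime/ArrayStorage.h:61
#2 0x00007ffff1e72c61 in JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage (this=0x7fff9404b170, exec=0x7fff77c000a8, i=100000, value=..., attributes=0, mode=JSC::PutDirectIndexLikePutDirect, storage=0x7fff3c168048) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2062
#14 0x00007fffffffc1a0 in ?? ()
#15 0x00007fff9406b910 in ?? ()
"""


def parse_frame(line: str) -> Optional[Dict[str, object]]:
    """Return a frame dict for one '#N ...' line, or None for non-frame lines."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    return {
        "idx": int(m.group("idx")),
        "addr": m.group("addr"),
        "func": m.group("func"),
        "args": m.group("args"),
        "file": m.group("file"),
        "line": int(m.group("line")) if m.group("line") else None,
    }


def parse_backtrace(text: str) -> List[Dict[str, object]]:
    """Parse every frame line in a gdb session dump; other lines are ignored."""
    return [f for f in (parse_frame(l) for l in text.splitlines()) if f is not None]


def meaningful_frames(frames: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Drop frames gdb could not symbolize ('??') and crash-reporting helpers."""
    return [f for f in frames if f["func"] != "??" and f["func"] not in CRASH_HELPERS]


def crash_signature(frames: List[Dict[str, object]], depth: int = 3) -> str:
    """Join the top `depth` meaningful function names; equal signatures = likely duplicates."""
    return "|".join(str(f["func"]) for f in meaningful_frames(frames)[:depth])


def crashing_location(frames: List[Dict[str, object]]) -> Optional[str]:
    """First symbolized source location below the crash helpers, as FILE:LINE."""
    for f in meaningful_frames(frames):
        if f["file"]:
            return f"{f['file']}:{f['line']}"
    return None


if __name__ == "__main__":
    for name, text in (("assert", TRACE_ASSERT), ("segv", TRACE_SEGV)):
        frames = parse_backtrace(text)
        print(name, len(frames), "frames")
        print("  signature:", crash_signature(frames))
        print("  location: ", crashing_location(frames))
```

Bucketing on the top three meaningful frames rather than on the raw first frame is what separates the two traces in this report (a GC copy-phase assertion versus a read through an ArrayStorage pointer during structured-clone deserialization) while still grouping re-reports of either.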