WebKit Bugzilla
Bug 120591 - ASSERTION FAILED: to.isSet() in JSC::X86Assembler::linkJump
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=120591
Renata Hodovan
Reported 2013-09-01 23:47:47 PDT

Created attachment 210263 [details]
Test case

The failing test was checked on x86_64 linux (Ubuntu 13.04):

    function foo() {}
    function test() {
        var start = true;
        while (start++)
            if (+start.push)
                foo();
        return function() { return start; };
    }
    test();

The backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000088e079 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
    342         *(int *)(uintptr_t)0xbbadbeef = 0;
    (gdb) bt
    #0  0x000000000088e079 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
    #1  0x00000000005386a6 in JSC::X86Assembler::linkJump (this=0x7fffffffc360, from=..., to=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/assembler/X86Assembler.h:1886
    #2  0x00000000005cb01f in JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::linkTo (this=0x10d4618, label=..., masm=0x7fffffffc360) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:592
    #3  0x000000000064176c in JSC::DFG::SpeculativeJIT::linkBranches (this=0x10d4100) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:5370
    #4  0x00000000006315d2 in JSC::DFG::SpeculativeJIT::compile (this=0x10d4100) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1883
    #5  0x00000000005c63ac in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffc360) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:117
    #6  0x00000000005c7f6c in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffc360) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:382
    #7  0x0000000000618e05 in JSC::DFG::Plan::compileInThreadImpl (this=0x10d1e50, longLivedState=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:259
    #8  0x00000000006188a9 in JSC::DFG::Plan::compileInThread (this=0x10d1e50, longLivedState=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:114
    #9  0x00000000005a93e2 in JSC::DFG::compileImpl (exec=0x7fffb1fa20a0, codeBlock=0x10d0620, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=14, callback=..., worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:128
    #10 0x00000000005a9481 in JSC::DFG::compile (exec=0x7fffb1fa20a0, codeBlock=0x10d0620, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=14, passedCallback=..., worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:147
    #11 0x00000000006d6644 in JSC::cti_optimize (args=0x7fffffffcb30) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:1048
    #12 0x00000000006d377f in JSC::tryCacheGetByID (callFrame=0x10d17b0, codeBlock=0x7fffffffca50, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7ff900000000000e) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:280
    #13 0x00007fffb1fa2058 in ?? ()
    #14 0x7ff900000000000e in ?? ()
    #15 0x00000000010d2b00 in ?? ()
    #16 0x00000000006a67ad in JSC::JSStack::installTrapsAfterFrame (this=0x48f88949c1894d24, frame=0xc8948b04d8b4808) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
    Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Attachments
Test case (188 bytes, application/javascript), 2013-09-01 23:47 PDT, Renata Hodovan
Radar WebKit Bug Importer
Comment 1, 2013-09-04 08:50:37 PDT
<rdar://problem/14907540>
Geoffrey Garen
Comment 2, 2014-01-27 14:11:21 PST
I could not reproduce a crash as of r162850.