Bug 127043 - ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()) in JSC::jsCast
Summary: ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remov...
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
  Show dependency treegraph
 
Reported: 2014-01-15 04:32 PST by Renata Hodovan
Modified: 2016-08-03 13:38 PDT (History)
5 users (show)

See Also:

Attachments
Test case (171 bytes, application/javascript)
2014-01-15 04:32 PST, Renata Hodovan 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Renata Hodovan 2014-01-15 04:32:06 PST 
Created attachment 221259 [details]
Test case

The failing script:

function function_0 (var_0) {

	for ( ; ; Array(-1, -6).filter(function_0) )
		continue ;

	new Date(1) = {
		set prop_0(){
			switch ( var_0 ) {}
		}
	}

}

function_0();


The backtrace:

ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
/home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCell.h(187) : To JSC::jsCast(JSC::JSValue) [with To = JSC::JSActivation*]
1   0x7ffff74a3e44 WTFCrash
2   0x7ffff723314f JSC::JSActivation* JSC::jsCast<JSC::JSActivation*>(JSC::JSValue)
3   0x7ffff722d9fc
4   0x7ffff7232b32 JSC::UnwindFunctor::operator()(JSC::StackVisitor&)
5   0x7ffff723410c void JSC::StackVisitor::visit<JSC::UnwindFunctor>(JSC::ExecState*, JSC::UnwindFunctor&)
6   0x7ffff72333ab void JSC::ExecState::iterate<JSC::UnwindFunctor>(JSC::UnwindFunctor&)
7   0x7ffff722e406 JSC::Interpreter::unwind(JSC::ExecState*&, JSC::JSValue&)
8   0x7ffff724ecec JSC::genericUnwind(JSC::VM*, JSC::ExecState*, JSC::JSValue)
9   0x7ffff725da9d
10  0x7fffaa55912a

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff723314f in JSC::jsCast<JSC::JSActivation*> (from=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCell.h:187
#2  0x00007ffff722d9fc in JSC::unwindCallFrame (visitor=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:441
#3  0x00007ffff7232b32 in JSC::UnwindFunctor::operator() (this=0x7fffff9f3c90, visitor=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:645
#4  0x00007ffff723410c in JSC::StackVisitor::visit<JSC::UnwindFunctor> (startFrame=0x7fffa9bdf978, functor=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/StackVisitor.h:123
#5  0x00007ffff72333ab in JSC::ExecState::iterate<JSC::UnwindFunctor> (this=0x7fffa9bdf978, functor=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/CallFrame.h:309
#6  0x00007ffff722e406 in JSC::Interpreter::unwind (this=0x659170, callFrame=@0x7fffff9f3d70: 0x7fffa9bdf978, exceptionValue=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:709
#7  0x00007ffff724ecec in JSC::genericUnwind (vm=0x6472c0, callFrame=0x7fffa9bdf978, exceptionValue=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITExceptions.cpp:47
#8  0x00007ffff725da9d in JSC::operationVMHandleException (exec=0x7fffa9bdf978)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:1750
#9  0x00007fffaa55912a in ?? ()
#10 0x00007fffaa55a920 in ?? ()
#11 0x0000000000651628 in ?? ()
#12 0xffff000000000002 in ?? ()
#13 0xffff000000000000 in ?? ()
#14 0x00007fffffffdd70 in ?? ()
#15 0x00007fffa9bdf9f0 in ?? ()
#16 0x00007fffff9f3e80 in ?? ()
#17 0x00007ffff724ca38 in JSC::JITCode::execute (this=0x7fff00000002, vm=0x7fffa983d830, protoCallFrame=0x7fffa98af970, topOfStack=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:48
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Comment 1 Brent Fulgham 2016-08-03 13:38:29 PDT 
This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.