Bug 127677 - Segfault in JSC::JITCode::execute
Status: RESOLVED WORKSFORME
https://bugs.webkit.org/show_bug.cgi?id=127677
Martin Hodovan
Reported 2014-01-27 01:59:33 PST
Created attachment 222311: Test case

The failing test (the test was run on x86_64, Ubuntu 13.04):

function function_0 () {
    // some() invokes function_0 as its callback, so the call recurses without bound
    if (!new Array(0, -1).some(function_0))
        [ { y : 0 } ], x;
}
function_0();

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffaa57b0b0 in ?? ()
(gdb) bt
#0  0x00007fffaa57b0b0 in ?? ()
#1  0x00007fffea579100 in ?? ()
#2  0x0000000000651670 in ?? ()
#3  0xffff000000000002 in ?? ()
#4  0xffff000000000000 in ?? ()
#5  0x00007fffffffde70 in ?? ()
#6  0x00007fffa9d4c0f0 in ?? ()
#7  0x00007ffffff57790 in ?? ()
#8  0x00007ffff7248acc in JSC::JITCode::execute (this=0xa, vm=0xffff0000ffffffff, protoCallFrame=0xffff000000000000, topOfStack=0xa) at /home/martin/Data/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:48
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Attachments
Test case (115 bytes, application/javascript), 2014-01-27 01:59 PST, Martin Hodovan, no flags
JSC dump (472.17 KB, text/x-log), 2014-01-27 02:29 PST, Martin Hodovan, no flags
Martin Hodovan
Comment 1 2014-01-27 02:29:00 PST
Created attachment 222314: JSC dump
Alexey Proskuryakov
Comment 2 2014-01-27 09:16:46 PST
I cannot reproduce this with ToT on Mac.
Martin Hodovan
Comment 3 2014-01-28 02:29:15 PST
I've double-checked the test again on revision 162921 and the issue still seems valid to me.
Zan Dobersek
Comment 4 2014-01-28 03:57:07 PST
I can reproduce it on GTK WK1 and WK2.
Csaba Osztrogonác
Comment 5 2014-02-13 03:32:49 PST
Isn't it related to the cstack merge?
Brent Fulgham
Comment 6 2016-08-03 14:00:26 PDT
This does not occur on Mac under r204037. I doubt this is happening on other platforms either, since the fix was in JSC.