WebKit Bugzilla
Bug 146632 (RESOLVED FIXED): ASSERTION FAILED: arguments.isObject() in JSC::sizeOfVarargs
https://bugs.webkit.org/show_bug.cgi?id=146632
Renata Hodovan, Reported 2015-07-06 03:33:53 PDT

Created attachment 256204 [details]
Test case

Load this test with debug jsc:

Array.from.apply(encodeURI,Symbol(17725));

Note: the failure was experienced with an EFL jsc build but it does not seem like a port-specific issue.

Backtrace:

ASSERTION FAILED: arguments.isObject()
../../Source/JavaScriptCore/interpreter/Interpreter.cpp(203) : unsigned int JSC::sizeOfVarargs(JSC::CallFrame*, JSC::JSValue, uint32_t)
1   0x7ffff72d46db WTFCrash
2   0x7ffff6f4b6b7 JSC::sizeOfVarargs(JSC::ExecState*, JSC::JSValue, unsigned int)
3   0x7ffff6f4b7a5 JSC::sizeFrameForVarargs(JSC::ExecState*, JSC::JSStack*, JSC::JSValue, unsigned int, unsigned int)
4   0x7ffff7275378
5   0x7ffff727ea46
[New Thread 0x7fffaaffd700 (LWP 13153)]
[New Thread 0x7fffab7fe700 (LWP 13152)]
[New Thread 0x7fffabfff700 (LWP 13151)]
[New Thread 0x7fffb0ffd700 (LWP 13150)]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff6f4b6b7 in JSC::sizeOfVarargs (callFrame=0x7fffffffcac0, arguments=..., firstVarArgOffset=0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:203
#2  0x00007ffff6f4b7a5 in JSC::sizeFrameForVarargs (callFrame=0x7fffffffcac0, stack=0x7ffff17f6018, arguments=..., numUsedStackSlots=9, firstVarArgOffset=0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:221
#3  0x00007ffff7275378 in JSC::LLInt::llint_slow_path_size_frame_for_varargs (exec=0x7fffffffcac0, pc=0x7ffff1017dc8) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1202
#4  0x00007ffff727ea46 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#5  0x00007ffff7278cc6 in vmEntryToJavaScript () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
#6  0x00007ffff6f75702 in JSC::JITCode::execute (this=0x7ffff17e3e70, vm=0x7ffff1004000, protoCallFrame=0x7fffffffccb0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:77
#7  0x00007ffff6f4e1e4 in JSC::Interpreter::execute (this=0x7ffff17f6000, program=0x7ffff1046000, callFrame=0x7ffff102b840, thisObj=0x7ffff107acc0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:901
#8  0x00007ffff7103f48 in JSC::evaluate (exec=0x7ffff102b840, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:82
#9  0x0000000000428d38 in runWithScripts (globalObject=0x7ffff102b800, scripts=..., dump=false) at ../../Source/JavaScriptCore/jsc.cpp:1315
#10 0x0000000000429c41 in jscmain (argc=2, argv=0x7fffffffd8f8) at ../../Source/JavaScriptCore/jsc.cpp:1533
#11 0x0000000000428b0a in main (argc=2, argv=0x7fffffffd8f8) at ../../Source/JavaScriptCore/jsc.cpp:1273
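A regression probe for this crash, added here as an editorial example; it is not part of the report and not WebKit's own test. It assumes only what the ECMAScript specification says about Function.prototype.apply: an undefined or null argument list is treated as empty, and any other non-object argument list must raise a TypeError (CreateListFromArrayLike refuses non-objects). The reporter's expression therefore has to throw a TypeError before the engine ever sizes a varargs frame, and a debug build that instead hits the assertion in JSC::sizeOfVarargs fails the probe. The case table and the countArgs target are constructed for this example.

```javascript
// Call f.apply(thisArg, argArray) and report how the call ended.
function probeApply(f, thisArg, argArray) {
  try {
    return { outcome: "ok", value: f.apply(thisArg, argArray) };
  } catch (e) {
    return { outcome: e instanceof TypeError ? "TypeError" : "other", value: e && e.name };
  }
}

// Target that accepts any argument list, so a TypeError can only come from
// apply's own handling of argArray, never from the callee.
function countArgs() {
  return arguments.length;
}

// Constructed cases; the expected outcomes come from the spec, not from a
// particular engine. The first one is the value the reporter used.
const APPLY_CASES = [
  { label: "symbol (as in the test case)", args: Symbol(17725), expect: "TypeError" },
  { label: "number", args: 42, expect: "TypeError" },
  { label: "string primitive", args: "abc", expect: "TypeError" },
  { label: "boolean", args: true, expect: "TypeError" },
  { label: "undefined", args: undefined, expect: "ok" },
  { label: "null", args: null, expect: "ok" },
  { label: "array", args: [1, 2, 3], expect: "ok" },
  { label: "array-like object", args: { length: 2, 0: "x", 1: "y" }, expect: "ok" },
];

// Run every case plus the exact expression from the report. Returns the
// list of deviations from the spec; an empty list means the engine rejects
// non-object argument lists cleanly instead of asserting or crashing.
function runApplyProbe() {
  const failures = [];
  for (const c of APPLY_CASES) {
    const r = probeApply(countArgs, null, c.args);
    if (r.outcome !== c.expect) failures.push(`${c.label}: got ${r.outcome} (${r.value})`);
  }
  // Array.from never runs here: apply must reject the Symbol first.
  const original = probeApply(Array.from, encodeURI, Symbol(17725));
  if (original.outcome !== "TypeError") failures.push(`original test case: got ${original.outcome}`);
  return failures;
}

if (typeof require !== "undefined" && require.main === module) {
  const failures = runApplyProbe();
  console.log(failures.length === 0 ? "all apply() cases behave per spec" : failures.join("\n"));
}
```

Run it under any engine (node, or a jsc shell); with a debug JavaScriptCore build of the vintage in the report the process dies on the assertion before the list is printed, which is exactly the behaviour the probe is meant to catch.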
Attachments
Test case (42 bytes, application/javascript), 2015-07-06 03:33 PDT, Renata Hodovan, no flags
Brent Fulgham, Comment 1, 2016-08-04 17:14:18 PDT

This does not reproduce under r204037, due to changes in the JavaScript implementation. If you believe there is still a problem, please reopen this bug with a revised test case.