Bug 146635 - ASSERTION FAILED: exec->vm().typeProfiler() in functionReturnTypeFor
Summary: ASSERTION FAILED: exec->vm().typeProfiler() in functionReturnTypeFor
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
  Show dependency treegraph
 
Reported: 2015-07-06 04:01 PDT by Renata Hodovan
Modified: 2015-07-06 18:17 PDT (History)
2 users (show)

See Also:

Attachments
Test case (25 bytes, application/javascript)
2015-07-06 04:01 PDT, Renata Hodovan 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Renata Hodovan 2015-07-06 04:01:58 PDT 
Created attachment 256208 [details]
Test case

Load this test with debug or release jsc:

returnTypeFor(arguments);


Backtrace:

ASSERTION FAILED: exec->vm().typeProfiler()
../../Source/JavaScriptCore/jsc.cpp(1142) : JSC::EncodedJSValue functionReturnTypeFor(JSC::ExecState*)
1   0x7ffff72d46db WTFCrash
2   0x428539
3   0x7fffb0fff0a8
[New Thread 0x7fffaf7fa700 (LWP 12117)]
[New Thread 0x7fffafffb700 (LWP 12116)]
[New Thread 0x7fffb07fc700 (LWP 12114)]
[New Thread 0x7fffb0ffd700 (LWP 12113)]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321     *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff72d46e0 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x0000000000428539 in functionReturnTypeFor (exec=0x7fffffffca70) at ../../Source/JavaScriptCore/jsc.cpp:1142
#2  0x00007fffb0fff0a8 in ?? ()
#3  0x00007fffffffcac0 in ?? ()
#4  0x00007ffff727e8e9 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
Backtrace stopped: frame did not save the PC
Comment 1 Saam Barati 2015-07-06 18:17:22 PDT 
Did you run this with:
JSC_enableTypeProfiler=1
?
Also, I think this function also will assert if it's argument
is not a function. This is the intention. This function
is used in JSC's stress tests.