webkitgtk4-2.16.3-1.fc26.x86_64 and webkitgtk4-2.16.4-1.fc26.x86_64

Running:

  /usr/libexec/webkit2gtk-4.0/MiniBrowser 'http://www.omgubuntu.co.uk/2017/06/dash-to-dock-unity-features-coming?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+d0od+(OMG!+Ubuntu!)'

makes the WebKitProcess crash when the page finishes loading. Same problem in epiphany.
#0  0x00007f6fd57bf467 in JSC::JSValue::isString() const (this=0x7fffdd3ad4a8) at /usr/src/debug/webkitgtk-2.16.4/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:576
#1  0x00007f6fd57bf467 in JSC::JSValue::toStringOrNull(JSC::ExecState*) const (exec=0x7fffdd3ad700, this=0x7fffdd3ad4a8) at /usr/src/debug/webkitgtk-2.16.4/Source/JavaScriptCore/runtime/JSString.h:773
#2  0x00007f6fd57bf467 in JSC::toStringView<JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)::<lambda(WTF::StringView)> > (callback=..., value=..., exec=0x7fffdd3ad700) at /usr/src/debug/webkitgtk-2.16.4/Source/JavaScriptCore/runtime/ParseInt.h:219
#3  0x00007f6fd57bf467 in JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t) (exec=0x7fffdd3ad700, value=0, radix=10) at /usr/src/debug/webkitgtk-2.16.4/Source/JavaScriptCore/dfg/DFGOperations.cpp:904
576	    return isCell() && asCell()->isString();
I can't reproduce it with trunk
I can reproduce with 2.16.3. I'll try to get a better backtrace.
Tagging [Stable] since Carlos reports it doesn't reproduce in trunk. Additional reproducers with 2.16.3 (note Bastien says above he's tested 2.16.4):

http://www.akitaonrails.com/2017/01/10/arch-linux-best-distro-ever
http://www.omgubuntu.co.uk/2017/06/quickly-change-folder-color-ubuntu

Unfortunately, since it's JSC, it looks like that's pretty much all there is to the stacktrace:

(gdb) bt full
#0  0x00007f87000f4db6 in JSC::JSValue::isString() const (this=0x7ffce7397080) at /usr/src/debug/webkitgtk-2.16.3/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:576
        returnEmptyStringOnError = <optimized out>
        viewWithString = <optimized out>
#1  0x00007f87000f4db6 in JSC::JSValue::toStringOrNull(JSC::ExecState*) const (exec=0x7ffce73972e0, this=0x7ffce7397080) at /usr/src/debug/webkitgtk-2.16.3/Source/JavaScriptCore/runtime/JSString.h:773
        returnEmptyStringOnError = <optimized out>
        viewWithString = <optimized out>
#2  0x00007f87000f4db6 in JSC::toStringView<JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)::<lambda(WTF::StringView)> > (callback=..., value=..., exec=0x7ffce73972e0) at /usr/src/debug/webkitgtk-2.16.3/Source/JavaScriptCore/runtime/ParseInt.h:219
        viewWithString = <optimized out>
#3  0x00007f87000f4db6 in JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t) (exec=0x7ffce73972e0, value=0, radix=10) at /usr/src/debug/webkitgtk-2.16.3/Source/JavaScriptCore/dfg/DFGOperations.cpp:904
#4  0x00007f86942e517f in  ()

But maybe some of this will be useful:

(gdb) info registers
rax            0xffff000000000002	-281474976710654
rbx            0x7ffce73972e0	140724187788000
rcx            0xa	10
rdx            0xa	10
rsi            0x0	0
rdi            0x7ffce73972e0	140724187788000
rbp            0xa	0xa
rsp            0x7ffce7397070	0x7ffce7397070
r8             0x34	52
r9             0x0	0
r10            0x179d708079f688	6647030981719688
r11            0x7f87000f4d50	140217798315344
r12            0x7f86934acca8	140215973498024
r13            0x7f86d8fe8008	140217142902792
r14            0x7f86d9600000	140217149292544
r15            0xffff000000000002	-281474976710654
rip            0x7f87000f4db6	0x7f87000f4db6 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+102>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

(gdb) disassemble
Dump of assembler code for function JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t):
   0x00007f87000f4d96 <+70>:	mov    0x18(%rdi),%rax
   0x00007f87000f4d9a <+74>:	and    $0xffffffffffffc000,%rax
   0x00007f87000f4da0 <+80>:	mov    0x98(%rax),%r14
   0x00007f87000f4da7 <+87>:	movabs $0xffff000000000002,%rax
   0x00007f87000f4db1 <+97>:	test   %rax,%rsi
   0x00007f87000f4db4 <+100>:	jne    0x7f87000f4dc0 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+112>
=> 0x00007f87000f4db6 <+102>:	cmpb   $0x6,0x5(%rsi)
   0x00007f87000f4dba <+106>:	je     0x7f87000f5250 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1280>
   0x00007f87000f4dc0 <+112>:	lea    0x10(%rsp),%rdi
   0x00007f87000f4dc5 <+117>:	xor    %edx,%edx
   0x00007f87000f4dc7 <+119>:	mov    %rbx,%rsi
   0x00007f87000f4dca <+122>:	callq  0x7f86ffc41b20 <_ZNK3JSC7JSValue16toStringSlowCaseEPNS_9ExecStateEb@plt>
   0x00007f87000f4dcf <+127>:	test   %rax,%rax
   0x00007f87000f4dd2 <+130>:	mov    %rax,%r13
   0x00007f87000f4dd5 <+133>:	je     0x7f87000f5430 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1760>
   0x00007f87000f4ddb <+139>:	mov    0x10(%r13),%r12
   0x00007f87000f4ddf <+143>:	test   %r12,%r12
   0x00007f87000f4de2 <+146>:	jne    0x7f87000f4e07 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+183>
   0x00007f87000f4de4 <+148>:	cmpq   $0x1,0x18(%r13)
   0x00007f87000f4de9 <+153>:	je     0x7f87000f5210 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1216>
   0x00007f87000f4def <+159>:	mov    %rbx,%rsi
   0x00007f87000f4df2 <+162>:	mov    %r13,%rdi
   0x00007f87000f4df5 <+165>:	callq  0x7f86ffc30820 <_ZNK3JSC12JSRopeString11resolveRopeEPNS_9ExecStateE@plt>
   0x00007f87000f4dfa <+170>:	mov    0x10(%r13),%r12
0x00007f87000f4dfe <+174>: test %r12,%r12 0x00007f87000f4e01 <+177>: je 0x7f87000f4ee0 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+400> 0x00007f87000f4e07 <+183>: testb $0x8,0x10(%r12) 0x00007f87000f4e0d <+189>: mov 0x8(%r12),%rcx 0x00007f87000f4e12 <+194>: mov $0x1,%eax 0x00007f87000f4e17 <+199>: mov 0x4(%r12),%ebx 0x00007f87000f4e1c <+204>: jne 0x7f87000f4e20 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+208> 0x00007f87000f4e1e <+206>: xor %eax,%eax 0x00007f87000f4e20 <+208>: addl $0x2,(%r12) 0x00007f87000f4e25 <+213>: mov %rcx,%r13 0x00007f87000f4e28 <+216>: cmpq $0x0,0x81b0(%r14) 0x00007f87000f4e30 <+224>: jne 0x7f87000f54d6 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1926> 0x00007f87000f4e36 <+230>: test %al,%al 0x00007f87000f4e38 <+232>: jne 0x7f87000f4f00 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+432> 0x00007f87000f4e3e <+238>: test %ebx,%ebx 0x00007f87000f4e40 <+240>: mov %r13,0x20(%rsp) 0x00007f87000f4e45 <+245>: mov %ebx,0x28(%rsp) 0x00007f87000f4e49 <+249>: movb $0x0,0x2c(%rsp) 0x00007f87000f4e4e <+254>: mov %ebx,(%rsp) 0x00007f87000f4e51 <+257>: jle 0x7f87000f5200 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1200> 0x00007f87000f4e57 <+263>: mov %r13,%r15 0x00007f87000f4e5a <+266>: xor %r14d,%r14d 0x00007f87000f4e5d <+269>: nopl (%rax) 0x00007f87000f4e60 <+272>: movzwl (%r15),%edi 0x00007f87000f4e64 <+276>: cmp $0xa0,%di 0x00007f87000f4e69 <+281>: je 0x7f87000f4f85 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+565> 0x00007f87000f4e6f <+287>: jbe 0x7f87000f51b0 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1120> 0x00007f87000f4e75 <+293>: cmp $0x2029,%di 0x00007f87000f4e7a <+298>: ja 0x7f87000f51d8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1160> 
0x00007f87000f4e80 <+304>: cmp $0x2028,%di 0x00007f87000f4e85 <+309>: jae 0x7f87000f4f85 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+565> 0x00007f87000f4e8b <+315>: cmp $0x180e,%di 0x00007f87000f4e90 <+320>: je 0x7f87000f4f85 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+565> 0x00007f87000f4e96 <+326>: cmp $0xff,%edi 0x00007f87000f4e9c <+332>: jg 0x7f87000f4f78 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+552> 0x00007f87000f4ea2 <+338>: cmp %r14d,%ebx 0x00007f87000f4ea5 <+341>: jle 0x7f87000f4f99 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+585> 0x00007f87000f4eab <+347>: movzwl (%r15),%eax 0x00007f87000f4eaf <+351>: cmp $0x2b,%ax 0x00007f87000f4eb3 <+355>: je 0x7f87000f5260 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1296> 0x00007f87000f4eb9 <+361>: cmp $0x2d,%ax 0x00007f87000f4ebd <+365>: movsd 0x6b3f6b(%rip),%xmm2 # 0x7f87007a8e30 0x00007f87000f4ec5 <+373>: jne 0x7f87000f4fa1 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+593> 0x00007f87000f4ecb <+379>: add $0x1,%r14d 0x00007f87000f4ecf <+383>: movsd 0x6b4039(%rip),%xmm2 # 0x7f87007a8f10 0x00007f87000f4ed7 <+391>: jmpq 0x7f87000f4fa1 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+593> 0x00007f87000f4edc <+396>: nopl 0x0(%rax) 0x00007f87000f4ee0 <+400>: xor %ebx,%ebx 0x00007f87000f4ee2 <+402>: xor %r13d,%r13d 0x00007f87000f4ee5 <+405>: cmpq $0x0,0x81b0(%r14) 0x00007f87000f4eed <+413>: jne 0x7f87000f5430 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1760> 0x00007f87000f4ef3 <+419>: xor %r12d,%r12d 0x00007f87000f4ef6 <+422>: mov $0x1,%eax 0x00007f87000f4efb <+427>: nopl 0x0(%rax,%rax,1) 0x00007f87000f4f00 <+432>: test %ebx,%ebx 0x00007f87000f4f02 <+434>: mov %r13,0x30(%rsp) 0x00007f87000f4f07 <+439>: mov %ebx,0x38(%rsp) 
0x00007f87000f4f0b <+443>: mov %al,0x3c(%rsp) 0x00007f87000f4f0f <+447>: jle 0x7f87000f51f0 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1184> 0x00007f87000f4f15 <+453>: mov %r13,%rax 0x00007f87000f4f18 <+456>: xor %esi,%esi 0x00007f87000f4f1a <+458>: nopw 0x0(%rax,%rax,1) 0x00007f87000f4f20 <+464>: movzbl (%rax),%ecx 0x00007f87000f4f23 <+467>: cmp $0x20,%cl 0x00007f87000f4f26 <+470>: je 0x7f87000f50c1 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+881> 0x00007f87000f4f2c <+476>: ja 0x7f87000f50b8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+872> 0x00007f87000f4f32 <+482>: lea -0x9(%rcx),%edi 0x00007f87000f4f35 <+485>: cmp $0x4,%dil 0x00007f87000f4f39 <+489>: jbe 0x7f87000f50c1 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+881> 0x00007f87000f4f3f <+495>: cmp %esi,%ebx 0x00007f87000f4f41 <+497>: jle 0x7f87000f50d0 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+896> 0x00007f87000f4f47 <+503>: cmp $0x2b,%cl 0x00007f87000f4f4a <+506>: je 0x7f87000f5278 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1320> 0x00007f87000f4f50 <+512>: cmp $0x2d,%cl 0x00007f87000f4f53 <+515>: movsd 0x6b3ed5(%rip),%xmm2 # 0x7f87007a8e30 0x00007f87000f4f5b <+523>: jne 0x7f87000f50d8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+904> 0x00007f87000f4f61 <+529>: add $0x1,%esi 0x00007f87000f4f64 <+532>: movsd 0x6b3fa4(%rip),%xmm2 # 0x7f87007a8f10 0x00007f87000f4f6c <+540>: jmpq 0x7f87000f50d8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+904> 0x00007f87000f4f71 <+545>: nopl 0x0(%rax) 0x00007f87000f4f78 <+552>: callq 0x7f86ffc41b40 <u_charType_57@plt> 0x00007f87000f4f7d <+557>: cmp $0xc,%al 0x00007f87000f4f7f <+559>: jne 0x7f87000f4ea2 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, 
int32_t)+338> 0x00007f87000f4f85 <+565>: add $0x1,%r14d 0x00007f87000f4f89 <+569>: add $0x2,%r15 0x00007f87000f4f8d <+573>: cmp %r14d,%ebx 0x00007f87000f4f90 <+576>: jne 0x7f87000f4e60 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+272> 0x00007f87000f4f96 <+582>: mov %ebx,%r14d 0x00007f87000f4f99 <+585>: movsd 0x6b3e8f(%rip),%xmm2 # 0x7f87007a8e30 0x00007f87000f4fa1 <+593>: test $0xffffffef,%ebp 0x00007f87000f4fa7 <+599>: jne 0x7f87000f53f8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1704> 0x00007f87000f4fad <+605>: mov %ebx,%eax 0x00007f87000f4faf <+607>: sub %r14d,%eax 0x00007f87000f4fb2 <+610>: cmp $0x1,%eax 0x00007f87000f4fb5 <+613>: jle 0x7f87000f4fcb <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+635> 0x00007f87000f4fb7 <+615>: movslq %r14d,%rax 0x00007f87000f4fba <+618>: cmpw $0x30,0x0(%r13,%rax,2) 0x00007f87000f4fc1 <+625>: lea (%rax,%rax,1),%rcx 0x00007f87000f4fc5 <+629>: je 0x7f87000f5490 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1856> 0x00007f87000f4fcb <+635>: test %ebp,%ebp 0x00007f87000f4fcd <+637>: jne 0x7f87000f53f8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1704> 0x00007f87000f4fd3 <+643>: mov $0xa,%ebp 0x00007f87000f4fd8 <+648>: cmp %r14d,%ebx 0x00007f87000f4fdb <+651>: jle 0x7f87000f53b4 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1636> 0x00007f87000f4fe1 <+657>: movslq %r14d,%rax 0x00007f87000f4fe4 <+660>: xor %r8d,%r8d 0x00007f87000f4fe7 <+663>: mov %r14d,%esi 0x00007f87000f4fea <+666>: lea 0x0(%r13,%rax,2),%rcx 0x00007f87000f4fef <+671>: pxor %xmm0,%xmm0 0x00007f87000f4ff3 <+675>: movzwl (%rcx),%eax 0x00007f87000f4ff6 <+678>: lea -0x30(%rax),%edi 0x00007f87000f4ff9 <+681>: mov %eax,%edx 0x00007f87000f4ffb <+683>: cmp $0x9,%di 0x00007f87000f4fff <+687>: ja 0x7f87000f5390 
<JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1600> 0x00007f87000f5005 <+693>: nopl (%rax) 0x00007f87000f5008 <+696>: sub $0x30,%eax 0x00007f87000f500b <+699>: cmp %ebp,%eax 0x00007f87000f500d <+701>: jl 0x7f87000f5348 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1528> 0x00007f87000f5013 <+707>: test %r8b,%r8b 0x00007f87000f5016 <+710>: je 0x7f87000f53b4 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1636> 0x00007f87000f501c <+716>: mov %esi,(%rsp) 0x00007f87000f501f <+719>: ucomisd 0x6b3ef1(%rip),%xmm0 # 0x7f87007a8f18 0x00007f87000f5027 <+727>: jb 0x7f87000f5040 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+752> 0x00007f87000f5029 <+729>: cmp $0xa,%ebp 0x00007f87000f502c <+732>: je 0x7f87000f54dd <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1933> 0x00007f87000f5032 <+738>: cmp $0x20,%ebp 0x00007f87000f5035 <+741>: jle 0x7f87000f5290 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1344> 0x00007f87000f503b <+747>: nopl 0x0(%rax,%rax,1) 0x00007f87000f5040 <+752>: mulsd %xmm2,%xmm0 0x00007f87000f5044 <+756>: pxor %xmm1,%xmm1 0x00007f87000f5048 <+760>: cvttsd2si %xmm0,%eax 0x00007f87000f504c <+764>: cvtsi2sd %eax,%xmm1 0x00007f87000f5050 <+768>: ucomisd %xmm1,%xmm0 0x00007f87000f5054 <+772>: jp 0x7f87000f5440 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1776> 0x00007f87000f505a <+778>: mov %eax,%eax 0x00007f87000f505c <+780>: movabs $0xffff000000000000,%rdx 0x00007f87000f5066 <+790>: or %rdx,%rax 0x00007f87000f5069 <+793>: ucomisd %xmm1,%xmm0 0x00007f87000f506d <+797>: jne 0x7f87000f5440 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1776> 0x00007f87000f5073 <+803>: test %r12,%r12 0x00007f87000f5076 <+806>: je 0x7f87000f5089 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, 
JSC::EncodedJSValue, int32_t)+825> 0x00007f87000f5078 <+808>: mov (%r12),%edx 0x00007f87000f507c <+812>: sub $0x2,%edx 0x00007f87000f507f <+815>: je 0x7f87000f5418 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1736> 0x00007f87000f5085 <+821>: mov %edx,(%r12) 0x00007f87000f5089 <+825>: mov 0x88(%rsp),%rsi 0x00007f87000f5091 <+833>: xor %fs:0x28,%rsi 0x00007f87000f509a <+842>: jne 0x7f87000f5676 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+2342> 0x00007f87000f50a0 <+848>: add $0x98,%rsp 0x00007f87000f50a7 <+855>: pop %rbx 0x00007f87000f50a8 <+856>: pop %rbp 0x00007f87000f50a9 <+857>: pop %r12 0x00007f87000f50ab <+859>: pop %r13 0x00007f87000f50ad <+861>: pop %r14 0x00007f87000f50af <+863>: pop %r15 0x00007f87000f50b1 <+865>: retq 0x00007f87000f50b2 <+866>: nopw 0x0(%rax,%rax,1) 0x00007f87000f50b8 <+872>: cmp $0xa0,%cl 0x00007f87000f50bb <+875>: jne 0x7f87000f4f3f <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+495> 0x00007f87000f50c1 <+881>: add $0x1,%esi 0x00007f87000f50c4 <+884>: add $0x1,%rax 0x00007f87000f50c8 <+888>: cmp %esi,%ebx 0x00007f87000f50ca <+890>: jne 0x7f87000f4f20 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+464> 0x00007f87000f50d0 <+896>: movsd 0x6b3d58(%rip),%xmm2 # 0x7f87007a8e30 0x00007f87000f50d8 <+904>: test $0xffffffef,%ebp 0x00007f87000f50de <+910>: jne 0x7f87000f53a8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1624> 0x00007f87000f50e4 <+916>: mov %ebx,%eax 0x00007f87000f50e6 <+918>: sub %esi,%eax 0x00007f87000f50e8 <+920>: cmp $0x1,%eax 0x00007f87000f50eb <+923>: jle 0x7f87000f50fc <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+940> 0x00007f87000f50ed <+925>: movslq %esi,%rax 0x00007f87000f50f0 <+928>: cmpb $0x30,0x0(%r13,%rax,1) 0x00007f87000f50f6 <+934>: je 0x7f87000f54b8 
<JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1896> 0x00007f87000f50fc <+940>: test %ebp,%ebp 0x00007f87000f50fe <+942>: jne 0x7f87000f53a8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1624> 0x00007f87000f5104 <+948>: mov $0xa,%ebp 0x00007f87000f5109 <+953>: cmp %esi,%ebx 0x00007f87000f510b <+955>: jle 0x7f87000f53b4 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1636> 0x00007f87000f5111 <+961>: movslq %esi,%rcx 0x00007f87000f5114 <+964>: xor %r9d,%r9d 0x00007f87000f5117 <+967>: mov %esi,%edx 0x00007f87000f5119 <+969>: add %r13,%rcx 0x00007f87000f511c <+972>: pxor %xmm0,%xmm0 0x00007f87000f5120 <+976>: movzbl (%rcx),%eax 0x00007f87000f5123 <+979>: lea -0x30(%rax),%r8d 0x00007f87000f5127 <+983>: mov %eax,%edi 0x00007f87000f5129 <+985>: cmp $0x9,%r8w 0x00007f87000f512e <+990>: ja 0x7f87000f532a <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1498> 0x00007f87000f5134 <+996>: nopl 0x0(%rax) 0x00007f87000f5138 <+1000>: sub $0x30,%eax 0x00007f87000f513b <+1003>: cmp %ebp,%eax 0x00007f87000f513d <+1005>: jl 0x7f87000f52e0 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1424> 0x00007f87000f5143 <+1011>: test %r9b,%r9b 0x00007f87000f5146 <+1014>: je 0x7f87000f53b4 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1636> 0x00007f87000f514c <+1020>: ucomisd 0x6b3dc4(%rip),%xmm0 # 0x7f87007a8f18 0x00007f87000f5154 <+1028>: jb 0x7f87000f5040 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+752> 0x00007f87000f515a <+1034>: cmp $0xa,%ebp 0x00007f87000f515d <+1037>: je 0x7f87000f5567 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+2071> 0x00007f87000f5163 <+1043>: cmp $0x20,%ebp 0x00007f87000f5166 <+1046>: jg 0x7f87000f5040 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, 
int32_t)+752> 0x00007f87000f516c <+1052>: movabs $0x100010114,%rax 0x00007f87000f5176 <+1062>: bt %rbp,%rax 0x00007f87000f517a <+1066>: jae 0x7f87000f5040 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+752> 0x00007f87000f5180 <+1072>: lea 0x30(%rsp),%rdi 0x00007f87000f5185 <+1077>: sub %esi,%edx 0x00007f87000f5187 <+1079>: movsd %xmm2,(%rsp) 0x00007f87000f518c <+1084>: callq 0x7f86ffc41b50 <_ZNK3WTF10StringView9substringEjj@plt> 0x00007f87000f5191 <+1089>: mov %ebp,%ecx 0x00007f87000f5193 <+1091>: mov %rdx,%rsi 0x00007f87000f5196 <+1094>: mov %rax,%rdi 0x00007f87000f5199 <+1097>: shr $0x20,%rdx 0x00007f87000f519d <+1101>: callq 0x7f87000eb6e0 <JSC::parseIntOverflow(int)> 0x00007f87000f51a2 <+1106>: movsd (%rsp),%xmm2 0x00007f87000f51a7 <+1111>: jmpq 0x7f87000f5040 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+752> 0x00007f87000f51ac <+1116>: nopl 0x0(%rax) 0x00007f87000f51b0 <+1120>: cmp $0x9,%di 0x00007f87000f51b4 <+1124>: jb 0x7f87000f4e96 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+326> 0x00007f87000f51ba <+1130>: cmp $0xd,%di 0x00007f87000f51be <+1134>: jbe 0x7f87000f4f85 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+565> 0x00007f87000f51c4 <+1140>: cmp $0x20,%di 0x00007f87000f51c8 <+1144>: jne 0x7f87000f4e96 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+326> 0x00007f87000f51ce <+1150>: jmpq 0x7f87000f4f85 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+565> 0x00007f87000f51d3 <+1155>: nopl 0x0(%rax,%rax,1) 0x00007f87000f51d8 <+1160>: cmp $0xfeff,%di 0x00007f87000f51dd <+1165>: jne 0x7f87000f4e96 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+326> 0x00007f87000f51e3 <+1171>: jmpq 0x7f87000f4f85 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+565> 0x00007f87000f51e8 <+1176>: 
nopl 0x0(%rax,%rax,1) 0x00007f87000f51f0 <+1184>: xor %esi,%esi 0x00007f87000f51f2 <+1186>: jmpq 0x7f87000f50d0 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+896> 0x00007f87000f51f7 <+1191>: nopw 0x0(%rax,%rax,1) 0x00007f87000f5200 <+1200>: xor %r14d,%r14d 0x00007f87000f5203 <+1203>: jmpq 0x7f87000f4f99 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+585> 0x00007f87000f5208 <+1208>: nopl 0x0(%rax,%rax,1) 0x00007f87000f5210 <+1216>: testb $0x1,0x8(%r13) 0x00007f87000f5215 <+1221>: mov 0x20(%r13),%rax 0x00007f87000f5219 <+1225>: mov 0x10(%rax),%r12 0x00007f87000f521d <+1229>: je 0x7f87000f5460 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1808> 0x00007f87000f5223 <+1235>: test %r12,%r12 0x00007f87000f5226 <+1238>: je 0x7f87000f5647 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+2295> 0x00007f87000f522c <+1244>: mov 0x28(%r13),%rcx 0x00007f87000f5230 <+1248>: add 0x8(%r12),%rcx 0x00007f87000f5235 <+1253>: mov $0x1,%eax 0x00007f87000f523a <+1258>: mov 0xc(%r13),%ebx 0x00007f87000f523e <+1262>: addl $0x2,(%r12) 0x00007f87000f5243 <+1267>: mov %rcx,%r13 0x00007f87000f5246 <+1270>: jmpq 0x7f87000f4e28 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+216> 0x00007f87000f524b <+1275>: nopl 0x0(%rax,%rax,1) 0x00007f87000f5250 <+1280>: mov %rsi,%r13 0x00007f87000f5253 <+1283>: jmpq 0x7f87000f4ddb <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+139> 0x00007f87000f5258 <+1288>: nopl 0x0(%rax,%rax,1) 0x00007f87000f5260 <+1296>: add $0x1,%r14d 0x00007f87000f5264 <+1300>: movsd 0x6b3bc4(%rip),%xmm2 # 0x7f87007a8e30 0x00007f87000f526c <+1308>: jmpq 0x7f87000f4fa1 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+593> 0x00007f87000f5271 <+1313>: nopl 0x0(%rax) 0x00007f87000f5278 <+1320>: add $0x1,%esi 0x00007f87000f527b <+1323>: movsd 
0x6b3bad(%rip),%xmm2 # 0x7f87007a8e30 0x00007f87000f5283 <+1331>: jmpq 0x7f87000f50d8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+904> 0x00007f87000f5288 <+1336>: nopl 0x0(%rax,%rax,1) 0x00007f87000f5290 <+1344>: movabs $0x100010114,%rax 0x00007f87000f529a <+1354>: bt %rbp,%rax 0x00007f87000f529e <+1358>: jae 0x7f87000f5040 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+752> 0x00007f87000f52a4 <+1364>: mov (%rsp),%edx 0x00007f87000f52a7 <+1367>: lea 0x20(%rsp),%rdi 0x00007f87000f52ac <+1372>: mov %r14d,%esi 0x00007f87000f52af <+1375>: movsd %xmm2,0x8(%rsp) 0x00007f87000f52b5 <+1381>: sub %r14d,%edx 0x00007f87000f52b8 <+1384>: callq 0x7f86ffc41b50 <_ZNK3WTF10StringView9substringEjj@plt> 0x00007f87000f52bd <+1389>: mov %ebp,%ecx 0x00007f87000f52bf <+1391>: mov %rdx,%rsi 0x00007f87000f52c2 <+1394>: mov %rax,%rdi 0x00007f87000f52c5 <+1397>: shr $0x20,%rdx 0x00007f87000f52c9 <+1401>: callq 0x7f87000eb6e0 <JSC::parseIntOverflow(int)> 0x00007f87000f52ce <+1406>: movsd 0x8(%rsp),%xmm2 0x00007f87000f52d4 <+1412>: jmpq 0x7f87000f5040 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+752> 0x00007f87000f52d9 <+1417>: nopl 0x0(%rax) 0x00007f87000f52e0 <+1424>: cmp $0xffffffff,%eax 0x00007f87000f52e3 <+1427>: je 0x7f87000f5143 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1011> 0x00007f87000f52e9 <+1433>: pxor %xmm1,%xmm1 0x00007f87000f52ed <+1437>: add $0x1,%edx 0x00007f87000f52f0 <+1440>: add $0x1,%rcx 0x00007f87000f52f4 <+1444>: cmp %edx,%ebx 0x00007f87000f52f6 <+1446>: mov $0x1,%r9d 0x00007f87000f52fc <+1452>: cvtsi2sd %ebp,%xmm1 0x00007f87000f5300 <+1456>: mulsd %xmm0,%xmm1 0x00007f87000f5304 <+1460>: pxor %xmm0,%xmm0 0x00007f87000f5308 <+1464>: cvtsi2sd %eax,%xmm0 0x00007f87000f530c <+1468>: addsd %xmm1,%xmm0 0x00007f87000f5310 <+1472>: je 0x7f87000f514c <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, 
int32_t)+1020> 0x00007f87000f5316 <+1478>: movzbl (%rcx),%eax 0x00007f87000f5319 <+1481>: lea -0x30(%rax),%r8d 0x00007f87000f531d <+1485>: mov %eax,%edi 0x00007f87000f531f <+1487>: cmp $0x9,%r8w 0x00007f87000f5324 <+1492>: jbe 0x7f87000f5138 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1000> 0x00007f87000f532a <+1498>: lea -0x41(%rax),%r8d 0x00007f87000f532e <+1502>: cmp $0x19,%r8w 0x00007f87000f5333 <+1507>: ja 0x7f87000f53e0 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1680> 0x00007f87000f5339 <+1513>: sub $0x37,%eax 0x00007f87000f533c <+1516>: jmpq 0x7f87000f513b <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1003> 0x00007f87000f5341 <+1521>: nopl 0x0(%rax) 0x00007f87000f5348 <+1528>: cmp $0xffffffff,%eax 0x00007f87000f534b <+1531>: je 0x7f87000f5013 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+707> 0x00007f87000f5351 <+1537>: pxor %xmm1,%xmm1 0x00007f87000f5355 <+1541>: add $0x1,%esi 0x00007f87000f5358 <+1544>: add $0x2,%rcx 0x00007f87000f535c <+1548>: cmp %esi,%ebx 0x00007f87000f535e <+1550>: mov $0x1,%r8d 0x00007f87000f5364 <+1556>: cvtsi2sd %ebp,%xmm1 0x00007f87000f5368 <+1560>: mulsd %xmm0,%xmm1 0x00007f87000f536c <+1564>: pxor %xmm0,%xmm0 0x00007f87000f5370 <+1568>: cvtsi2sd %eax,%xmm0 0x00007f87000f5374 <+1572>: addsd %xmm1,%xmm0 0x00007f87000f5378 <+1576>: je 0x7f87000f501f <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+719> 0x00007f87000f537e <+1582>: movzwl (%rcx),%eax 0x00007f87000f5381 <+1585>: lea -0x30(%rax),%edi 0x00007f87000f5384 <+1588>: mov %eax,%edx 0x00007f87000f5386 <+1590>: cmp $0x9,%di 0x00007f87000f538a <+1594>: jbe 0x7f87000f5008 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+696> 0x00007f87000f5390 <+1600>: lea -0x41(%rax),%edi 0x00007f87000f5393 <+1603>: cmp $0x19,%di 0x00007f87000f5397 <+1607>: ja 0x7f87000f53c8 
<JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1656> 0x00007f87000f5399 <+1609>: sub $0x37,%eax 0x00007f87000f539c <+1612>: jmpq 0x7f87000f500b <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+699> 0x00007f87000f53a1 <+1617>: nopl 0x0(%rax) 0x00007f87000f53a8 <+1624>: lea -0x2(%rbp),%eax 0x00007f87000f53ab <+1627>: cmp $0x22,%eax 0x00007f87000f53ae <+1630>: jbe 0x7f87000f5109 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+953> 0x00007f87000f53b4 <+1636>: movabs $0x7ff9000000000000,%rax 0x00007f87000f53be <+1646>: jmpq 0x7f87000f5073 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+803> 0x00007f87000f53c3 <+1651>: nopl 0x0(%rax,%rax,1) 0x00007f87000f53c8 <+1656>: sub $0x61,%edx 0x00007f87000f53cb <+1659>: cmp $0x19,%dx 0x00007f87000f53cf <+1663>: ja 0x7f87000f5013 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+707> 0x00007f87000f53d5 <+1669>: sub $0x57,%eax 0x00007f87000f53d8 <+1672>: jmpq 0x7f87000f500b <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+699> 0x00007f87000f53dd <+1677>: nopl (%rax) 0x00007f87000f53e0 <+1680>: sub $0x61,%edi 0x00007f87000f53e3 <+1683>: cmp $0x19,%di 0x00007f87000f53e7 <+1687>: ja 0x7f87000f5143 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1011> 0x00007f87000f53ed <+1693>: sub $0x57,%eax 0x00007f87000f53f0 <+1696>: jmpq 0x7f87000f513b <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1003> 0x00007f87000f53f5 <+1701>: nopl (%rax) 0x00007f87000f53f8 <+1704>: lea -0x2(%rbp),%eax 0x00007f87000f53fb <+1707>: cmp $0x22,%eax 0x00007f87000f53fe <+1710>: jbe 0x7f87000f4fd8 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+648> 0x00007f87000f5404 <+1716>: movabs $0x7ff9000000000000,%rax 0x00007f87000f540e <+1726>: jmpq 0x7f87000f5073 
(In reply to Michael Catanzaro from comment #4)
> 0x00007f87000f4db4 <+100>: jne 0x7f87000f4dc0 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+112>
> => 0x00007f87000f4db6 <+102>: cmpb $0x6,0x5(%rsi)
> 0x00007f87000f4dba <+106>: je 0x7f87000f5250 <JSC::DFG::operationParseIntGeneric(JSC::ExecState*, JSC::EncodedJSValue, int32_t)+1280>

(Note the crash is at the => line.)
*** Bug 173805 has been marked as a duplicate of this bug. ***
*** Bug 173502 has been marked as a duplicate of this bug. ***
From the duplicates above, this can also be triggered by scrolling on http://joeduffyblog.com/2016/02/07/the-error-model/ or http://www.francetvinfo.fr/politique/la-france-insoumise/vous-ne-pouvez-pas-dire-vive-la-france-une-interview-d-une-deputee-insoumise-suscite-la-polemique_2250759.html. Probably better to test with the reproducers I posted before, which work by just loading the page.
*** Bug 171570 has been marked as a duplicate of this bug. ***
Hey Yusuke, any chance you have time to look into this one? I've found a bunch of duplicates....
(In reply to Michael Catanzaro from comment #10)
> Hey Yusuke, any chance you have time to look into this one? I've found a bunch of duplicates....

I'll check it ;) Maybe it takes a bit of time since I'm now in Toronto...
(In reply to Yusuke Suzuki from comment #11)
> (In reply to Michael Catanzaro from comment #10)
> > Hey Yusuke, any chance you have time to look into this one? I've found a bunch of duplicates....
>
> I'll check it ;) Maybe it takes a bit of time since I'm now in Toronto...

I'm not testing it yet. But, is it related? https://bugs.webkit.org/show_bug.cgi?id=170865
(In reply to Yusuke Suzuki from comment #12)
> (In reply to Yusuke Suzuki from comment #11)
> > (In reply to Michael Catanzaro from comment #10)
> > > Hey Yusuke, any chance you have time to look into this one? I've found a bunch of duplicates....
> >
> > I'll check it ;) Maybe it takes a bit of time since I'm now in Toronto...
>
> I'm not testing it yet. But, is it related?
> https://bugs.webkit.org/show_bug.cgi?id=170865

Yes! I've just merged r215387 and I can't reproduce the crashes anymore in 2.16. Thanks!
Merged <http://trac.webkit.org/changeset/218801>
(In reply to Carlos Garcia Campos from comment #13)
> (In reply to Yusuke Suzuki from comment #12)
> > (In reply to Yusuke Suzuki from comment #11)
> > > (In reply to Michael Catanzaro from comment #10)
> > > > Hey Yusuke, any chance you have time to look into this one? I've found a bunch of duplicates....
> > >
> > > I'll check it ;) Maybe it takes a bit of time since I'm now in Toronto...
> >
> > I'm not testing it yet. But, is it related?
> > https://bugs.webkit.org/show_bug.cgi?id=170865
>
> Yes! I've just merged r215387 and I can't reproduce the crashes anymore in 2.16. Thanks!

Nice!
(In reply to Carlos Garcia Campos from comment #13)
> Yes! I've just merged r215387 and I can't reproduce the crashes anymore in 2.16. Thanks!

Maybe we should inform JSC developers of our branch points and ask for help with deciding which commits to backport.