WebKit Bugzilla
Bug 202141
Status: NEW
Summary: Crash in JSC::speculationFromCell
https://bugs.webkit.org/show_bug.cgi?id=202141
Michael Catanzaro
Reported 2019-09-24 07:12:49 PDT

Created attachment 379450 [details]: Backtrace

Random crash. Truncated backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  JSC::speculationFromCell (cell=0x80000) at ../Source/JavaScriptCore/runtime/JSCellInlines.h:215
215	    return m_type == StringType;
[Current thread is 1 (Thread 0x7f3aa293a9c0 (LWP 1575))]
(gdb) bt
#0  0x00007f3aa68bc0d4 in JSC::speculationFromCell(JSC::JSCell*) (cell=0x80000) at ../Source/JavaScriptCore/runtime/JSCellInlines.h:215
#1  0x00007f3aa6879275 in JSC::ValueProfileBase<1u>::computeUpdatedPrediction(JSC::ConcurrentJSLocker const&) (this=<optimized out>) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:392
#2  0x00007f3aa6879275 in JSC::CodeBlock::<lambda(JSC::ValueProfile&, bool)>::operator() (isArgument=<optimized out>, profile=..., __closure=<optimized out>) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2710
#3  0x00007f3aa6879275 in JSC::CodeBlock::<lambda(JSC::ValueProfile&, bool)>::operator() (isArgument=false, profile=..., __closure=<optimized out>) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2698
#4  0x00007f3aa6879275 in JSC::CodeBlock::<lambda(auto:21&)>::operator()<JSC::OpCall::Metadata> (this=<optimized out>, metadata=...) at ../Source/JavaScriptCore/bytecode/CodeBlockInlines.h:44
#5  0x00007f3aa6879275 in JSC::MetadataTable::forEach<JSC::OpCall, JSC::CodeBlock::forEachValueProfile(const Functor&) [with Functor = JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness(unsigned int&, unsigned int&)::<lambda(JSC::ValueProfile&, bool)>]::<lambda(auto:21&)> > (func=..., this=<optimized out>) at ../Source/JavaScriptCore/bytecode/MetadataTable.h:61
#6  0x00007f3aa6879275 in JSC::CodeBlock::forEachValueProfile<JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness(unsigned int&, unsigned int&)::<lambda(JSC::ValueProfile&, bool)> > (func=..., this=0x7f397dedb900) at ../Source/JavaScriptCore/bytecode/CodeBlockInlines.h:44
#7  0x00007f3aa6879275 in JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness(unsigned int&, unsigned int&) (this=this@entry=0x7f397dedb900, numberOfLiveNonArgumentValueProfiles=@0x7ffcd84b4a20: 44, numberOfSamplesInProfiles=@0x7ffcd84b4a24: 49) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2698
#8  0x00007f3aa6879b15 in JSC::CodeBlock::updateAllValueProfilePredictions() (this=this@entry=0x7f397dedb900) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2729
#9  0x00007f3aa687a29d in JSC::CodeBlock::updateAllPredictions() (this=this@entry=0x7f397dedb900) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2747
#10 0x00007f3aa6887495 in JSC::CodeBlock::finalizeUnconditionally(JSC::VM&) (this=0x7f397dedb900, vm=...) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:1380

Full backtrace attached. Maybe related: bug #131506 or bug #160027
Attachments
Backtrace (1.34 MB, text/plain), 2019-09-24 07:12 PDT, Michael Catanzaro