Bug 20863 - ASSERTION FAILED: addressOffset < instructions.size() in CodeBlock::getHandlerForVPC
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P1 Normal
Assignee: Nobody
Depends on:
Reported: 2008-09-15 15:45 PDT by Geoffrey Garen
Modified: 2008-09-17 19:57 PDT (History)
Proposed patch (1.58 KB, patch)
2008-09-15 19:36 PDT, Cameron Zwarich (cpst)
mjs: review+

Description Geoffrey Garen 2008-09-15 15:45:01 PDT
~/Labyrinth/OpenSource/JavaScriptCore/tests/mozilla$ "/Volumes/Big/ggaren/build/Debug/jsc"  -s  -f ./js1_5/shell.js -f ./js1_5/Regress/regress-96128-n.js

STATUS: Testing that JS infinite recursion protection works
ASSERTION FAILED: addressOffset < instructions.size()
(/Volumes/Big/ggaren/Labyrinth/OpenSource/JavaScriptCore/VM/CodeBlock.cpp:978 bool JSC::CodeBlock::getHandlerForVPC(const JSC::Instruction*, JSC::Instruction*&, int&))
Comment 1 Geoffrey Garen 2008-09-15 15:45:30 PDT
Only fails in CTI.
Comment 2 Cameron Zwarich (cpst) 2008-09-15 16:20:04 PDT
The problem is that exception range info is not being correctly generated, now that op_get_by_id is emitted before op_construct and op_instanceof (in this case it is op_construct). I tried to make a quick fix to avoid the crash, but it doesn't seem to work.

I must leave now for a while, so I am unassigning this to myself.
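The failure mode described in Comment 2 is worth seeing in miniature: a handler table whose ranges were computed for one instruction layout is consulted against a different layout, and the lookup ends up with an offset the table never accounted for. The following is an added, self-contained model of that situation, written for this page; it is not JavaScriptCore's code and none of the names (`HandlerInfo`, `buildBlock`, `lookupHandler`, the `op_*` opcodes as plain enum values) are taken from the project. It works on bytecode offsets directly, whereas the report's crash is on the CTI path, where the offset fed to the lookup is derived from a native return address; the consistency problem is the same in both cases.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical, simplified model of a CodeBlock's instruction stream and
// exception handler table. This is not JavaScriptCore's code; the names
// below are stand-ins chosen to mirror the report.
enum Opcode { op_enter, op_get_by_id, op_construct, op_ret, op_catch };

struct HandlerInfo {
    size_t start;   // first bytecode offset covered (inclusive)
    size_t end;     // one past the last covered offset
    size_t target;  // bytecode offset of the handler (op_catch)
};

struct CodeBlock {
    std::vector<Opcode> instructions;
    std::vector<HandlerInfo> exceptionHandlers;
};

// Finds the handler covering addressOffset. Offsets at or past the end of
// the instruction stream (the condition the report's assertion checks) and
// handler targets outside the stream are rejected explicitly, so a bad
// offset cannot become an out-of-bounds index when assertions are compiled out.
bool getHandlerForOffset(const CodeBlock& cb, size_t addressOffset, size_t& handlerOffset)
{
    if (addressOffset >= cb.instructions.size())
        return false;
    for (const HandlerInfo& h : cb.exceptionHandlers) {
        if (h.start <= addressOffset && addressOffset < h.end
            && h.target < cb.instructions.size()) {
            handlerOffset = h.target;
            return true;
        }
    }
    return false;
}

// Emits: op_enter; [op_get_by_id;] op_construct; op_ret; op_catch
// prefixGetById models the change the report describes: an op_get_by_id
// emitted before op_construct. staleRanges models the bug: the handler
// range is computed from a planned layout that assumed op_construct would
// follow op_enter directly, and is never updated for the prefix.
CodeBlock buildBlock(bool prefixGetById, bool staleRanges)
{
    CodeBlock cb;
    cb.instructions.push_back(op_enter);
    size_t plannedConstruct = cb.instructions.size();   // where the plan put op_construct
    if (prefixGetById)
        cb.instructions.push_back(op_get_by_id);
    size_t actualConstruct = cb.instructions.size();    // where it really landed
    cb.instructions.push_back(op_construct);
    cb.instructions.push_back(op_ret);
    size_t catchOffset = cb.instructions.size();
    cb.instructions.push_back(op_catch);

    if (staleRanges)
        cb.exceptionHandlers.push_back({ plannedConstruct, plannedConstruct + 1, plannedConstruct + 2 });
    else
        cb.exceptionHandlers.push_back({ actualConstruct, actualConstruct + 1, catchOffset });
    return cb;
}

// Handler offset for a throw at addressOffset in the block described, or -1 if none.
long lookupHandler(bool prefixGetById, bool staleRanges, size_t addressOffset)
{
    CodeBlock cb = buildBlock(prefixGetById, staleRanges);
    size_t target = 0;
    return getHandlerForOffset(cb, addressOffset, target) ? static_cast<long>(target) : -1;
}

int main()
{
    // Without the prefix, planned and emitted layouts agree: offset 1 is op_construct.
    std::printf("no prefix, stale ranges:  throw at 1 -> handler %ld\n", lookupHandler(false, true, 1));
    // With the prefix, op_construct sits at offset 2; the stale range still covers only offset 1.
    std::printf("prefix, stale ranges:     throw at 2 -> handler %ld\n", lookupHandler(true, true, 2));
    // Recording the range from the emitted offsets keeps it in step with the prefix.
    std::printf("prefix, emitted ranges:   throw at 2 -> handler %ld\n", lookupHandler(true, false, 2));
    // An offset past the end of the stream is refused rather than asserted on.
    std::printf("prefix, emitted ranges:   throw at 5 -> handler %ld\n", lookupHandler(true, false, 5));
    return 0;
}
```

The point of the `staleRanges` branch is that it works as long as nothing is emitted between the planned and the actual position of the throwing instruction, which is why the test passed before op_get_by_id started being emitted ahead of op_construct. Recording `start`, `end` and `target` from the offsets actually emitted, as the other branch does, is the property a fix has to restore. The explicit bounds check in `getHandlerForOffset` is the practitioner's caveat: an ASSERTION FAILED like the one in the report is a debug-build check, and a lookup that relies on it alone has no protection once the assertion is compiled out.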
Comment 3 Cameron Zwarich (cpst) 2008-09-15 19:36:46 PDT
Created attachment 23457 [details]
Proposed patch
Comment 4 Maciej Stachowiak 2008-09-15 19:40:22 PDT
Comment on attachment 23457 [details]
Proposed patch

Comment 5 Cameron Zwarich (cpst) 2008-09-17 19:57:47 PDT
Landed in r36472.