RESOLVED FIXED 22287
ASSERTION FAILED: Not enough jumps linked in slow case codegen in CTI::privateCompileSlowCases())
https://bugs.webkit.org/show_bug.cgi?id=22287
Jim Oase
Reported 2008-11-15 18:12:32 PST
Select this site and it will crash in seconds: http://www.foxnews.com/specialreport/index.html

I am using Webkit build r38386
Attachments
Reduction (83 bytes, text/html)
2008-11-16 16:31 PST, Cameron Zwarich (cpst)
no flags
Crash log... (26.07 KB, text/plain)
2008-11-18 11:53 PST, Jim Oase
no flags
crash log (26.07 KB, text/plain)
2008-11-18 17:28 PST, Jim Oase
no flags
Matt Lilek
Comment 1 2008-11-16 08:45:52 PST
Confirmed with r38440:

ASSERTION FAILED: Not enough jumps linked in slow case codegen.
(iter + 1) == m_slowCases.end() || firstTo != (iter + 1)->to
(/Users/matt/Code/WebKit/JavaScriptCore/VM/CTI.cpp:2995 void JSC::CTI::privateCompileSlowCases())

Thread 0 Crashed:
0   com.apple.JavaScriptCore   0x0057293e JSC::CTI::privateCompileSlowCases() + 15856 (CTI.cpp:2995)
1   com.apple.JavaScriptCore   0x0057aa77 JSC::CTI::privateCompile() + 315 (CTI.cpp:3035)
2   com.apple.JavaScriptCore   0x00542ce7 JSC::CTI::compile(JSC::JSGlobalData*, JSC::CodeBlock*) + 45 (CTI.h:289)
3   com.apple.JavaScriptCore   0x00529479 JSC::BytecodeInterpreter::cti_op_call_JSFunction(void*, ...) + 211 (Machine.cpp:4693)
4   com.apple.JavaScriptCore   0x00524126 jscGeneratedNativeCode + 0 (Machine.cpp:4261)
5   com.apple.JavaScriptCore   0x0052af5d JSC::BytecodeInterpreter::execute(JSC::FunctionBodyNode*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue**) + 789 (Machine.cpp:1008)
6   com.apple.JavaScriptCore   0x004805bb JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue*, JSC::ArgList const&) + 139 (JSFunction.cpp:83)
7   com.apple.JavaScriptCore   0x0048066c JSC::call(JSC::ExecState*, JSC::JSValue*, JSC::CallType, JSC::CallData const&, JSC::JSValue*, JSC::ArgList const&) + 170 (CallData.cpp:39)
8   com.apple.JavaScriptCore   0x0048e48a __ZN3JSCL22functionProtoFuncApplyEPNS_9ExecStateEPNS_8JSObjectEPNS_7JSValueERKNS_7ArgListE + 684 (FunctionPrototype.cpp:113)
9   com.apple.JavaScriptCore   0x00529188 JSC::BytecodeInterpreter::cti_op_call_NotJSFunction(void*, ...) + 454 (Machine.cpp:4813)
10  com.apple.JavaScriptCore   0x00524126 jscGeneratedNativeCode + 0 (Machine.cpp:4261)
11  com.apple.JavaScriptCore   0x0052af5d JSC::BytecodeInterpreter::execute(JSC::FunctionBodyNode*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue**) + 789 (Machine.cpp:1008)
12  com.apple.JavaScriptCore   0x004805bb JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue*, JSC::ArgList const&) + 139 (JSFunction.cpp:83)
13  com.apple.JavaScriptCore   0x0048066c JSC::call(JSC::ExecState*, JSC::JSValue*, JSC::CallType, JSC::CallData const&, JSC::JSValue*, JSC::ArgList const&) + 170 (CallData.cpp:39)
14  com.apple.WebCore          0x039934e9 WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 793 (JSEventListener.cpp:110)
Matt Lilek
Comment 2 2008-11-16 08:56:33 PST
*** Bug 22291 has been marked as a duplicate of this bug. ***
Cameron Zwarich (cpst)
Comment 3 2008-11-16 13:25:38 PST
I am not sure if these two are really duplicates, because it may be for two different opcodes, but thanks a lot for finding this. I'll assign this to myself.
Matt Lilek
Comment 4 2008-11-16 15:05:29 PST
(In reply to comment #3)
> I am not sure if these two are really duplicates, because it may be for two
> different opcodes, but thanks a lot for finding this.
>

The stack traces for both bugs are identical once they enter JSCore (frame 13 and up).
Matt Lilek
Comment 5 2008-11-16 15:07:07 PST
(In reply to comment #4)
> The stack traces for both bugs are identical once they enter JSCore (frame 13
> and up).
>

Actually, I should be more specific: the stacks aren't just identical, but also have the exact same line numbers in my debug build.
Cameron Zwarich (cpst)
Comment 6 2008-11-16 16:27:15 PST
(In reply to comment #5)
> (In reply to comment #4)
> > The stack traces for both bugs are identical once they enter JSCore (frame 13
> > and up).
> >
>
> Actually, I should be more specific: the stacks aren't just identical, but also
> have the exact same line numbers in my debug build.

That one assertion that is failing is responsible for checking quite a bit of code. It is the same class of bug, but a fix for one case may not fix the other, so I just made a note here to double check the other bug that got marked as a duplicate.
Cameron Zwarich (cpst)
Comment 7 2008-11-16 16:31:52 PST
Created attachment 25202 [details]
Reduction

Here is a reduction. It also works in the jsc shell.
Jim Oase
Comment 8 2008-11-17 08:32:04 PST
This page still crashes with build r38492: http://www.foxnews.com/specialreport/index.html

Animation on site does not work either: http://radar.weather.gov/Conus/full_loop.php
Cameron Zwarich (cpst)
Comment 9 2008-11-17 11:20:25 PST
I have a fix for this, but I might not be able to land it for a while because my MacBook Pro just died. :(
Jim Oase
Comment 10 2008-11-18 11:53:43 PST
Created attachment 25242 [details]
Crash log...
Jim Oase
Comment 11 2008-11-18 17:28:36 PST
Created attachment 25253 [details]
crash log

This crash occurred with nightly build r38586
Cameron Zwarich (cpst)
Comment 12 2008-11-18 17:43:41 PST
Thanks for the crash logs, but no additional crash logs are needed.
Cameron Zwarich (cpst)
Comment 13 2008-11-18 20:06:30 PST
This bug (along with all of the duplicates mentioned here) was fixed in r38590.