49006 – ASSERTION FAILED: base->index() == m_codeBlock->argumentsRegister() while loading taobao.com

RESOLVED FIXED Bug 49006

ASSERTION FAILED: base->index() == m_codeBlock->argumentsRegister() while loading taobao.com

https://bugs.webkit.org/show_bug.cgi?id=49006

Summary ASSERTION FAILED: base->index() == m_codeBlock->argumentsRegister() while loa...

Kimmo Kinnunen

Reported 2010-11-04 09:42:14 PDT

This might exist on other ports also, but I haven't been able to test. gdb --args WebKitBuild/Debug/bin/QtTestBrowser taobao.com [Thread debugging using libthread_db enabled] [New Thread 0xb06e9b70 (LWP 20812)] [New Thread 0xac4ffb70 (LWP 20813)] [Thread 0xac4ffb70 (LWP 20813) exited] [New Thread 0xa986cb70 (LWP 20822)] [New Thread 0xa586bb70 (LWP 20823)] ASSERTION FAILED: base->index() == m_codeBlock->argumentsRegister() (../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:1467 JSC::RegisterID* JSC::BytecodeGenerator::emitGetArgumentByVal(JSC::RegisterID*, JSC::RegisterID*, JSC::RegisterID*)) Program received signal SIGSEGV, Segmentation fault. 0xb6dbaccd in JSC::BytecodeGenerator::emitGetArgumentByVal (this=0x84df958, dst=0x84dfbf4, base=0x84dfe04, property=0x84dfe10) at ../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:1467 1467 ASSERT(base->index() == m_codeBlock->argumentsRegister()); (gdb) bt #0 0xb6dbaccd in JSC::BytecodeGenerator::emitGetArgumentByVal (this=0x84df958, dst=0x84dfbf4, base=0x84dfe04, property=0x84dfe10) at ../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:1467 #1 0xb6e1a797 in JSC::BracketAccessorNode::emitBytecode (this=0x8c592f8, generator=..., dst=0x0) at ../../../JavaScriptCore/bytecompiler/NodesCodegen.cpp:296 #2 0xb6dc0428 in JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::Node*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #3 0xb6e2743a in JSC::BytecodeGenerator::emitNode(JSC::Node*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #4 0xb6e27676 in JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode*, bool, bool) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #5 0xb6e1fa04 in JSC::StrictEqualNode::emitBytecode (this=0x8c59330, generator=..., dst=0x0) at ../../../JavaScriptCore/bytecompiler/NodesCodegen.cpp:1009 #6 0xb6dc0428 in JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::Node*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #7 0xb6e2743a in JSC::BytecodeGenerator::emitNode(JSC::Node*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #8 0xb6e22a14 in JSC::IfElseNode::emitBytecode (this=0x8c59520, generator=..., dst=0x84df988) at ../../../JavaScriptCore/bytecompiler/NodesCodegen.cpp:1464 #9 0xb6dc0428 in JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::Node*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #10 0xb6e27943 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #11 0xb6e223bc in JSC::BlockNode::emitBytecode (this=0x8c59538, generator=..., dst=0x84df988) at ../../../JavaScriptCore/bytecompiler/NodesCodegen.cpp:1388 ---Type <return> to continue, or q <return> to quit--- #12 0xb6dc0428 in JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::Node*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #13 0xb6e27943 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #14 0xb6e27a2b in JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #15 0xb6e2621b in JSC::FunctionBodyNode::emitBytecode (this=0x8c15608, generator=...) at ../../../JavaScriptCore/bytecompiler/NodesCodegen.cpp:2036 #16 0xb6db2347 in JSC::BytecodeGenerator::generate (this=0x84df958) at ../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:144 #17 0xb6d15cc9 in JSC::FunctionExecutable::compileForCallInternal (this=0x85507e8, exec=0xabebe3f8, scopeChainNode=0x8550050) at ../../../JavaScriptCore/runtime/Executable.cpp:197 #18 0xb6ce0ed3 in JSC::FunctionExecutable::compileForCall(JSC::ExecState*, JSC::ScopeChainNode*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #19 0xb6cec2a4 in cti_vm_lazyLinkCall (args=0xbfffe1d0) at ../../../JavaScriptCore/jit/JITStubs.cpp:2104 #20 0xb6ce7544 in JSC::JITThunks::tryCacheGetByID (callFrame=0xa18645b4, codeBlock=0x831187c, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0xbfffe248) at ../../../JavaScriptCore/jit/JITStubs.cpp:975 #21 0xb6ce0a50 in JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) () from /scratchbox/users/kimkinnu/home/kimkinnu/swork/webkit/WebKitBuild/Debug/bin/../lib/libQtWebKit.so.4 #22 0xb6cddae4 in JSC::Interpreter::executeCall (this=0x8311870, callFrame=0x83d6ebc, function=0xabe74780, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:830 #23 0xb6d0721e in JSC::call (exec=0x83d6ebc, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../JavaScriptCore/runtime/CallData.cpp:38 #24 0xb61a1840 in WebCore::JSMainThreadExecState::call (exec=0x83d6ebc, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../../WebCore/bindings/js/JSMainThreadExecState.h:48 ---Type <return> to continue, or q <return> to quit--- #25 0xb61ee8e7 in WebCore::JSEventListener::handleEvent (this=0x8b7ef98, scriptExecutionContext=0x83d1e50, event=0x8649b60) at ../../../WebCore/bindings/js/JSEventListener.cpp:124 #26 0xb63c5d56 in WebCore::EventTarget::fireEventListeners (this=0x8b7f108, event=0x8649b60, d=0x8b81540, entry=...) at ../../../WebCore/dom/EventTarget.cpp:335 #27 0xb63c5bdd in WebCore::EventTarget::fireEventListeners (this=0x8b7f108, event=0x8649b60) at ../../../WebCore/dom/EventTarget.cpp:304 #28 0xb63e0543 in WebCore::Node::handleLocalEvents (this=0x8b7f108, event=0x8649b60) at ../../../WebCore/dom/Node.cpp:2484 #29 0xb63e0d8b in WebCore::Node::dispatchGenericEvent (this=0x8b7f108, prpEvent=...) at ../../../WebCore/dom/Node.cpp:2602 #30 0xb63e0928 in WebCore::Node::dispatchEvent (this=0x8b7f108, prpEvent=...) at ../../../WebCore/dom/Node.cpp:2547 #31 0xb6553c24 in WebCore::HTMLScriptElement::dispatchLoadEvent (this=0x8b7f108) at ../../../WebCore/html/HTMLScriptElement.cpp:189 #32 0xb640c9f4 in WebCore::ScriptElementData::execute (this=0x8b7f150, cachedScript=0x8b845c8) at ../../../WebCore/dom/ScriptElement.cpp:223 #33 0xb634927d in WebCore::AsyncScriptRunner::timerFired (this=0x82c4030, timer=0x82c4040) at ../../../WebCore/dom/AsyncScriptRunner.cpp:87 #34 0xb6349db6 in WebCore::Timer<WebCore::AsyncScriptRunner>::fired (this=0x82c4040) at ../../../WebCore/platform/Timer.h:98 #35 0xb67fef8c in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x82cfc98) at ../../../WebCore/platform/ThreadTimers.cpp:112 #36 0xb67feed3 in WebCore::ThreadTimers::sharedTimerFired () at ../../../WebCore/platform/ThreadTimers.cpp:90 #37 0xb69e6226 in WebCore::SharedTimerQt::timerEvent (this=0x82cfcc8, ev=0xbfffed30) at ../../../WebCore/platform/qt/SharedTimerQt.cpp:116 #38 0xb3dea6f4 in QObject::event (this=0x82cfcc8, e=0xbfffd658) at kernel/qobject.cpp:1175 #39 0xb406c65c in QApplicationPrivate::notify_helper (this=0x8131be0, receiver=0x82cfcc8, e=0xbfffed30) at kernel/qapplication.cpp:4396 #40 0xb4073b4e in QApplication::notify (this=0xbffff0f0, receiver=0x82cfcc8, e=0xbfffed30) at kernel/qapplication.cpp:3798 #41 0xb3dd7deb in QCoreApplication::notifyInternal (this=0xbffff0f0, receiver=0x82cfcc8, event=0xbfffed30) at kernel/qcoreapplication.cpp:732 #42 0xb3e09b16 in QCoreApplication::sendEvent (this=0x81381b4) at kernel/qcoreapplication.h:215 #43 QTimerInfoList::activateTimers (this=0x81381b4) at kernel/qeventdispatcher_unix.cpp:602 #44 0xb3e068d4 in timerSourceDispatch (source=0x8138180) at kernel/qeventdispatcher_glib.cpp:184 #45 0xb304d5e5 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 #46 0xb30512d8 in ?? () from /lib/libglib-2.0.so.0 ---Type <return> to continue, or q <return> to quit---q No reduction yet.

Attachments
Page and content showing the crash (616.73 KB, application/zip) 2010-11-10 14:32 PST, Christian Sejersen	no flags	Details
Patch (13.02 KB, patch) 2010-12-21 14:18 PST, Oliver Hunt	barraclough: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2010-11-04 12:17:48 PDT

This is not a Qt bug, it also occurs on Mac (confirmed with r71185).

Geoffrey Garen

Comment 2 2010-11-08 12:57:32 PST

<rdar://problem/8642952>

Christian Sejersen

Comment 3 2010-11-10 14:32:33 PST

Created attachment 73541 [details] Page and content showing the crash Added the content to reproduce the bug

Oliver Hunt

Comment 4 2010-12-21 10:52:57 PST

Reduced to (function (arguments) { arguments[0]; })()

Oliver Hunt

Comment 5 2010-12-21 14:18:50 PST

Created attachment 77153 [details] Patch

Oliver Hunt

Comment 6 2010-12-21 14:54:33 PST

Committed r74428: <http://trac.webkit.org/changeset/74428>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2010-11-04 09:42 PDT

Modified

2010-12-21 14:54 PST History

CC List

4 users Show

URL

http://taobao.com

Keywords InRadar

Depends on

Blocks