UNCONFIRMED 70433
Assert failure in JSC::WriteBarrierBase<JSC::Structure>::operator->() 
https://bugs.webkit.org/show_bug.cgi?id=70433
Summary Assert failure in JSC::WriteBarrierBase<JSC::Structure>::operator->()
Dimitris Apostolou
Reported 2011-10-19 11:40:59 PDT
Created attachment 111654 [details] Crash log. Reproducibility: always Steps: 1. Open any webpage. 2. Open a 2nd tab and navigate to http://www.google.com/intl/el/landing/transit/#dmy What happened: Assert failure and crash. ASSERTION FAILED: m_cell /Users/rex/WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h(108) : JSC::Structure *JSC::WriteBarrierBase<JSC::Structure>::operator->() const 1 0x108efd667 JSC::WriteBarrierBase<JSC::Structure>::operator->() const 2 0x108f08f1c JSC::JSCell::isString() const 3 0x108f09a42 JSC::JSValue::isString() const 4 0x108f0981b JSC::JSValue::toString(JSC::ExecState*) const 5 0x10911dd28 _ZN3JSCL29objectProtoFuncHasOwnPropertyEPNS_9ExecStateE 6 0x2c750de011f8 7 0x108ff6f09 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 8 0x108ff3812 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 9 0x108f52151 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 10 0x10a4ac4e3 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 11 0x10ad694f3 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) 12 0x10ad68fd9 WebCore::ScheduledAction::execute(WebCore::Document*) 13 0x10ad68e04 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*) 14 0x10a0248cf WebCore::DOMTimer::fired() 15 0x10afc09f7 WebCore::ThreadTimers::sharedTimerFiredInternal() 16 0x10afc07c9 WebCore::ThreadTimers::sharedTimerFired() 17 0x10adea5b3 _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv 18 0x107950f84 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ 19 0x107950ad6 __CFRunLoopDoTimer 20 0x107931471 __CFRunLoopRun 21 0x107930ae6 CFRunLoopRunSpecific 22 0x1135c63d3 RunCurrentEventLoopInMode 23 0x1135cd63d ReceiveNextEventCommon 24 0x1135cd4ca BlockUntilNextEventMatchingListInMode 25 0x10f1dc3f1 _DPSNextEvent 26 0x10f1dbcf5 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 27 0x10f1d862d -[NSApplication run] 28 0x108154d5c RunLoop::run() 29 0x10823ea9f WebKit::WebProcessMain(WebKit::CommandLine const&) 30 0x1081aa68f _ZL10WebKitMainRKN6WebKit11CommandLineE 31 0x1081aa57d WebKitMain Expected result: WebKit does not crash.
Attachments
Crash log. (44.07 KB, text/plain)
2011-10-19 11:40 PDT, Dimitris Apostolou 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2011-10-19 14:57:56 PDT
Could be the same as bug 70201.
Oliver Hunt
Comment 2 2011-10-19 15:08:26 PDT
(In reply to comment #1) > Could be the same as bug 70201. Seems highly likely. A quick look in the debugger claims that we're trying to get the default value of a ScopeChainNode which means either a GC bug (so scope chain got allocated in place of an object that should be live) or a jit bug
Note You need to log in before you can comment on or make changes to this bug.