Bug 117605

The following failure occurs on Linux (tested on armel/Qt) and on QNX ARM, while loading the desktop version of Google Maps: ASSERTION FAILED: !(forNode(edge).m_type & ~typeFilterFor(edge.useKind())) ~/WebKit/Source/JavaScriptCore/dfg/DFGAbstractState.cpp(263) : void JSC::DFG::AbstractState::verifyEdge(JSC::DFG::Node*, JSC::DFG::Edge) Program received signal SIGSEGV, Segmentation fault. 0x73e8249a in WTFCrash () from ~/WebKit/WebKitBuild/Debug/lib/libWTF.so.1 (gdb) bt #0 0x73e8249a in WTFCrash () from ~/WebKit/WebKitBuild/Debug/lib/libWTF.so.1 #1 0x73893218 in JSC::DFG::AbstractState::verifyEdge (this=0x7effcd18, edge=...) at ~/WebKit/Source/JavaScriptCore/dfg/DFGAbstractState.cpp:263 #2 0x73893342 in JSC::DFG::AbstractState::verifyEdges (this=0x7effcd18, node=0x6ec70688) at ~/WebKit/Source/JavaScriptCore/dfg/DFGAbstractState.cpp:268 #3 0x7389341c in JSC::DFG::AbstractState::executeEffects (this=0x7effcd18, indexInBlock=18, node=0x6ec70688) at ~/WebKit/Source/JavaScriptCore/dfg/DFGAbstractState.cpp:274 #4 0x73897b26 in JSC::DFG::AbstractState::executeEffects (this=0x7effcd18, indexInBlock=18) at ~/WebKit/Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1569 #5 0x7391bbc8 in JSC::DFG::SpeculativeJIT::compile (this=0x7effc800, block=...) at ~/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1833 #6 0x7391c0c4 in JSC::DFG::SpeculativeJIT::compile (this=0x7effc800) at ~/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1913 #7 0x738ef5a4 in JSC::DFG::JITCompiler::compileBody (this=0x7effdb70, speculative=...) at ~/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108 #8 0x738f03ac in JSC::DFG::JITCompiler::compileFunction (this=0x7effdb70, entry=..., entryWithArityCheck=...) at ~/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302 #9 0x738e0f9c in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x70b98de0, codeBlock=0xcd3188, jitCode=..., jitCodeWithArityCheck=0x6ea4a0c4, osrEntryBytecodeIndex=0) at ~/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:164 #10 0x738e092c in JSC::DFG::tryCompileFunction (exec=0x70b98de0, codeBlock=0xcd3188, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0) at ~/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:182 #11 0x73a3df06 in JSC::jitCompileFunctionIfAppropriate (exec=0x70b98de0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, effort=JSC::JITCompilationCanFail) at ~/WebKit/Source/JavaScriptCore/jit/JITDriver.h:95 #12 0x73a3e112 in JSC::prepareFunctionForExecution (exec=0x70b98de0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, kind=JSC::CodeForCall) at ~/WebKit/Source/JavaScriptCore/runtime/ExecutionHarness.h:68 #13 0x73a3c994 in JSC::FunctionExecutable::compileForCallInternal (this=0x6ea4a098, exec=0x70b98de0, scope=0x6ed1efb8, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0) at ~/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:539 #14 0x73a3c39a in JSC::FunctionExecutable::compileOptimizedForCall (this=0x6ea4a098, exec=0x70b98de0, scope=0x6ed1efb8, bytecodeIndex=0) at ~/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:464 #15 0x737f5912 in JSC::FunctionExecutable::compileOptimizedFor (this=0x6ea4a098, exec=0x70b98de0, scope=0x6ed1efb8, bytecodeIndex=0, kind=JSC::CodeForCall) at ~/WebKit/Source/JavaScriptCore/runtime/Executable.h:679 #16 0x737f00ec in JSC::FunctionCodeBlock::compileOptimized (this=0xbdcb80, exec=0x70b98de0, scope=0x6ed1efb8, bytecodeIndex=0) at ~/WebKit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2843 #17 0x739a7e8c in JSC::JITStubThunked_optimize (args=0x7effe138) at ~/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1964 #18 0x739a7dcc in cti_optimize () at ~/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1895 #19 0x739a5894 in JSC::tryCacheGetByID (callFrame=0x7effe1e8, codeBlock=0x6ee0920c, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x0) at ~/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1068 #20 0x00000000 in ?? ()