215639 2020-08-18 21:28:28 -0700 REGRESSION (r265775): DFG ASSERTION FAILED: AI-clobberize disagreement; AI says FoldedClobber while clobberize says (Direct:[], Super:[]) 2020-08-19 13:57:39 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=215487 InRadar P2 Normal --- 1 ryanhaddad saam ews-watchlist keith_miller mark.lam msaboff rmorisset saam tzagallo webkit-bot-watchers-bugzilla webkit-bug-importer ysuzuki oldest_to_newest 1681293 0 ryanhaddad 2020-08-18 21:28:28 -0700 Seeing the following assertion failure on the debug JSC bot: DFG ASSERTION FAILED: AI-clobberize disagreement; AI says FoldedClobber while clobberize says (Direct:[], Super:[]) ./dfg/DFGCFAPhase.cpp(240) : void JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock *) While handling node D@30 Graph at time of failure: 12: DFG for test3#<no-hash>:[0x10d7bcab0->0x10d7bc5f0->0x10d7e5300, DFGFunctionCall, 29 (NeverInline)]: 12: Fixpoint state: FixpointNotConverged; Form: ThreadedCPS; Unification state: GloballyUnified; Ref count state: EverythingIsLive 12: Arguments for block#0: D@0 0 12: Block #0 (bc#0): (OSR target) 0 12: Execution count: 1.000000 0 12: Predecessors: 0 12: Successors: 0 12: Dominated by: #root #0 0 12: Dominates: #0 0 12: Dominance Frontier: 0 12: Iterated Dominance Frontier: 0 12: States: StructuresAreWatched 0 12: Vars Before: arg0:(BytecodeTop, TOP, TOP, none:StructuresAreClobbered) 0 12: Intersected Vars Before: arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) 0 12: Var Links: arg0:D@0 0 0 12: D@0:< 1:-> SetArgumentDefinitely(IsFlushed, this(a), W:SideState, bc#0, ExitValid) predicting OtherObj 1 0 12: D@1:< 1:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid) 2 0 12: D@2:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitValid) 3 0 12: D@3:< 1:-> SetLocal(Check:Untyped:D@1, loc0(B~<Other>/FlushedJSValue), W:Stack(loc0), bc#0, ExitInvalid) predicting Other 4 0 12: D@4:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid) 5 0 12: D@5:< 1:-> SetLocal(Check:Untyped:D@1, loc1(C~<Other>/FlushedJSValue), W:Stack(loc1), bc#0, ExitInvalid) predicting Other 6 0 12: D@6:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid) 7 0 12: D@7:< 1:-> SetLocal(Check:Untyped:D@1, loc2(D~<Other>/FlushedJSValue), W:Stack(loc2), bc#0, ExitInvalid) predicting Other 8 0 12: D@8:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid) 9 0 12: D@9:< 1:-> SetLocal(Check:Untyped:D@1, loc3(E~<Other>/FlushedJSValue), W:Stack(loc3), bc#0, ExitInvalid) predicting Other 10 0 12: D@10:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid) 11 0 12: D@11:< 1:-> SetLocal(Check:Untyped:D@1, loc4(F~<Other>/FlushedJSValue), W:Stack(loc4), bc#0, ExitInvalid) predicting Other 12 0 12: D@12:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid) 13 0 12: D@13:< 1:-> SetLocal(Check:Untyped:D@1, loc5(G~<Other>/FlushedJSValue), W:Stack(loc5), bc#0, ExitInvalid) predicting Other 14 0 12: D@14:< 1:-> JSConstant(JS|PureInt, Function, Weak:Object: 0x10d7f65e0 with butterfly 0x0 (Structure %BO:Function), StructureID: 37855, bc#1, ExitValid) 15 0 12: D@15:< 1:-> JSConstant(JS|UseAsOther, OtherObj, Weak:Object: 0x10d2b4068 with butterfly 0x0 (Structure %BG:JSGlobalLexicalEnvironment), StructureID: 39390, bc#1, ExitValid) 16 0 12: D@16:<!0:-> MovHint(Check:Untyped:D@15, MustGen, loc4, W:SideState, ClobbersExit, bc#1, ExitValid) 17 0 12: D@17:< 1:-> SetLocal(Check:Untyped:D@15, loc4(H~<Object>/FlushedJSValue), W:Stack(loc4), bc#1, exit: bc#3, ExitValid) predicting OtherObj 18 0 12: D@18:<!0:-> MovHint(Check:Untyped:D@15, MustGen, loc5, W:SideState, ClobbersExit, bc#3, ExitValid) 19 0 12: D@19:< 1:-> SetLocal(Check:Untyped:D@15, loc5(I~<Object>/FlushedJSValue), W:Stack(loc5), bc#3, exit: bc#6, ExitValid) predicting OtherObj 20 0 12: D@20:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#6, ExitValid) 21 0 12: D@21:< 1:-> JSConstant(JS|UseAsOther, OtherObj, Weak:Object: 0x10d5fa068 with butterfly 0x18078e88d8 (Structure %B2:global), StructureID: 32425, bc#7, ExitValid) 22 0 12: D@22:<!0:-> MovHint(Check:Untyped:D@21, MustGen, loc7, W:SideState, ClobbersExit, bc#7, ExitValid) 23 0 12: D@23:<!0:-> Check(MustGen, bc#7, ExitInvalid) 24 0 12: D@24:< 1:-> SetLocal(Check:Untyped:D@21, loc7(J~<Object>/FlushedJSValue), W:Stack(loc7), bc#7, exit: bc#14, ExitValid) predicting OtherObj 25 0 12: D@25:<!0:-> Check(MustGen, bc#14, ExitValid) 26 0 12: D@26:< 1:-> JSConstant(JS|UseAsOther, Array, Weak:Object: 0x10d2979e8 with butterfly 0x18078e40d0 (Structure %EO:Array,ArrayWithContiguous), StructureID: 3285, bc#14, ExitValid) 27 0 12: D@27:<!0:-> MovHint(Check:Untyped:D@26, MustGen, loc8, W:SideState, ClobbersExit, bc#14, ExitValid) 28 0 12: D@28:< 1:-> SetLocal(Check:Untyped:D@26, loc8(K~<Array>/FlushedJSValue), W:Stack(loc8), bc#14, exit: bc#22, ExitValid) predicting Array 29 0 12: D@29:< 1:-> JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 5, bc#22, ExitValid) 30 0 12: D@35:<!0:-> CheckStructure(Cell:D@26, MustGen, [%EO:Array,ArrayWithContiguous], R:JSCell_structureID, Exits, bc#22, ExitValid) 31 0 12: D@36:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, Exits, bc#22, ExitValid) 32 0 12: D@30:< 1:-> GetByVal(KnownCell:D@26, Int32:D@29, Check:Untyped:D@36, JS|VarArgs|UseAsOther, Other, Contiguous+OriginalCopyOnWriteArray+OutOfBoundsSaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedContiguousProperties, Exits, bc#22, ExitValid) predicting Other 33 0 12: D@31:<!0:-> MovHint(Check:Untyped:D@30, MustGen, loc6, W:SideState, ClobbersExit, bc#22, ExitInvalid) 34 0 12: D@32:< 1:-> SetLocal(Check:Untyped:D@30, loc6(L~<Other>/FlushedJSValue), W:Stack(loc6), bc#22, exit: bc#27, ExitValid) predicting Other 35 0 12: D@33:<!0:-> Return(Check:Untyped:D@30, MustGen, W:SideState, Exits, bc#27, ExitValid) 36 0 12: D@34:<!0:-> Flush(Check:Untyped:D@0, MustGen|IsFlushed, this(a), R:Stack(this), W:SideState, bc#27, ExitValid) predicting OtherObj 0 12: States: InvalidBranchDirection, StructuresAreWatched 0 12: Vars After: 0 12: Var Links: arg0:D@0 loc0:D@3 loc1:D@5 loc2:D@7 loc3:D@9 loc4:D@17 loc5:D@19 loc6:D@32 loc7:D@24 loc8:D@28 12: GC Values: 12: Weak:Object: 0x10d2979e8 with butterfly 0x18078e40d0 (Structure %EO:Array,ArrayWithContiguous), StructureID: 3285 12: Weak:Object: 0x10d5fa068 with butterfly 0x18078e88d8 (Structure %B2:global), StructureID: 32425 12: Weak:Object: 0x10d2b4068 with butterfly 0x0 (Structure %BG:JSGlobalLexicalEnvironment), StructureID: 39390 12: Weak:Object: 0x10d7f65e0 with butterfly 0x0 (Structure %BO:Function), StructureID: 37855 12: Desired watchpoints: 12: Watchpoint sets: 0x10d29a680 12: Inline watchpoint sets: 0x10d7f9b08, 0x10d2cd0c0, 0x10d7f9788, 0x10d2cd280, 0x10d7f8448, 0x10d7f9478, 0x10d7f91d8, 0x10d7f9f68 12: SymbolTables: 12: FunctionExecutables: 0x10d7e5300 12: Buffer views: 12: Object property conditions: 12: Structures: 12: %B2:global = 0x10d7cd810:[0x7ea9, global, {Object:100, Function:101, Array:102, RegExp:103, String:104, Promise:105, BigInt:106, Intl:107, $vm:108, WebAssembly:109, Symbol.toStringTag:110, debug:111, describe:112, describeArray:113, print:114, printErr:115, quit:116, gc:117, fullGC:118, edenGC:119, gcHeapSize:120, MemoryFootprint:121, resetMemoryPeak:122, addressOf:123, version:124, run:125, runString:126, load:127, loadString:128, readFile:129, read:130, checkSyntax:131, sleepSeconds:132, jscStack:133, readline:134, preciseTime:135, neverInlineFunction:136, noInline:137, noDFG:138, noFTL:139, noOSRExitFuzzing:140, numberOfDFGCompiles:141, callerIsOMGCompiled:142, jscOptions:143, optimizeNextInvocation:144, reoptimizationRetryCount:145, transferArrayBuffer:146, failNextNewCodeBlock:147, OSRExit:148, isFinalTier:149, predictInt32:150, isInt32:151, isPureNaN:152, fiatInt52:153, effectful42:154, makeMasquerader:155, hasCustomProperties:156, createGlobalObject:157, createHeapBigInt:158, useBigInt32:159, isBigInt32:160, isHeapBigInt:161, dumpTypesForAllVariables:162, drainMicrotasks:163, setTimeout:164, releaseWeakRefs:165, finalizationRegistryLiveCount:166, finalizationRegistryDeadCount:167, getRandomSeed:168, setRandomSeed:169, isRope:170, callerSourceOrigin:171, is32BitPlatform:172, checkModuleSyntax:173, platformSupportsSamplingProfiler:174, generateHeapSnapshot:175, generateHeapSnapshotForGCDebugging:176, resetSuperSamplerState:177, ensureArrayStorage:178, startSamplingProfiler:179, samplingProfilerStackTraces:180, stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds-foldable.js.mini-mode: DFG ASSERTION FAILED: AI-clobberize disagreement; AI says FoldedClobber while clobberize says (Direct:[], Super:[]) stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds-foldable.js.mini-mode: ./dfg/DFGCFAPhase.cpp(240) : void JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock *) stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds-foldable.js.mini-mode: https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests/builds/1366 1681294 1 webkit-bug-importer 2020-08-18 21:28:46 -0700 <rdar://problem/67376432> 1681298 2 ryanhaddad 2020-08-18 21:38:49 -0700 https://trac.webkit.org/changeset/265775/webkit is the only JSC change in the regression range. 1681354 3 saam 2020-08-19 08:56:00 -0700 Should be easy to fix. 1681406 4 saam 2020-08-19 10:54:00 -0700 fix forthcoming 1681408 5 406855 saam 2020-08-19 10:57:50 -0700 Created attachment 406855 patch 1681411 6 406855 rmorisset 2020-08-19 11:01:07 -0700 Comment on attachment 406855 patch r=me 1681466 7 ews-feeder 2020-08-19 13:57:38 -0700 Committed r265893: <https://trac.webkit.org/changeset/265893> All reviewed patches have been landed. Closing bug and clearing flags on attachment 406855. 406855 2020-08-19 10:57:50 -0700 2020-08-19 13:57:39 -0700 patch b-backup.diff text/plain 1554 saam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjY1ODYxKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE0IEBA CisyMDIwLTA4LTE5ICBTYWFtIEJhcmF0aSAgPHNiYXJhdGlAYXBwbGUuY29tPgorCisgICAgICAg IFJFR1JFU1NJT04gKHIyNjU3NzUpOiBERkcgQVNTRVJUSU9OIEZBSUxFRDogQUktY2xvYmJlcml6 ZSBkaXNhZ3JlZW1lbnQ7IEFJIHNheXMgRm9sZGVkQ2xvYmJlciB3aGlsZSBjbG9iYmVyaXplIHNh eXMgKERpcmVjdDpbXSwgU3VwZXI6W10pCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3Jn L3Nob3dfYnVnLmNnaT9pZD0yMTU2MzkKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzY3Mzc2NDMy PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogZGZn L0RGR0Fic3RyYWN0SW50ZXJwcmV0ZXJJbmxpbmVzLmg6CisgICAgICAgIChKU0M6OkRGRzo6QWJz dHJhY3RJbnRlcnByZXRlcjxBYnN0cmFjdFN0YXRlVHlwZT46OmV4ZWN1dGVFZmZlY3RzKToKKwog MjAyMC0wOC0xOCAgU2FhbSBCYXJhdGkgIDxzYmFyYXRpQGFwcGxlLmNvbT4KIAogICAgICAgICBV cGRhdGUgYnl0ZSBvZmZzZXRzIGluIEpTU3RyaW5nLmggY29tbWVudApJbmRleDogU291cmNlL0ph dmFTY3JpcHRDb3JlL2RmZy9ERkdBYnN0cmFjdEludGVycHJldGVySW5saW5lcy5oCj09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHQWJzdHJhY3RJbnRlcnByZXRlcklu bGluZXMuaAkocmV2aXNpb24gMjY1ODYwKQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9E RkdBYnN0cmFjdEludGVycHJldGVySW5saW5lcy5oCSh3b3JraW5nIGNvcHkpCkBAIC0yMzAxLDcg KzIzMDEsNyBAQCBib29sIEFic3RyYWN0SW50ZXJwcmV0ZXI8QWJzdHJhY3RTdGF0ZVR5CiAgICAg ICAgICAgICBjYXNlIEFycmF5OjpBcnJheVN0b3JhZ2U6CiAgICAgICAgICAgICBjYXNlIEFycmF5 OjpTbG93UHV0QXJyYXlTdG9yYWdlOgogICAgICAgICAgICAgICAgIGlmIChmb2xkR2V0QnlWYWxP bkNvbnN0YW50UHJvcGVydHkobV9ncmFwaC5jaGlsZChub2RlLCAwKSwgbV9ncmFwaC5jaGlsZChu b2RlLCAxKSkpIHsKLSAgICAgICAgICAgICAgICAgICAgaWYgKCFub2RlLT5hcnJheU1vZGUoKS5p c0luQm91bmRzKCkpCisgICAgICAgICAgICAgICAgICAgIGlmIChub2RlLT5hcnJheU1vZGUoKS5p c0VmZmVjdGZ1bE91dE9mQm91bmRzKCkpCiAgICAgICAgICAgICAgICAgICAgICAgICBkaWRGb2xk Q2xvYmJlcldvcmxkKCk7CiAgICAgICAgICAgICAgICAgICAgIGRpZEZvbGQgPSB0cnVlOwogICAg ICAgICAgICAgICAgIH0K