215841 2020-08-26 00:37:53 -0700 DFG ASSERTION FAILED: m_value.isNumber() in DFGAbstractValue.cpp 2020-08-27 11:15:04 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build All Linux RESOLVED DUPLICATE 215894 InRadar P2 Normal --- 1 zhunkibatu webkit-unassigned fpizlo keith_miller mark.lam saam webkit-bug-importer oldest_to_newest 1682929 0 407279 zhunkibatu 2020-08-26 00:37:53 -0700 Created attachment 407279 the minimal poc The following test case cause a assersion failure in DFGAbstractValue.cpp: function main() { let arr = [1.1]; function opt() { (function (main = arr[0x1000]) {}()) } for (var i = 0; i < 0x1000; i++) opt(() => 0); } main(); 1683237 1 ap 2020-08-26 18:09:05 -0700 DFG ASSERTION FAILED: m_value.isNumber() ./dfg/DFGAbstractValue.cpp(133) : void JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph &, JSC::DFG::NodeFlags, JSC::DFG::Node *) undefined >>> 1 0x105130839 WTFCrash 2 0x10675fdbb WTFCrashWithInfo(int, char const*, char const*, int) 3 0x105dd6532 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, unsigned int, JSC::DFG::Node*) 4 0x105dd6b83 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, JSC::DFG::Node*) 5 0x105390557 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setBuiltInConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue) 6 0x1053905dc JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue) 7 0x105393556 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)::'lambda'(JSC::DFG::Edge&, JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&, JSC::DFG::Edge&) const 8 0x105385f83 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*) 9 0x105e9316a JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int) 10 0x105e916d6 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*) 11 0x105e91029 JSC::DFG::CFAPhase::performForwardCFA() 12 0x105e90cd6 JSC::DFG::CFAPhase::run() 13 0x105e907c4 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&) 14 0x105e5d7ab bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&) 15 0x105e5d775 JSC::DFG::performCFA(JSC::DFG::Graph&) 16 0x106168aa0 JSC::DFG::Plan::compileInThreadImpl() 17 0x106167348 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) 18 0x1062236de JSC::DFG::Worklist::ThreadBody::work() 19 0x105145c73 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const 20 0x10514587e WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() 21 0x1051578b2 WTF::Function<void ()>::operator()() const 22 0x1052055c8 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) 23 0x105211568 WTF::wtfThreadEntryPoint(void*) 24 0x7fff6a51a109 _pthread_start 25 0x7fff6a515b8b thread_start Segmentation fault: 11 1683238 2 webkit-bug-importer 2020-08-26 18:09:16 -0700 <rdar://problem/67841603> 1683438 3 saam 2020-08-27 11:15:04 -0700 Thanks for the report. Was actually just in the process of fixing this in 215894 *** This bug has been marked as a duplicate of bug 215894 *** 407279 2020-08-26 00:37:53 -0700 2020-08-26 00:37:53 -0700 the minimal poc poc.js text/javascript 181 zhunkibatu ZnVuY3Rpb24gbWFpbigpIHsKICAgIGxldCBhcnIgPSBbMS4xXTsKICAgIGZ1bmN0aW9uIG9wdCgp IHsKICAgICAgICAoZnVuY3Rpb24gKG1haW4gPSBhcnJbMHgxMDAwXSkge30oKSkKICAgIH0KICAg IGZvciAodmFyIGkgPSAwOyBpIDwgMHgxMDAwOyBpKyspCiAgICAgICAgb3B0KCgpID0+IDApOwp9 CgptYWluKCk7Cg==