232871 2021-11-09 02:15:39 -0800 ASSERTION FAILED: isInt32() in jumpForTypedArrayOutOfBounds 2022-09-19 19:25:10 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build PC Linux RESOLVED DUPLICATE 233610 InRadar P2 Normal --- 1 lukas.bernhard webkit-unassigned lukas.bernhard vulbugs webkit-bug-importer ysuzuki oldest_to_newest 1813039 0 lukas.bernhard 2021-11-09 02:15:39 -0800 The attached sample triggers an assertion in webkit on git commit 016f88c15b9bf0ebae0090babdad6a34e783d1b5 Build command: ./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12'" Run command: WebKitBuild/Debug/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js ASSERTION FAILED: isInt32() ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h(518) : int32_t JSC::JSValue::asInt32() const sample.js: ``` function main() { const v10 = new Int16Array(16); for (const v18 of "06WLndhrZE") { let v25 = 0; do { const v29 = ` let v30 = -4.0; v31 = ++v30; const v32 = v10[v31]; `; const v34 = eval(v29); v48 = v25++; } while (v25 < 10); } } main(); ``` Full backtrace: #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49 #1 0x00007ffff5a27864 in __GI_abort () at abort.c:79 #2 0x000000000042ab0b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:732 #3 0x000000000045dc3b in JSC::JSValue::asInt32 (this=0x7fffffff3ad0) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:518 #4 0x000000000080c182 in JSC::DFG::Node::asInt32 (this=0x7ffff5084548) at ../../Source/JavaScriptCore/dfg/DFGNode.h:854 #5 0x000000000080b945 in JSC::DFG::Node::asUInt32 (this=0x7ffff5084548) at ../../Source/JavaScriptCore/dfg/DFGNode.h:859 #6 0x0000000000c2d976 in JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds (this=0x7fffb4cf6600, node=0x7ffff5085f08, baseGPR=JSC::X86Registers::esi, indexGPR=JSC::X86Registers::ecx, scratchGPR=JSC::X86Registers::r8) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3250 #7 0x0000000000c2dad3 in JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck (this=0x7fffb4cf6600, node=0x7ffff5085f08, baseGPR=JSC::X86Registers::esi, indexGPR=JSC::X86Registers::ecx, scratchGPR=JSC::X86Registers::r8) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3277 #8 0x0000000000c2e6dc in JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray(JSC::DFG::Node*, JSC::TypedArrayType, WTF::ScopedLambda<std::tuple<JSC::JSValueRegs, JSC::DataFormat, JSC::DFG::SpeculativeJIT::CanUseFlush> (JSC::DataFormat)> const&) (this=0x7fffb4cf6600, node=0x7ffff5085f08, type=JSC::TypeInt16, prefix=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3417 #9 0x0000000000dc8ac4 in JSC::DFG::SpeculativeJIT::compileGetByVal(JSC::DFG::Node*, WTF::ScopedLambda<std::tuple<JSC::JSValueRegs, JSC::DataFormat, JSC::DFG::SpeculativeJIT::CanUseFlush> (JSC::DataFormat)> const&) (this=0x7fffb4cf6600, node=0x7ffff5085f08, prefix=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2697 #10 0x0000000000dca924 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffb4cf6600, node=0x7ffff5085f08) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:3293 #11 0x0000000000c15e94 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x7fffb4cf6600) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2297 #12 0x0000000000c29574 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffb4cf6600) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2407 #13 0x0000000000a37524 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffff8dd0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:135 #14 0x0000000000a38e3e in JSC::DFG::JITCompiler::compile (this=0x7fffffff8dd0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:365 #15 0x0000000000ae9696 in JSC::DFG::Plan::compileInThreadImpl (this=0x7ffff508d280) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:343 #16 0x000000000121beef in JSC::JITPlan::compileInThread (this=0x7ffff508d280, thread=0x0) at ../../Source/JavaScriptCore/jit/JITPlan.cpp:170 #17 0x000000000128f577 in JSC::JITWorklist::enqueue (this=0x7ffff509a2e0, plan=...) at ../../Source/JavaScriptCore/jit/JITWorklist.cpp:83 #18 0x00000000009bbd46 in JSC::DFG::compileImpl (vm=..., codeBlock=0x7fffb46c04c0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:90 #19 0x00000000009bb913 in JSC::DFG::compile (vm=..., codeBlock=0x7fffb46c04c0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:106 #20 0x00000000011fc5a8 in JSC::operationOptimize (vmPointer=0x7fffb4e00000, bytecodeIndexBits=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:2095 #21 0x00007fffb4fff7de in ?? () #22 0x00007fffffffaed0 in ?? () #23 0x00007fffb5000338 in ?? () #24 0x00007fffffffae90 in ?? () #25 0x000000000042fde5 in std::_Tuple_impl<0ul, JSC::StructureIDTable::StructureOrOffset*, WTF::UniqueArrayFree<JSC::StructureIDTable::StructureOrOffset []> >::_M_head (__t=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:204 #26 0x0000000001d0043e in vmEntryToJavaScript () #27 0x000000000115c372 in JSC::JITCode::execute (this=0x7ffff50f2260, vm=0x7fffb4e00000, protoCallFrame=0x7fffffffb1d8) at ../../Source/JavaScriptCore/jit/JITCodeInlines.h:42 #28 0x000000000114e0e8 in JSC::Interpreter::execute (this=0x7ffff50fe250, eval=0x7ffff50f9ae8, lexicalGlobalObject=0x7fffb4af6068, thisValue=..., scope=0x7fffb46b0fc0) --Type <RET> for more, q to quit, c to continue without paging-- at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1244 #29 0x000000000114c0ea in JSC::eval (globalObject=0x7fffb4af6068, callFrame=0x7fffffffc430, ecmaMode=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:164 #30 0x000000000120ccca in JSC::operationCallEval (globalObject=0x7fffb4af6068, calleeFrame=0x7fffffffc430, ecmaMode=...) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1443 #31 0x00007fffb500288b in ?? () #32 0x00007fffffffc530 in ?? () #33 0x00007ffff50bad18 in ?? () #34 0x0000000000000000 in ?? () 1815407 1 webkit-bug-importer 2021-11-16 02:16:23 -0800 <rdar://problem/85449644> 1899695 2 ysuzuki 2022-09-19 19:25:10 -0700 This is fixed in bug 233610, thanks! *** This bug has been marked as a duplicate of bug 233610 ***