Bug 117135

Summary: ASSERTION FAILED: !(forNode(edge).m_type & ~typeFilterFor(edge.useKind())) in JSC::DFG::AbstractState::filterEdgeByUse
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal
CC: fpizlo, oliver, rgabor, zherczeg
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980

Description Renata Hodovan 2013-06-03 01:59:05 PDT
The following test fails in debug WebKit:

function test() {
    // regexp2 starts as a RegExp object; --regexp2 coerces it to NaN,
    // so from the second iteration on it is a number, not an object.
    for (var regexp2 = /  /g; ; --regexp2) {
        // NaN >> 2 is 0; a property store on a number primitive is a no-op,
        // and nothing ever exits the loop, so the DFG OSR-compiles it mid-run.
        regexp2[regexp2 >> 2] = regexp2;
    }
}

test();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt 
#0  0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1  0x0000000000549d8f in JSC::DFG::AbstractState::filterEdgeByUse (this=0x7fffffffaef0, node=0x7fffb2110a10, edge=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGAbstractState.h:194
#2  0x0000000000540f3f in JSC::DFG::AbstractState::executeEdges (this=0x7fffffffaef0, node=0x7fffb2110a10)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGAbstractState.cpp:253
#3  0x0000000000546811 in JSC::DFG::AbstractState::execute (this=0x7fffffffaef0, indexInBlock=7)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1578
#4  0x000000000058e78b in JSC::DFG::ConstantFoldingPhase::foldConstants (this=0x7fffffffaee0, blockIndex=1)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:324
#5  0x000000000058d3d1 in JSC::DFG::ConstantFoldingPhase::run (this=0x7fffffffaee0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:62
#6  0x000000000058f5a6 in JSC::DFG::runAndLog<JSC::DFG::ConstantFoldingPhase> (phase=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:75
#7  0x000000000058f2a1 in JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase> (graph=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:85
#8  0x000000000058cfc3 in JSC::DFG::performConstantFolding (graph=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:464
#9  0x000000000059aafd in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fffb21c20a0, codeBlock=0xf42e30, jitCode=..., 
    jitCodeWithArityCheck=0x7fffb217fdc0, osrEntryBytecodeIndex=4) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:140
#10 0x000000000059a424 in JSC::DFG::tryCompileFunction (exec=0x7fffb21c20a0, codeBlock=0xf42e30, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=4)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:182
#11 0x00000000007355af in JSC::jitCompileFunctionIfAppropriate (exec=0x7fffb21c20a0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., 
    jitType=JSC::JITCode::DFGJIT, bytecodeIndex=4, effort=JSC::JITCompilationCanFail)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITDriver.h:95
#12 0x00000000007358a1 in JSC::prepareFunctionForExecution (exec=0x7fffb21c20a0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., 
    jitType=JSC::JITCode::DFGJIT, bytecodeIndex=4, kind=JSC::CodeForCall)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/ExecutionHarness.h:68
#13 0x0000000000733c40 in JSC::FunctionExecutable::compileForCallInternal (this=0x7fffb217fd70, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, 
    jitType=JSC::JITCode::DFGJIT, bytecodeIndex=4) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:539
#14 0x0000000000733441 in JSC::FunctionExecutable::compileOptimizedForCall (this=0x7fffb217fd70, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, bytecodeIndex=4)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:464
#15 0x000000000048430c in JSC::FunctionExecutable::compileOptimizedFor (this=0x7fffb217fd70, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, bytecodeIndex=4, 
    kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.h:679
#16 0x000000000047e87c in JSC::FunctionCodeBlock::compileOptimized (this=0xf51be0, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, bytecodeIndex=4)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2843
#17 0x0000000000677f24 in JSC::cti_optimize (args=0x7fffffffccd0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:1964
#18 0x00000000006750f9 in JSC::tryCacheGetByID (callFrame=0x7fffb21c20a0, codeBlock=0x7ffff7f5f970, returnAddress=..., baseValue=..., propertyName=..., 
    slot=..., stubInfo=0x7ff9000000000004) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:1068

Comment 1 Renata Hodovan 2015-06-26 09:46:01 PDT
Cannot repro this anymore.