Bug 160562

Summary: ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Keith Miller <keith_miller>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, keith_miller, msaboff, ossy, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 160620    
Bug Blocks:    
Attachments:
Description Flags
Repro test case.
none
Patch
none
Patch for landing none

Mark Lam
Reported 2016-08-04 12:24:54 PDT
Created attachment 285346 [details] Repro test case. Run jsc against the attached test case. We'll get an assertion failure.
Attachments
Repro test case. (369 bytes, application/x-javascript)
2016-08-04 12:24 PDT, Mark Lam 		no flags
Details
Patch (5.02 KB, patch)
2016-08-04 13:18 PDT, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch for landing (5.05 KB, patch)
2016-08-04 13:23 PDT, Keith Miller 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2016-08-04 12:26:13 PDT
<rdar://problem/27704825>
Keith Miller
Comment 2 2016-08-04 13:18:18 PDT
Created attachment 285353 [details] Patch
Mark Lam
Comment 3 2016-08-04 13:21:30 PDT
Comment on attachment 285353 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=285353&action=review r=me. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4579 > + // It would be great if constant folding handled automatically handled the case where we knew the hasInstance function typo: /handled automatically handled/automatically handled/.
Keith Miller
Comment 4 2016-08-04 13:23:23 PDT
Created attachment 285356 [details] Patch for landing
WebKit Commit Bot
Comment 5 2016-08-04 14:12:39 PDT
Comment on attachment 285356 [details] Patch for landing Clearing flags on attachment: 285356 Committed r204140: <http://trac.webkit.org/changeset/204140>
WebKit Commit Bot
Comment 6 2016-08-04 14:12:42 PDT
All reviewed patches have been landed. Closing bug.
Csaba Osztrogonác
Comment 7 2016-08-05 02:35:18 PDT
(In reply to comment #5) > Comment on attachment 285356 [details] > Patch for landing > > Clearing flags on attachment: 285356 > > Committed r204140: <http://trac.webkit.org/changeset/204140> still asserting on the 32 bit Apple Mac bots: https://build.webkit.org/builders/Apple%20El%20Capitan%2032-bit%20JSC%20%28BuildAndTest%29/builds/3143/steps/webkit-32bit-jsc-test/logs/stdio
Csaba Osztrogonác
Comment 8 2016-08-11 03:01:42 PDT
(In reply to comment #7) > (In reply to comment #5) > > Comment on attachment 285356 [details] > > Patch for landing > > > > Clearing flags on attachment: 285356 > > > > Committed r204140: <http://trac.webkit.org/changeset/204140> > > still asserting on the 32 bit Apple Mac bots: > > https://build.webkit.org/builders/Apple%20El%20Capitan%2032- > bit%20JSC%20%28BuildAndTest%29/builds/3143/steps/webkit-32bit-jsc-test/logs/ > stdio just to document, fixed by http://trac.webkit.org/changeset/204209
Note You need to log in before you can comment on or make changes to this bug.