Bug 164775

Summary: REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage()
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo, ggaren, keith_miller, mark.lam, msaboff, saam
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch mark.lam: review+

Description Ryan Haddad 2016-11-15 08:29:48 PST
ASSERTION FAILED: hasInlineStorage()

https://build.webkit.org/builders/Apple%20Yosemite%20Debug%20JSC%20%28Tests%29/builds/7323

stress/object-constructor-should-be-new-target-aware.js.default: ASSERTION FAILED: hasInlineStorage()
stress/object-constructor-should-be-new-target-aware.js.default: /Volumes/Data/slave/yosemite-debug/build/Source/JavaScriptCore/runtime/JSObject.h(660) : PropertyStorage JSC::JSObject::inlineStorage()
stress/object-constructor-should-be-new-target-aware.js.default: 1   0x10ba055a0 WTFCrash
stress/object-constructor-should-be-new-target-aware.js.default: 2   0x10a972d09 JSC::JSObject::inlineStorage()
stress/object-constructor-should-be-new-target-aware.js.default: 3   0x10a9860ae JSC::JSFinalObject::JSFinalObject(JSC::VM&, JSC::Structure*, JSC::Butterfly*)
stress/object-constructor-should-be-new-target-aware.js.default: 4   0x10a985f3d JSC::JSFinalObject::JSFinalObject(JSC::VM&, JSC::Structure*, JSC::Butterfly*)
stress/object-constructor-should-be-new-target-aware.js.default: 5   0x10a985d71 JSC::JSFinalObject::create(JSC::ExecState*, JSC::Structure*, JSC::Butterfly*)
stress/object-constructor-should-be-new-target-aware.js.default: 6   0x10a9826f1 JSC::constructEmptyObject(JSC::ExecState*, JSC::Structure*)
stress/object-constructor-should-be-new-target-aware.js.default: 7   0x10b634b2d JSC::constructObject(JSC::ExecState*, JSC::JSValue)
stress/object-constructor-should-be-new-target-aware.js.default: 8   0x10b632771 JSC::constructWithObjectConstructor(JSC::ExecState*)
stress/object-constructor-should-be-new-target-aware.js.default: 9   0x10b58cd0a JSC::LLInt::handleHostCall(JSC::ExecState*, JSC::Instruction*, JSC::JSValue, JSC::CodeSpecializationKind)
stress/object-constructor-should-be-new-target-aware.js.default: 10  0x10b58dbcc JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*)
stress/object-constructor-should-be-new-target-aware.js.default: 11  0x10b58d7c6 JSC::LLInt::genericCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind)
stress/object-constructor-should-be-new-target-aware.js.default: 12  0x10b58a0ac llint_slow_path_construct
stress/object-constructor-should-be-new-target-aware.js.default: 13  0x10b598474 llint_entry
stress/object-constructor-should-be-new-target-aware.js.default: 14  0x10b598486 llint_entry
stress/object-constructor-should-be-new-target-aware.js.default: 15  0x10b5909de vmEntryToJavaScript
stress/object-constructor-should-be-new-target-aware.js.default: 16  0x10b360efc JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
stress/object-constructor-should-be-new-target-aware.js.default: 17  0x10b2dc58e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
stress/object-constructor-should-be-new-target-aware.js.default: 18  0x10abad855 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
stress/object-constructor-should-be-new-target-aware.js.default: 19  0x10a6417c4 runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul, WTF::CrashOnOverflow, 16ul> const&, WTF::String const&, bool, bool, bool)
stress/object-constructor-should-be-new-target-aware.js.default: 20  0x10a6409e3 runJSC(JSC::VM*, CommandLine)
stress/object-constructor-should-be-new-target-aware.js.default: 21  0x10a63f93f jscmain(int, char**)
stress/object-constructor-should-be-new-target-aware.js.default: 22  0x10a63f80b main
stress/object-constructor-should-be-new-target-aware.js.default: 23  0x7fff878515c9 start

** The following JSC stress test failures have been introduced:
	stress/object-constructor-should-be-new-target-aware.js.default
	stress/object-constructor-should-be-new-target-aware.js.dfg-eager
	stress/object-constructor-should-be-new-target-aware.js.dfg-eager-no-cjit-validate
	stress/object-constructor-should-be-new-target-aware.js.dfg-maximal-flush-validate-no-cjit
	stress/object-constructor-should-be-new-target-aware.js.ftl-eager
	stress/object-constructor-should-be-new-target-aware.js.ftl-eager-no-cjit
	stress/object-constructor-should-be-new-target-aware.js.ftl-no-cjit-no-inline-validate
	stress/object-constructor-should-be-new-target-aware.js.ftl-no-cjit-no-put-stack-validate
	stress/object-constructor-should-be-new-target-aware.js.ftl-no-cjit-small-pool
	stress/object-constructor-should-be-new-target-aware.js.ftl-no-cjit-validate-sampling-profiler
	stress/object-constructor-should-be-new-target-aware.js.no-cjit-validate-phases
	stress/object-constructor-should-be-new-target-aware.js.no-ftl
	stress/object-constructor-should-be-new-target-aware.js.no-llint
Comment 1 Filip Pizlo 2016-11-15 09:06:51 PST
Oh shoot!

I'm looking at this now.
Comment 2 Filip Pizlo 2016-11-15 09:18:11 PST
Created attachment 294841 [details]
the patch
Comment 3 Mark Lam 2016-11-15 09:20:40 PST
Comment on attachment 294841 [details]
the patch

r=me
Comment 4 Filip Pizlo 2016-11-15 09:33:25 PST
Landed in https://trac.webkit.org/changeset/208734