Bug 191058

Summary:	Reproducible RELEASE_ASSERT(materialization->properties().size() - 2 == table->scopeSize()) in FTLOperations.cpp
Product:	WebKit	Reporter:	zhunkibatu
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED WORKSFORME
Severity:	Normal	CC:	keith_miller, rmorisset, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	PC
OS:	Linux

zhunkibatu

Reported 2018-10-30 01:24:41 PDT

the following poc triggered an assertion failure: RELEASE_ASSERT(materialization->properties().size() - 2 == table->scopeSize()); at ../../Source/JavaScriptCore/ftl/FTLOperations.cpp:236 poc: function f(x,x,x,x){eval;} for(var i=0;i<100000;i++){f();} f(0,1,2,3);

Attachments
Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2018-10-30 14:48:27 PDT

I can reproduce with latest shipping Safari.

Radar WebKit Bug Importer

Comment 2 2018-10-30 14:48:52 PDT

<rdar://problem/45681780>

Keith Miller

Comment 3 2018-12-10 14:40:03 PST

I can't reproduce this on ToT.

Robin Morisset

Comment 4 2019-02-15 16:29:26 PST

I could not reproduce it either, and I tried it on several versions of Safari going back all the way to March 2018.. not sure what is going on.

Note You need to log in before you can comment on or make changes to this bug.