Bug 228839

Summary: Assertion failure when checking array in DFG (32 bits)
Product: WebKit
Reporter: Mikhail R. Gadelha <mikhail>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, keith_miller, mark.lam, msaboff, sbarati, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Attachments:
  Testcase (attachment 435014) - Flags: none
  Patch (attachment 435018) - Flags: none

Description Mikhail R. Gadelha 2021-08-05 12:40:25 PDT
Created attachment 435014
Testcase

The failure:

ASSERTION FAILED: typeFilterFor(node->child1().useKind()) & SpecEmpty
../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(861) : void JSC::DFG::SpeculativeJIT::checkArray(JSC::DFG::Node*)
Aborted

It happens because, in 32-bit builds, the empty value doesn't pass the cell check. From SpeculatedType.h:

static constexpr SpeculatedType SpecCellCheck          = is64Bit() ? (SpecCell | SpecEmpty) : SpecCell;

So when we reach the assertion, SpecEmpty is not set.

There is no assertion failure when running jsc in release mode.
Comment 1 Mikhail R. Gadelha 2021-08-05 13:21:58 PDT
Created attachment 435018
Patch
Comment 2 Yusuke Suzuki 2021-08-05 18:54:17 PDT
Comment on attachment 435018
Patch

r=me
Comment 3 EWS 2021-08-05 18:59:47 PDT
Committed r280716 (240307@main): <https://commits.webkit.org/240307@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 435018.
Comment 4 Radar WebKit Bug Importer 2021-08-05 19:00:17 PDT
<rdar://problem/81595896>