Bug 232871

Summary: ASSERTION FAILED: isInt32() in jumpForTypedArrayOutOfBounds
Product: WebKit
Reporter: Lukas Bernhard <lukas.bernhard>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: lukas.bernhard, vulbugs, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: PC
OS: Linux

Description Lukas Bernhard 2021-11-09 02:15:39 PST
The attached sample triggers an assertion in WebKit on git commit 016f88c15b9bf0ebae0090babdad6a34e783d1b5.
Build command: ./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12'"
Run command: WebKitBuild/Debug/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js

ASSERTION FAILED: isInt32()
../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h(518) : int32_t JSC::JSValue::asInt32() const

sample.js:
```js
// Fuzzer-generated reproducer as attached to the report. The eval'd snippet
// indexes the Int16Array with v31 = ++v30, where v30 starts as the double
// literal -4.0; the loops re-run the eval enough times for the DFG to compile
// it, at which point the bounds-check emission in the backtrace below asserts.
function main() {
    const v10 = new Int16Array(16);

    for (const v18 of "06WLndhrZE") {
        let v25 = 0;
        do {
            const v29 = ` 
                let v30 = -4.0;
                v31 = ++v30;          // implicit global (sloppy mode)
                const v32 = v10[v31]; // typed-array read at index -3
            `;
            const v34 = eval(v29);
            v48 = v25++;              // implicit global (sloppy mode)
        } while (v25 < 10);
    }
}
main();
```

Full backtrace:
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff5a27864 in __GI_abort () at abort.c:79
#2  0x000000000042ab0b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:732
#3  0x000000000045dc3b in JSC::JSValue::asInt32 (this=0x7fffffff3ad0)
    at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:518
#4  0x000000000080c182 in JSC::DFG::Node::asInt32 (this=0x7ffff5084548) at ../../Source/JavaScriptCore/dfg/DFGNode.h:854
#5  0x000000000080b945 in JSC::DFG::Node::asUInt32 (this=0x7ffff5084548) at ../../Source/JavaScriptCore/dfg/DFGNode.h:859
#6  0x0000000000c2d976 in JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds (this=0x7fffb4cf6600, node=0x7ffff5085f08, 
    baseGPR=JSC::X86Registers::esi, indexGPR=JSC::X86Registers::ecx, scratchGPR=JSC::X86Registers::r8)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3250
#7  0x0000000000c2dad3 in JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck (this=0x7fffb4cf6600, node=0x7ffff5085f08, 
    baseGPR=JSC::X86Registers::esi, indexGPR=JSC::X86Registers::ecx, scratchGPR=JSC::X86Registers::r8)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3277
#8  0x0000000000c2e6dc in JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray(JSC::DFG::Node*, JSC::TypedArrayType, WTF::ScopedLambda<std::tuple<JSC::JSValueRegs, JSC::DataFormat, JSC::DFG::SpeculativeJIT::CanUseFlush> (JSC::DataFormat)> const&)
    (this=0x7fffb4cf6600, node=0x7ffff5085f08, type=JSC::TypeInt16, prefix=...)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3417
#9  0x0000000000dc8ac4 in JSC::DFG::SpeculativeJIT::compileGetByVal(JSC::DFG::Node*, WTF::ScopedLambda<std::tuple<JSC::JSValueRegs, JSC::DataFormat, JSC::DFG::SpeculativeJIT::CanUseFlush> (JSC::DataFormat)> const&) (this=0x7fffb4cf6600, 
    node=0x7ffff5085f08, prefix=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2697
#10 0x0000000000dca924 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffb4cf6600, node=0x7ffff5085f08)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:3293
#11 0x0000000000c15e94 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x7fffb4cf6600)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2297
#12 0x0000000000c29574 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffb4cf6600)
    at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2407
#13 0x0000000000a37524 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffff8dd0)
    at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:135
#14 0x0000000000a38e3e in JSC::DFG::JITCompiler::compile (this=0x7fffffff8dd0)
    at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:365
#15 0x0000000000ae9696 in JSC::DFG::Plan::compileInThreadImpl (this=0x7ffff508d280)
    at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:343
#16 0x000000000121beef in JSC::JITPlan::compileInThread (this=0x7ffff508d280, thread=0x0)
    at ../../Source/JavaScriptCore/jit/JITPlan.cpp:170
#17 0x000000000128f577 in JSC::JITWorklist::enqueue (this=0x7ffff509a2e0, plan=...)
    at ../../Source/JavaScriptCore/jit/JITWorklist.cpp:83
#18 0x00000000009bbd46 in JSC::DFG::compileImpl (vm=..., codeBlock=0x7fffb46c04c0, profiledDFGCodeBlock=0x0, 
    mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...)
    at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:90
#19 0x00000000009bb913 in JSC::DFG::compile (vm=..., codeBlock=0x7fffb46c04c0, profiledDFGCodeBlock=0x0, 
    mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...)
    at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:106
#20 0x00000000011fc5a8 in JSC::operationOptimize (vmPointer=0x7fffb4e00000, bytecodeIndexBits=0)
    at ../../Source/JavaScriptCore/jit/JITOperations.cpp:2095
#21 0x00007fffb4fff7de in ?? ()
#22 0x00007fffffffaed0 in ?? ()
#23 0x00007fffb5000338 in ?? ()
#24 0x00007fffffffae90 in ?? ()
#25 0x000000000042fde5 in std::_Tuple_impl<0ul, JSC::StructureIDTable::StructureOrOffset*, WTF::UniqueArrayFree<JSC::StructureIDTable::StructureOrOffset []> >::_M_head (__t=...)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:204
#26 0x0000000001d0043e in vmEntryToJavaScript ()
#27 0x000000000115c372 in JSC::JITCode::execute (this=0x7ffff50f2260, vm=0x7fffb4e00000, protoCallFrame=0x7fffffffb1d8)
    at ../../Source/JavaScriptCore/jit/JITCodeInlines.h:42
#28 0x000000000114e0e8 in JSC::Interpreter::execute (this=0x7ffff50fe250, eval=0x7ffff50f9ae8, 
    lexicalGlobalObject=0x7fffb4af6068, thisValue=..., scope=0x7fffb46b0fc0)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1244
#29 0x000000000114c0ea in JSC::eval (globalObject=0x7fffb4af6068, callFrame=0x7fffffffc430, ecmaMode=...)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:164
#30 0x000000000120ccca in JSC::operationCallEval (globalObject=0x7fffb4af6068, calleeFrame=0x7fffffffc430, ecmaMode=...)
    at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1443
#31 0x00007fffb500288b in ?? ()
#32 0x00007fffffffc530 in ?? ()
#33 0x00007ffff50bad18 in ?? ()
#34 0x0000000000000000 in ?? ()
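As an added example, written here and not taken from the report or from WebKit: the check a regression test for this report would make. It re-runs the report's eval'd snippet many times inside one function scope (a direct eval, so it sees `v10` the way the eval inside `main()` does, and the engine's tiers get a chance to compile it) and records every distinct result; per ECMAScript a read at index -3 of an Int16Array must yield `undefined` every time, so any other value means a JIT tier changed observable behaviour. The second function tabulates the spec results for the index kinds a typed-array bounds check has to handle (negative, fractional, past-end, string-form, and out-of-bounds writes). `ITERATIONS`, the function names and the fill value 7 are constructed here; it runs on any spec-conforming engine (Node, `jsc`).

```javascript
// Added example (not from the bug report or WebKit): a regression-style check
// that typed-array element reads keep their ECMAScript semantics no matter how
// often the snippet runs, i.e. regardless of which JIT tier compiled it.
// ITERATIONS, the function names and the fill value 7 are constructed here.

// The eval'd snippet from the report, trimmed so the read value is the eval
// result: v31 is -3, computed from the double literal -4.0.
const REPORT_SNIPPET = `
    let v30 = -4.0;
    const v31 = ++v30;
    v10[v31];
`;

const ITERATIONS = 20000;

// Evaluates the snippet repeatedly in one function scope (a direct eval, so it
// sees the local v10 exactly as the eval inside main() in the report does) and
// collects the distinct results. A conforming engine returns undefined every
// time: "-3" is a canonical numeric key but not a valid integer index, so the
// read is out of bounds and neither throws nor touches the buffer.
function runSnippetRepeatedly() {
  const v10 = new Int16Array(16); // referenced by the eval'd snippet
  const seen = new Set();
  for (let i = 0; i < ITERATIONS; i++) {
    seen.add(eval(REPORT_SNIPPET));
  }
  return [...seen]; // expected: [undefined]
}

// Tabulates the result of an Int16Array access for each index kind a bounds
// check must handle. Every out-of-range form must read as undefined and must
// drop writes without creating a property; only non-numeric keys behave as
// ordinary properties.
function probeTypedArrayIndexing() {
  const ta = new Int16Array(16).fill(7);
  ta[-3] = 9;   // out-of-bounds write: silently ignored
  ta[1.5] = 9;  // fractional index: also ignored
  ta.foo = 1;   // non-numeric key: ordinary own property
  return {
    inBounds: ta[3],                                          // 7
    negativeInt: ta[-3],                                      // undefined
    negativeDouble: ta[-3.0],                                 // undefined (same number as -3)
    fractional: ta[1.5],                                      // undefined
    pastEnd: ta[16],                                          // undefined (length is 16)
    asString: ta["-3"],                                       // undefined (same canonical numeric key)
    writeOutOfBoundsIgnored: !("-3" in ta) && !("1.5" in ta), // true: no property was created
    contentsUntouched: ta.every((x) => x === 7),              // true: the ignored writes changed nothing
    nonNumericKey: ta.foo,                                    // 1
  };
}

console.log(runSnippetRepeatedly());
console.log(probeTypedArrayIndexing());
```

Running it under the report's `jsc` command line (with `sample.js` replaced by this file) exercises the same tier-up path as the reproducer; the value of the check is that it asserts the expected result instead of relying on a debug assertion to notice a wrong one.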
Comment 1 Radar WebKit Bug Importer 2021-11-16 02:16:23 PST
<rdar://problem/85449644>
Comment 2 Yusuke Suzuki 2022-09-19 19:25:10 PDT
This is fixed in bug 233610, thanks!

*** This bug has been marked as a duplicate of bug 233610 ***