Bug 246930

Summary: REGRESSION(255859@main) dfg/DFGCFAPhase.cpp(240) : JSC::DFG::CFAPhase::performBlockCFA: DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World])
Product: WebKit Reporter: Fujii Hironori <fujii.hironori>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Fujii Hironori
Reported 2022-10-23 20:34:02 PDT
dfg/DFGCFAPhase.cpp(240) : JSC::DFG::CFAPhase::performBlockCFA: DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World]) I'm testing with WinCairo WK1/WK2 255897@main Debug build. Loading results.html of layout tests is causing an assertion failure. 1. Start WinCairo WK1/WK2 MiniBrowser (Debug build) 2. Load https://build.webkit.org/results/WinCairo-64-bit-WKL-Release-Tests/255899@main%20(8495)/results.html 3. Crash due to an assertion failure DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World]) C:\home\webkit\gc\Source\JavaScriptCore\dfg/DFGCFAPhase.cpp(240) : JSC::DFG::CFAPhase::performBlockCFA While handling node D@50 Graph at time of failure: 11: DFG for #<no-hash>:[000001A8F73A25E0->000001A8F73A24B0->000001A8B0B26350, DFGFunctionCall, 30 (StrictMode)]: 11: Fixpoint state: FixpointNotConverged; Form: ThreadedCPS; Unification state: GloballyUnified; Ref count state: EverythingIsLive 11: Arguments for block#0: D@0, D@1, D@2 0 11: Block #0 (bc#0): (OSR target) 0 11: Execution count: 1.000000 0 11: Predecessors: 0 11: Successors: #1 0 11: Dominated by: #root #0 0 11: Dominates: #0 #1 0 11: Dominance Frontier: 0 11: Iterated Dominance Frontier: 0 11: States: StructuresAreWatched 0 11: Vars Before: arg2:(Cell|Empty, TOP, TOP, none:StructuresAreClobbered) arg1:(Cell|Empty, TOP, TOP, none:StructuresAreClobbered) arg0:(BytecodeTop, TOP, TOP, none:StructuresAreClobbered) 0 11: Intersected Vars Before: arg2:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg1:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered) 0 11: Var Links: arg2:D@2 arg1:D@1 arg0:D@0 0 0 11: D@0:< 1:-> SetArgumentDefinitely(IsFlushed, this(A~<Other>/FlushedJSValue), W:SideState, bc#0, ExitValid) predicting Other 1 0 11: D@1:< 1:-> SetArgumentDefinitely(IsFlushed, arg1(B<Final>/FlushedCell), W:SideState, bc#0, ExitValid) predicting Final 2 0 11: D@63:<!0:-> GetLocal(Check:Untyped:D@1, JS|MustGen|PureInt, Final, arg1(B<Final>/FlushedCell), R:Stack(arg1), bc#0, ExitValid) predicting Final 3 0 11: D@64:<!0:-> CheckStructure(Cell:D@63, MustGen, [%Bb:Object], R:JSCell_structureID, Exits, bc#0, ExitValid) 4 0 11: D@2:< 1:-> SetArgumentDefinitely(IsFlushed, arg2(C<Final>/FlushedCell), W:SideState, bc#0, ExitValid) predicting Final 5 0 11: D@65:<!0:-> GetLocal(Check:Untyped:D@2, JS|MustGen|PureInt, Final, arg2(C<Final>/FlushedCell), R:Stack(arg2), bc#0, ExitValid) predicting Final 6 0 11: D@66:<!0:-> CheckStructure(Cell:D@65, MustGen, [%Bb:Object], R:JSCell_structureID, Exits, bc#0, ExitValid) 7 0 11: D@3:< 1:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid) 8 0 11: D@4:<!0:-> MovHint(Check:Untyped:D@3, MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitValid) 9 0 11: D@5:< 1:-> SetLocal(Check:Untyped:D@3, loc0(D~<Other>/FlushedJSValue), W:Stack(loc0), bc#0, ExitInvalid) predicting Other 10 0 11: D@6:<!0:-> MovHint(Check:Untyped:D@3, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid) 11 0 11: D@7:< 1:-> SetLocal(Check:Untyped:D@3, loc1(E~<Other>/FlushedJSValue), W:Stack(loc1), bc#0, ExitInvalid) predicting Other 12 0 11: D@8:<!0:-> MovHint(Check:Untyped:D@3, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid) 13 0 11: D@9:< 1:-> SetLocal(Check:Untyped:D@3, loc2(F~<Other>/FlushedJSValue), W:Stack(loc2), bc#0, ExitInvalid) predicting Other 14 0 11: D@10:<!0:-> MovHint(Check:Untyped:D@3, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid) 15 0 11: D@11:< 1:-> SetLocal(Check:Untyped:D@3, loc3(G~<Other>/FlushedJSValue), W:Stack(loc3), bc#0, ExitInvalid) predicting Other 16 0 11: D@12:<!0:-> MovHint(Check:Untyped:D@3, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid) 17 0 11: D@13:< 1:-> SetLocal(Check:Untyped:D@3, loc4(H~<Other>/FlushedJSValue), W:Stack(loc4), bc#0, ExitInvalid) predicting Other 18 0 11: D@14:<!0:-> MovHint(Check:Untyped:D@3, MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid) 19 0 11: D@15:< 1:-> SetLocal(Check:Untyped:D@3, loc5(I~<Other>/FlushedJSValue), W:Stack(loc5), bc#0, ExitInvalid) predicting Other 20 0 11: D@16:<!0:-> Jump(MustGen, T:#1, W:SideState, bc#1, ExitValid) 0 11: States: InvalidBranchDirection, StructuresAreWatched 0 11: Vars After: arg2:(Final, NonArray, [%Bb:Object], 1:StructuresAreWatched) arg1:(Final, NonArray, [%Bb:Object], 1:StructuresAreWatched) arg0:(BytecodeTop, TOP, TOP, 1:StructuresAreWatched) loc0:(Other, Undefined, 1:StructuresAreWatched) loc1:(Other, Undefined, 1:StructuresAreWatched) loc2:(Other, Undefined, 1:StructuresAreWatched) loc3:(Other, Undefined, 1:StructuresAreWatched) loc4:(Other, Undefined, 1:StructuresAreWatched) loc5:(Other, Undefined, 1:StructuresAreWatched) 0 11: Var Links: arg2:D@65 arg1:D@63 arg0:D@0 loc0:D@5 loc1:D@7 loc2:D@9 loc3:D@11 loc4:D@13 loc5:D@15 1 11: Block #1 (bc#1): 1 11: Execution count: 1.000000 1 11: Predecessors: #0 1 11: Successors: 1 11: Dominated by: #root #0 #1 1 11: Dominates: #1 1 11: Dominance Frontier: 1 11: Iterated Dominance Frontier: 1 11: Phi Nodes: D@60<arg1,1, IsFlushed>->(D@1), D@61<arg2,1, IsFlushed>->(D@2), D@62<this,1, IsFlushed>->(D@0) 1 11: States: StructuresAreWatched 1 11: Vars Before: arg2:(Final, NonArray, [%Bb:Object], 1:StructuresAreWatched) arg1:(Final, NonArray, [%Bb:Object], 1:StructuresAreWatched) arg0:(BytecodeTop, TOP, TOP, 1:StructuresAreWatched) 1 11: Intersected Vars Before: arg2:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg1:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered) 1 11: Var Links: arg2:D@61 arg1:D@60 arg0:D@62 0 1 11: D@17:< 1:-> GetCallee(JS|UseAsOther, Function, R:Stack(callee), bc#1, ExitValid) 1 1 11: D@18:< 1:-> GetScope(KnownCell:D@17, JS|PureInt, OtherObj, bc#1, ExitValid) 2 1 11: D@19:<!0:-> MovHint(Check:Untyped:D@18, MustGen, loc4, W:SideState, ClobbersExit, bc#1, ExitValid) 3 1 11: D@20:< 1:-> SetLocal(Check:Untyped:D@18, loc4(J~<Object>/FlushedJSValue), W:Stack(loc4), bc#1, exit: bc#3, ExitValid) predicting OtherObj 4 1 11: D@21:<!0:-> MovHint(Check:Untyped:D@18, MustGen, loc5, W:SideState, ClobbersExit, bc#3, ExitValid) 5 1 11: D@22:< 1:-> SetLocal(Check:Untyped:D@18, loc5(K~<Object>/FlushedJSValue), W:Stack(loc5), bc#3, exit: bc#6, ExitValid) predicting OtherObj 6 1 11: D@23:<!0:-> CheckTraps(MustGen, R:InternalState, W:InternalState, Exits, ClobbersExit, bc#6, ExitValid) 7 1 11: D@24:<!0:-> GetLocal(Check:Untyped:D@60, JS|MustGen|UseAsOther, Final, arg1(B<Final>/FlushedCell), R:Stack(arg1), bc#7, ExitValid) predicting Final 8 1 11: D@25:<!0:-> FilterGetByStatus(Check:Untyped:D@24, MustGen, (Simple, <id='uid:(name)', [000001A900040800:[0000000000040800/264192, Object, (2/2, 1/4){name:0, info:1, isExpected:64}, NonArray, Proto:000001A8B0A50200, Leaf (Watched)]], [], offset = 0>, seenInJIT = true), W:SideState, bc#7, ExitValid) 9 1 11: D@26:<!0:-> Check(MustGen, bc#7, ExitValid) 10 1 11: D@27:<!0:-> CheckStructure(Cell:D@24, MustGen, [%Bb:Object], R:JSCell_structureID, Exits, bc#7, ExitValid) 11 1 11: D@28:< 1:-> GetByOffset(KnownCell:D@24, KnownCell:D@24, JS|UseAsOther, String, id0{name}, 0, R:NamedProperties(0), Exits, bc#7, ExitValid) predicting String 12 1 11: D@29:<!0:-> MovHint(Check:Untyped:D@28, MustGen, loc10, W:SideState, ClobbersExit, bc#7, ExitValid) 13 1 11: D@30:< 1:-> SetLocal(Check:Untyped:D@28, loc10(M~<String>/FlushedJSValue), W:Stack(loc10), bc#7, exit: bc#12, ExitValid) predicting String 14 1 11: D@31:<!0:-> FilterGetByStatus(Check:Untyped:D@28, MustGen, (Simple, <id='uid:(localeCompare)', [000001A900004250:[0000000000004250/16976, string, (0/0, 0/0){}, NonArray, Leaf (Watched)]], [<Object: 000001A8B07E18C8 with butterfly 000001A8B0A486A8(base=000001A8B0A484A0) (Structure 000001A900040790:[0000000000040790/264080, String, (0/0, 34/64){toString:64, valueOf:65, charAt:66, charCodeAt:67, codePointAt:68, indexOf:69, lastIndexOf:70, replaceUsingRegExp:71, replaceUsingStringSearch:72, replaceAllUsingStringSearch:73, slice:74, substr:75, substring:76, toLowerCase:77, toUpperCase:78, localeCompare:79, toLocaleLowerCase:80, toLocaleUpperCase:81, trim:82, startsWith:83, endsWith:84, includes:85, normalize:86, charCodeAt:87, at:88, trimStart:89, trimLeft:90, trimEnd:91, trimRight:92, Symbol.iterator:93, substr:94, endsWith:95, constructor:96, split:97}, NonArray, Proto:000001A8B08260E8, Leaf (Watched)]), StructureID: 264080: Presence of localeCompare at 79 with attributes 4>], offset = 79>, seenInJIT = true), W:SideState, bc#12, ExitValid) 15 1 11: D@32:<!0:-> Check(MustGen, bc#12, ExitValid) 16 1 11: D@33:<!0:-> CheckStructure(Check:Cell:D@28, MustGen, [%Am:string], R:JSCell_structureID, Exits, bc#12, ExitValid) 17 1 11: D@34:< 1:-> JSConstant(JS|UseAsOther, Function, Weak:Object: 000001A8B0960C80 with butterfly 000001A8B0A14AA8(base=000001A8B0A14A80) (Structure %BQ:Function), StructureID: 23024, bc#12, ExitValid) 18 1 11: D@35:<!0:-> MovHint(Check:Untyped:D@34, MustGen, loc6, W:SideState, ClobbersExit, bc#12, ExitValid) 19 1 11: D@36:< 1:-> SetLocal(Check:Untyped:D@34, loc6(N~<Object>/FlushedJSValue), W:Stack(loc6), bc#12, exit: bc#17, ExitValid) predicting Function 20 1 11: D@37:<!0:-> GetLocal(Check:Untyped:D@61, JS|MustGen|UseAsOther, Final, arg2(C<Final>/FlushedCell), R:Stack(arg2), bc#17, ExitValid) predicting Final 21 1 11: D@38:<!0:-> FilterGetByStatus(Check:Untyped:D@37, MustGen, (Simple, <id='uid:(name)', [000001A900040800:[0000000000040800/264192, Object, (2/2, 1/4){name:0, info:1, isExpected:64}, NonArray, Proto:000001A8B0A50200, Leaf (Watched)]], [], offset = 0>, seenInJIT = true), W:SideState, bc#17, ExitValid) 22 1 11: D@39:<!0:-> Check(MustGen, bc#17, ExitValid) 23 1 11: D@40:<!0:-> CheckStructure(Cell:D@37, MustGen, [%Bb:Object], R:JSCell_structureID, Exits, bc#17, ExitValid) 24 1 11: D@41:< 1:-> GetByOffset(KnownCell:D@37, KnownCell:D@37, JS|UseAsOther, String, id0{name}, 0, R:NamedProperties(0), Exits, bc#17, ExitValid) predicting String 25 1 11: D@42:<!0:-> MovHint(Check:Untyped:D@41, MustGen, loc9, W:SideState, ClobbersExit, bc#17, ExitValid) 26 1 11: D@43:< 1:-> SetLocal(Check:Untyped:D@41, loc9(P~<String>/FlushedJSValue), W:Stack(loc9), bc#17, exit: bc#22, ExitValid) predicting String 27 1 11: D@44:<!0:-> Flush(Check:Untyped:D@61, MustGen|IsFlushed, arg2(C<Final>/FlushedCell), R:Stack(arg2), W:SideState, bc#22, ExitValid) predicting Final 28 1 11: D@45:<!0:-> Flush(Check:Untyped:D@60, MustGen|IsFlushed, arg1(B<Final>/FlushedCell), R:Stack(arg1), W:SideState, bc#22, ExitValid) predicting Final 29 1 11: D@46:<!0:-> Flush(Check:Untyped:D@62, MustGen|IsFlushed, this(A~<Other>/FlushedJSValue), R:Stack(this), W:SideState, bc#22, ExitValid) predicting Other 30 1 11: D@47:<!0:-> FilterCallLinkStatus(Check:Untyped:D@34, MustGen, Statically Proved, (Function: Object: 000001A8B0960C80 with butterfly 000001A8B0A14AA8(base=000001A8B0A14A80) (Structure 000001A9000059F0:[00000000000059F0/23024, Function, (0/0, 2/4){length:64, name:65}, NonArray, Proto:000001A8B0853F28, Leaf (Watched)]), StructureID: 23024; Executable: NativeExecutable:00007FFC426D6F10/00007FFC42405D60), W:SideState, bc#22, ExitValid) 31 1 11: D@48:<!0:-> CheckIsConstant(Cell:D@34, MustGen, <000001A8B0960C80, Function>, <host function>, Exits, bc#22, ExitValid) 32 1 11: D@49:<!0:-> Check(MustGen, bc#22, ExitValid) 33 1 11: D@50:<!0:-> StringLocaleCompare(String:D@28, Check:String:D@41, Int32|MustGen|UseAsOther, Int32, R:World, W:SideState, Exits, bc#22, ExitValid) 34 1 11: D@51:<!0:-> MovHint(Check:Untyped:D@50, MustGen, loc6, W:SideState, ClobbersExit, bc#22, ExitValid) 35 1 11: D@52:<!0:-> Check(MustGen, bc#22, ExitInvalid) 36 1 11: D@53:<!0:-> Check(MustGen, bc#22, ExitInvalid) 37 1 11: D@54:<!0:-> Check(MustGen, bc#22, ExitInvalid) 38 1 11: D@55:< 1:-> SetLocal(Check:Untyped:D@50, loc6(R~<Int32>/FlushedJSValue), W:Stack(loc6), bc#22, exit: bc#28, ExitValid) predicting Int32 39 1 11: D@56:<!0:-> Return(Check:Untyped:D@50, MustGen, W:SideState, Exits, bc#28, ExitValid) 40 1 11: D@57:<!0:-> Flush(Check:Untyped:D@61, MustGen|IsFlushed, arg2(C<Final>/FlushedCell), R:Stack(arg2), W:SideState, bc#28, ExitValid) predicting Final 41 1 11: D@58:<!0:-> Flush(Check:Untyped:D@60, MustGen|IsFlushed, arg1(B<Final>/FlushedCell), R:Stack(arg1), W:SideState, bc#28, ExitValid) predicting Final 42 1 11: D@59:<!0:-> Flush(Check:Untyped:D@62, MustGen|IsFlushed, this(A~<Other>/FlushedJSValue), R:Stack(this), W:SideState, bc#28, ExitValid) predicting Other 1 11: States: InvalidBranchDirection, StructuresAreWatched 1 11: Vars After: 1 11: Var Links: arg2:D@37 arg1:D@24 arg0:D@46 loc4:D@20 loc5:D@22 loc6:D@55 loc9:D@43 loc10:D@30 11: GC Values: 11: Weak:Object: 000001A8B0960C80 with butterfly 000001A8B0A14AA8(base=000001A8B0A14A80) (Structure %BQ:Function), StructureID: 23024 11: Desired watchpoints: 11: Watchpoint sets: 11: Inline watchpoint sets: 000001A900005A58, 000001A9000041D8, 000001A900004868, 000001A900040868, 000001A9000042B8 11: SymbolTables: 11: FunctionExecutables: 11: Buffer views: 11: Object property conditions: <Object: 000001A8B07E18C8 with butterfly 000001A8B0A486A8(base=000001A8B0A484A0) (Structure %DY:String), StructureID: 264080: Equivalence of localeCompare with Object: 000001A8B0960C80 with butterfly 000001A8B0A14AA8(base=000001A8B0A14A80) (Structure %BQ:Function), StructureID: 23024> 11: Structures: 11: %Am:string = 000001A900004250:[0000000000004250/16976, string, (0/0, 0/0){}, NonArray, Leaf (Watched)] 11: %BQ:Function = 000001A9000059F0:[00000000000059F0/23024, Function, (0/0, 2/4){length:64, name:65}, NonArray, Proto:000001A8B0853F28, Leaf (Watched)] 11: %Bb:Object = 000001A900040800:[0000000000040800/264192, Object, (2/2, 1/4){name:0, info:1, isExpected:64}, NonArray, Proto:000001A8B0A50200, Leaf (Watched)] 11: %DY:String = 000001A900040790:[0000000000040790/264080, String, (0/0, 34/64){toString:64, valueOf:65, charAt:66, charCodeAt:67, codePointAt:68, indexOf:69, lastIndexOf:70, replaceUsingRegExp:71, replaceUsingStringSearch:72, replaceAllUsingStringSearch:73, slice:74, substr:75, substring:76, toLowerCase:77, toUpperCase:78, localeCompare:79, toLocaleLowerCase:80, toLocaleUpperCase:81, trim:82, startsWith:83, endsWith:84, includes:85, normalize:86, charCodeAt:87, at:88, trimStart:89, trimLeft:90, trimEnd:91, trimRight:92, Symbol.iterator:93, substr:94, endsWith:95, constructor:96, split:97}, NonArray, Proto:000001A8B08260E8, Leaf (Watched)] DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World]) C:\home\webkit\gc\Source\JavaScriptCore\dfg/DFGCFAPhase.cpp(240) : JSC::DFG::CFAPhase::performBlockCFA 1 00007FFCB6F6248B WTFCrash 1 00007FFCB6F6248B WTFCrash 2 00007FFC40C9A90E WTFCrashWithInfo 2 00007FFC40C9A90E WTFCrashWithInfo 3 00007FFC413CC74B JSC::DFG::CFAPhase::performBlockCFA 3 00007FFC413CC74B JSC::DFG::CFAPhase::performBlockCFA 4 00007FFC413CC94B JSC::DFG::CFAPhase::performForwardCFA 4 00007FFC413CC94B JSC::DFG::CFAPhase::performForwardCFA 5 00007FFC413D2DB0 JSC::DFG::CFAPhase::run 5 00007FFC413D2DB0 JSC::DFG::CFAPhase::run 6 00007FFC41371570 JSC::DFG::runAndLog<JSC::DFG::CFAPhase> 6 00007FFC41371570 JSC::DFG::runAndLog<JSC::DFG::CFAPhase> 7 00007FFC41371D44 JSC::DFG::runPhase<JSC::DFG::CFAPhase> 7 00007FFC41371D44 JSC::DFG::runPhase<JSC::DFG::CFAPhase> 8 00007FFC41231724 JSC::DFG::performCFA 8 00007FFC41231724 JSC::DFG::performCFA 9 00007FFC4153F7BD JSC::DFG::Plan::compileInThreadImpl 9 00007FFC4153F7BD JSC::DFG::Plan::compileInThreadImpl 10 00007FFC41E5B75D JSC::JITPlan::compileInThread 10 00007FFC41E5B75D JSC::JITPlan::compileInThread 11 00007FFC41EF6969 JSC::JITWorklistThread::work 11 00007FFC41EF6969 JSC::JITWorklistThread::work 12 00007FFCB6F6AC0A `WTF::AutomaticThread::start'::`2'::<lambda_1>::operator() 12 00007FFCB6F6AC0A `WTF::AutomaticThread::start'::`2'::<lambda_1>::operator() 13 00007FFCB6F6B00B WTF::Detail::CallableWrapper<`WTF::AutomaticThread::start'::`2'::<lambda_1>,void>::call 13 00007FFCB6F6B00B WTF::Detail::CallableWrapper<`WTF::AutomaticThread::start'::`2'::<lambda_1>,void>::call 14 00007FFCB6F7A4A3 WTF::Function<void __cdecl(void)>::operator() 14 00007FFCB6F7A4A3 WTF::Function<void __cdecl(void)>::operator() 15 00007FFCB7018668 WTF::Thread::entryPoint 15 00007FFCB7018668 WTF::Thread::entryPoint 16 00007FFCB70F3244 WTF::wtfThreadEntryPoint 16 00007FFCB70F3244 WTF::wtfThreadEntryPoint 17 00007FFD3C321BB2 configthreadlocale 17 00007FFD3C321BB2 configthreadlocale 18 00007FFD3D5E7034 BaseThreadInitThunk 18 00007FFD3D5E7034 BaseThreadInitThunk 19 00007FFD3EC426A1 RtlUserThreadStart 19 00007FFD3EC426A1 RtlUserThreadStart Exception thrown at 0x00007FFCB6F62490 (WTF.dll) in MiniBrowser.exe: 0xC0000005: Access violation writing location 0x00000000BBADBEEF.
Attachments
Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 1 2022-10-23 20:48:14 PDT
This is a regression between the following revision range: 255858@main Good 255866@main Bad 255859@main seems like the culprit.
Fujii Hironori
Comment 2 2022-10-24 13:15:47 PDT
I confirmed this is reproducible with debug build of Mac port, too.
Yusuke Suzuki
Comment 3 2022-10-24 13:31:26 PDT
Fixed in https://github.com/WebKit/WebKit/commit/748312d37ae615892bc463d456ed05a90a132ccf *** This bug has been marked as a duplicate of bug 246954 ***
Note You need to log in before you can comment on or make changes to this bug.