Bug 273854

Summary: [Win][JSC] REGRESSION(278477@main): crashing in operationPutByValSloppyOptimize of JITOperations.cpp
Product: WebKit Reporter: Fujii Hironori <fujii.hironori>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: lwarlow, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=273264
Bug Depends on: 254478    
Bug Blocks:    
Attachments:
Description Flags
crash log none

Fujii Hironori
Reported 2024-05-07 17:12:10 PDT
[Win][JSC] REGRESSION(278477@main): crashing in operationPutByValSloppyOptimize of JITOperations.cpp After 278477@main, Windows port is crashing. 00 0000003b`110fd060 000001d1`80002ca4 JavaScriptCore!operationPutByValSloppyOptimize(int64 encodedBaseValue = 0n2000416968128, int64 encodedSubscript = 0n2000417086208, int64 encodedValue = 0n2000384729672, class JSC::JSGlobalObject * globalObject = 0x000001d1`c22a6270, class JSC::StructureStubInfo * stubInfo = 0x000001d1`c03fceac, class JSC::ArrayProfile * profile = 0x000001d1`fc3283a0)+0x6f [C:\webkit\build\Source\JavaScriptCore\jit\JITOperations.cpp @ 1751] 01 0000003b`110fd1a0 0000bd9e`1ddb6d6f 0x000001d1`80002ca4 02 0000003b`110fd1a8 000001d1`8000301a 0x0000bd9e`1ddb6d6f 03 0000003b`110fd1b0 fffffff9`c2278a00 0x000001d1`8000301a
Attachments
crash log (165.48 KB, text/plain)
2024-05-07 17:19 PDT, Fujii Hironori 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 1 2024-05-07 17:15:04 PDT
I confirmed setting a env bar $env:JSC_useJIT=0 works around the crash. But, $env:JSC_useDFGJIT=0 doesn't.
Fujii Hironori
Comment 2 2024-05-07 17:19:08 PDT
Created attachment 471307 [details] crash log
Fujii Hironori
Comment 3 2024-05-07 17:43:46 PDT
bug#273854 is going to disable Windows JIT to work around crashing.
Radar WebKit Bug Importer
Comment 4 2024-05-14 17:13:16 PDT
<rdar://problem/128098257>
Note You need to log in before you can comment on or make changes to this bug.