Bug 282342

Summary:	[JSC] ASSERTION FAILED: oldStructure == newStructure->previousID()
Product:	WebKit	Reporter:	Michael Saboff <msaboff>
Component:	JavaScriptCore	Assignee:	Michael Saboff <msaboff>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	Other
Hardware:	Unspecified
OS:	Unspecified

Michael Saboff

Reported 2024-10-30 11:07:46 PDT

In llint_slow_path_put_by_id, there is an ASSERT(oldStructure == newStructure->previousID()) that is immediately followed by if oldStructure == newStructure->previousID(). The ASSERT shouldn't be there, as we can crash with a Debug build that works fine with a Release build. The crash is something like: ASSERTION FAILED: oldStructure == newStructure->previousID() ./llint/LLIntSlowPaths.cpp(1137) : UGPRPair JSC::LLInt::llint_slow_path_put_by_id(CallFrame *, const JSInstruction *) 1 0x1244040c4 llint_slow_path_put_by_id 2 0x12a460b64 jsc_llint_llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__opPutByIdSlow 3 0x12a47d8e0 op_call_return_location 4 0x12a44f380 vmEntryToJavaScriptGateAfter 5 0x123ed0d40 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) ...

Attachments
Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2024-10-30 11:08:12 PDT

<rdar://138178461>

Michael Saboff

Comment 2 2024-10-30 11:27:50 PDT

Pull request: https://github.com/WebKit/WebKit/pull/35952

EWS

Comment 3 2024-10-30 17:58:22 PDT

Committed 285932@main (424a5b978e64): <https://commits.webkit.org/285932@main> Reviewed commits have been landed. Closing PR #35952 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.