Bug 289680

Summary:	DFG ASSERTION FAILED: AI-clobberize disagreement; AI says NotClobbered while clobberize says (Direct:[Heap], Super:[World])
Product:	WebKit	Reporter:	katoshi1337
Component:	JavaScriptCore	Assignee:	Yusuke Suzuki <ysuzuki>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	bfulgham, webkit-bug-importer, ysuzuki
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

katoshi1337

Reported 2025-03-13 00:52:32 PDT

commit: c5e0671158732bcdf83d26d4a964a0d88b2ca02c PoC: ``` for (let i1 = -409186827; i1 != -268435456;) { new WeakMap(); new SharedArrayBuffer(); } ``` command: ./jsc ./poc.js logs: ``` // CRASH INFO // ========== // TERMSIG: 6 // STDERR: // DFG ASSERTION FAILED: AI-clobberize disagreement; AI says NotClobbered while clobberize says (Direct:[Heap], Super:[World]) // /home/fuzzer/webkit/WebKit-c5e0671158732bcdf83d26d4a964a0d88b2ca02c/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp(229) : void JSC::DFG::CFAPhase::performBlockCFA(BasicBlock *) // // While handling node D@121 // // Graph at time of failure: // // 11: DFG for <global>#C01K4u:[0x7ee9790f9470->0x7ee9790f9360->0x7ee97924c1e0, DFGGlobal, 212]: // 11: Fixpoint state: FixpointNotConverged; Form: ThreadedCPS; Unification state: GloballyUnified; Ref count state: EverythingIsLive // 11: Arguments for block#0: D@0 // // 0 11: Block #0 (bc#0): (OSR target) // 0 11: Execution count: 1.000000 // 0 11: Predecessors: // 0 11: Successors: #2 #1 // 0 11: Dominated by: #root #0 // 0 11: Dominates: #0 #1 #2 // 0 11: Dominance Frontier: // 0 11: Iterated Dominance Frontier: // 0 11: States: StructuresAreWatched // 0 11: Vars Before: arg0:(BytecodeTop, TOP, TOP, none:StructuresAreClobbered) // 0 11: Intersected Vars Before: arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc16:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc17:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc18:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc19:(FullTop, TOP, TOP, none:StructuresAreClobbered) // 0 11: Var Links: arg0:D@0 // 0 0 11: D@0:< 1:-> SetArgumentDefinitely(IsFlushed, this(A~<Object>/FlushedJSValue), W:SideState, bc#0, ExitValid) predicting GlobalProxy // 1 0 11: D@1:< 1:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid) // 2 0 11: D@2:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitValid) // 3 0 11: D@3:< 1:-> SetLocal(Check:Untyped:D@1, loc0(B~<Other>/FlushedJSValue), W:Stack(loc0), bc#0, ExitInvalid) predicting Other // 4 0 11: D@4:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid) // 5 0 11: D@5:< 1:-> SetLocal(Check:Untyped:D@1, loc1(C~<Other>/FlushedJSValue), W:Stack(loc1), bc#0, ExitInvalid) predicting Other // 6 0 11: D@6:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid) // 7 0 11: D@7:< 1:-> SetLocal(Check:Untyped:D@1, loc2(D~<Other>/FlushedJSValue), W:Stack(loc2), bc#0, ExitInvalid) predicting Other // 8 0 11: D@8:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid) // 9 0 11: D@9:< 1:-> SetLocal(Check:Untyped:D@1, loc3(E~<Other>/FlushedJSValue), W:Stack(loc3), bc#0, ExitInvalid) predicting Other // 10 0 11: D@10:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid) // 11 0 11: D@11:< 1:-> SetLocal(Check:Untyped:D@1, loc4(F~<Other>/FlushedJSValue), W:Stack(loc4), bc#0, ExitInvalid) predicting Other // 12 0 11: D@12:< 1:-> GetCallee(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Function, R:Stack(callee), bc#0, ExitInvalid) // 13 0 11: D@13:< 1:-> GetScope(KnownCell:D@12, JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, bc#0, ExitInvalid) // 14 0 11: D@14:<!0:-> MovHint(Check:Untyped:D@13, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid) // 15 0 11: D@15:<!0:-> ExitOK(MustGen, W:SideState, bc#0, ExitValid) // 16 0 11: D@16:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#0, ExitValid) // 17 0 11: D@17:< 1:-> SetLocal(Check:Untyped:D@13, loc4(G~<Object>/FlushedJSValue), W:Stack(loc4), bc#0, exit: bc#1, ExitValid) predicting OtherObj // 18 0 11: D@18:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Other, Undefined, bc#1, ExitValid) // 19 0 11: D@19:<!0:-> MovHint(Check:Untyped:D@18, MustGen, loc5, W:SideState, ClobbersExit, bc#1, ExitValid) // 20 0 11: D@20:< 1:-> SetLocal(Check:Untyped:D@18, loc5(H~<Other>/FlushedJSValue), W:Stack(loc5), bc#1, exit: bc#4, ExitValid) predicting Other // 21 0 11: D@21:< 1:-> JSConstant(JS|PureInt, OtherCell, Strong:Cell: 0x7ee979268130 (%CW:Immutable Butterfly,ArrayWithDouble), StructureID: 18880, bc#4, ExitValid) // 22 0 11: D@22:< 1:-> NewArrayBuffer(JS|PureInt, Array, <0x7ee979268130, Immutable Butterfly>, vectorLengthHint = 7, CopyOnWriteArrayWithDouble, R:HeapObjectCount, W:HeapObjectCount, Exits, bc#4, ExitValid) // 23 0 11: D@23:<!0:-> MovHint(Check:Untyped:D@22, MustGen, loc5, W:SideState, ClobbersExit, bc#4, ExitValid) // 24 0 11: D@24:< 1:-> SetLocal(Check:Untyped:D@22, loc5(I~<Array>/FlushedJSValue), W:Stack(loc5), bc#4, exit: bc#9, ExitValid) predicting Array // 25 0 11: D@25:< 1:-> JSConstant(JS|PureInt, OtherCell, Strong:Cell: 0x7ee97914c1a0 (%Dx:Immutable Butterfly,ArrayWithInt32), StructureID: 18656, bc#9, ExitValid) // 26 0 11: D@26:< 1:-> NewArrayBuffer(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Array, <0x7ee97914c1a0, Immutable Butterfly>, vectorLengthHint = 1, CopyOnWriteArrayWithInt32, R:HeapObjectCount, W:HeapObjectCount, Exits, bc#9, ExitValid) // 27 0 11: D@27:<!0:-> MovHint(Check:Untyped:D@26, MustGen, loc5, W:SideState, ClobbersExit, bc#9, ExitValid) // 28 0 11: D@28:< 1:-> SetLocal(Check:Untyped:D@26, loc5(J~<Array>/FlushedJSValue), W:Stack(loc5), bc#9, exit: bc#14, ExitValid) predicting Array // 29 0 11: D@29:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 2, bc#14, ExitValid) // 30 0 11: D@30:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: 56466, bc#14, ExitValid) // 31 0 11: D@156:<!0:-> ArrayifyToStructure(Cell:D@26, Int32:D@29, MustGen, Int32+OriginalCopyOnWriteArray+InBounds+Convert+Write, %Ar:Array,ArrayWithInt32, R:JSCell_indexingType,JSCell_structureID,JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSObject_butterfly,Watchpoint_fire, Exits, bc#14, ExitValid) // 32 0 11: D@157:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#14, ExitValid) // 33 0 11: D@31:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@29, Int32:D@30, Check:Untyped:D@157, MustGen|VarArgs, Int32+OriginalCopyOnWriteArray+InBounds+Convert+Write, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedInt32Properties, W:IndexedInt32Properties, Exits, ClobbersExit, bc#14, ExitValid) // 34 0 11: D@186:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#20, ExitValid) // 35 0 11: D@32:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 3, bc#20, ExitValid) // 36 0 11: D@33:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: 998143057, bc#20, ExitValid) // 37 0 11: D@158:<!0:-> CheckStructure(Cell:D@26, MustGen, [%Ar:Array,ArrayWithInt32], R:JSCell_structureID, Exits, bc#20, ExitValid) // 38 0 11: D@159:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#20, ExitValid) // 39 0 11: D@34:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@32, Int32:D@33, Check:Untyped:D@159, MustGen|VarArgs, Int32+OriginalNonCopyOnWriteArray+ToHole+AsIs+Write, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedInt32Properties, W:Butterfly_publicLength,IndexedInt32Properties, Exits, ClobbersExit, bc#20, ExitValid) // 40 0 11: D@35:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 4, bc#26, ExitValid) // 41 0 11: D@36:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: -14, bc#26, ExitValid) // 42 0 11: D@160:<!0:-> CheckStructure(Cell:D@26, MustGen, [%Ar:Array,ArrayWithInt32], R:JSCell_structureID, Exits, bc#26, ExitValid) // 43 0 11: D@161:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#26, ExitValid) // 44 0 11: D@37:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@35, Int32:D@36, Check:Untyped:D@161, MustGen|VarArgs, Int32+OriginalNonCopyOnWriteArray+ToHole+AsIs+Write, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedInt32Properties, W:Butterfly_publicLength,IndexedInt32Properties, Exits, ClobbersExit, bc#26, ExitValid) // 45 0 11: D@38:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 5, bc#32, ExitValid) // 46 0 11: D@39:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: 646500229, bc#32, ExitValid) // 47 0 11: D@162:<!0:-> CheckStructure(Cell:D@26, MustGen, [%Ar:Array,ArrayWithInt32], R:JSCell_structureID, Exits, bc#32, ExitValid) // 48 0 11: D@163:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#32, ExitValid) // 49 0 11: D@40:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@38, Int32:D@39, Check:Untyped:D@163, MustGen|VarArgs, Int32+OriginalNonCopyOnWriteArray+ToHole+AsIs+Write, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedInt32Properties, W:Butterfly_publicLength,IndexedInt32Properties, Exits, ClobbersExit, bc#32, ExitValid) // 50 0 11: D@41:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 8, bc#38, ExitValid) // 51 0 11: D@42:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: 268435439, bc#38, ExitValid) // 52 0 11: D@164:<!0:-> CheckStructure(Cell:D@26, MustGen, [%Ar:Array,ArrayWithInt32], R:JSCell_structureID, Exits, bc#38, ExitValid) // 53 0 11: D@165:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#38, ExitValid) // 54 0 11: D@43:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@41, Int32:D@42, Check:Untyped:D@165, MustGen|VarArgs, Int32+OriginalNonCopyOnWriteArray+OutOfBounds+AsIs+Write, R:World, W:Heap, Exits, ClobbersExit, bc#38, ExitValid) // 55 0 11: D@187:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#44, ExitValid) // 56 0 11: D@44:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 9, bc#44, ExitValid) // 57 0 11: D@45:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonInt32AsInt52, Double: -4476578029604175872, -2147483649.000000, bc#44, ExitValid) // 58 0 11: D@166:<!0:-> ArrayifyToStructure(Cell:D@26, Int32:D@44, MustGen, Double+OriginalNonCopyOnWriteArray+ToHole+Convert+Write, %Bu:Array,ArrayWithDouble, R:JSCell_indexingType,JSCell_structureID,JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSObject_butterfly,Watchpoint_fire, Exits, bc#44, ExitValid) // 59 0 11: D@167:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#44, ExitValid) // 60 0 11: D@178:< 1:-> DoubleConstant(Double|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, BytecodeDouble, Double: -4476578029604175872, -2147483649.000000, bc#44, ExitValid) // 61 0 11: D@46:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@44, DoubleRepReal:D@178<Double>, Check:Untyped:D@167, MustGen|VarArgs, Double+OriginalNonCopyOnWriteArray+ToHole+Convert+Write, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedDoubleProperties, W:Butterfly_publicLength,IndexedDoubleProperties, Exits, ClobbersExit, bc#44, ExitValid) // 62 0 11: D@188:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#50, ExitValid) // 63 0 11: D@47:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 10, bc#50, ExitValid) // 64 0 11: D@48:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: 1088171092, bc#50, ExitValid) // 65 0 11: D@168:<!0:-> CheckStructure(Cell:D@26, MustGen, [%Bu:Array,ArrayWithDouble], R:JSCell_structureID, Exits, bc#50, ExitValid) // 66 0 11: D@169:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#50, ExitValid) // 67 0 11: D@179:< 1:-> DoubleConstant(Double|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, BytecodeDouble, Double: 4742350928357621760, 1088171092.000000, bc#50, ExitValid) // 68 0 11: D@49:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@47, DoubleRepReal:D@179<Double>, Check:Untyped:D@169, MustGen|VarArgs, Double+OriginalNonCopyOnWriteArray+ToHole+AsIs+Write, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedDoubleProperties, W:Butterfly_publicLength,IndexedDoubleProperties, Exits, ClobbersExit, bc#50, ExitValid) // 69 0 11: D@50:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 11, bc#56, ExitValid) // 70 0 11: D@51:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: -2147483648, bc#56, ExitValid) // 71 0 11: D@170:<!0:-> CheckStructure(Cell:D@26, MustGen, [%Bu:Array,ArrayWithDouble], R:JSCell_structureID, Exits, bc#56, ExitValid) // 72 0 11: D@171:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#56, ExitValid) // 73 0 11: D@180:< 1:-> DoubleConstant(Double|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, BytecodeDouble, Double: -4476578029606273024, -2147483648.000000, bc#56, ExitValid) // 74 0 11: D@52:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@50, DoubleRepReal:D@180<Double>, Check:Untyped:D@171, MustGen|VarArgs, Double+OriginalNonCopyOnWriteArray+ToHole+AsIs+Write, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedDoubleProperties, W:Butterfly_publicLength,IndexedDoubleProperties, Exits, ClobbersExit, bc#56, ExitValid) // 75 0 11: D@53:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 12, bc#62, ExitValid) // 76 0 11: D@54:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: 3, bc#62, ExitValid) // 77 0 11: D@172:<!0:-> CheckStructure(Cell:D@26, MustGen, [%Bu:Array,ArrayWithDouble], R:JSCell_structureID, Exits, bc#62, ExitValid) // 78 0 11: D@173:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#62, ExitValid) // 79 0 11: D@181:< 1:-> DoubleConstant(Double|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, BytecodeDouble, Double: 4613937818241073152, 3.000000, bc#62, ExitValid) // 80 0 11: D@55:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@53, DoubleRepReal:D@181<Double>, Check:Untyped:D@173, MustGen|VarArgs, Double+OriginalNonCopyOnWriteArray+ToHole+AsIs+Write, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedDoubleProperties, W:Butterfly_publicLength,IndexedDoubleProperties, Exits, ClobbersExit, bc#62, ExitValid) // 81 0 11: D@56:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 13, bc#68, ExitValid) // 82 0 11: D@57:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: -268435456, bc#68, ExitValid) // 83 0 11: D@174:<!0:-> CheckStructure(Cell:D@26, MustGen, [%Bu:Array,ArrayWithDouble], R:JSCell_structureID, Exits, bc#68, ExitValid) // 84 0 11: D@175:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, bc#68, ExitValid) // 85 0 11: D@182:< 1:-> DoubleConstant(Double|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, BytecodeDouble, Double: -4490088828488384512, -268435456.000000, bc#68, ExitValid) // 86 0 11: D@58:<!0:-> PutByValDirect(KnownCell:D@26, Int32:D@56, DoubleRepReal:D@182<Double>, Check:Untyped:D@175, MustGen|VarArgs, Double+OriginalNonCopyOnWriteArray+ToHole+AsIs+Write, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedDoubleProperties, W:Butterfly_publicLength,IndexedDoubleProperties, Exits, ClobbersExit, bc#68, ExitValid) // 87 0 11: D@59:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: 15, bc#74, ExitValid) // 88 0 11: D@60:<!0:-> ForceOSRExit(MustGen, W:SideState, Exits, bc#74, ExitValid) // 89 0 11: D@61:<!0:-> PutById(Check:Cell:D@26, Check:Untyped:D@59, MustGen, cachable-id {uid:(length)}, R:World, W:Heap, Exits, ClobbersExit, bc#74, ExitValid) // 90 0 11: D@189:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#80, ExitValid) // 91 0 11: D@62:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x7ee979230180 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %BQ:JSGlobalLexicalEnvironment), StructureID: 235456, bc#80, ExitValid) // 92 0 11: D@63:<!0:-> MovHint(Check:Untyped:D@62, MustGen, loc6, W:SideState, ClobbersExit, bc#80, ExitValid) // 93 0 11: D@64:<!0:-> Check(MustGen, bc#80, ExitInvalid) // 94 0 11: D@65:< 1:-> SetLocal(Check:Untyped:D@62, loc6(K~<Object>/FlushedJSValue), W:Stack(loc6), bc#80, exit: bc#87, ExitValid) predicting OtherObj // 95 0 11: D@66:< 1:-> NewArray(JS|VarArgs|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Array, vectorLengthHint = 5, ArrayWithUndecided, R:HeapObjectCount, W:HeapObjectCount, Exits, bc#87, ExitValid) // 96 0 11: D@67:<!0:-> MovHint(Check:Untyped:D@66, MustGen, loc7, W:SideState, ClobbersExit, bc#87, ExitValid) // 97 0 11: D@68:< 1:-> SetLocal(Check:Untyped:D@66, loc7(L~<Array>/FlushedJSValue), W:Stack(loc7), bc#87, exit: bc#93, ExitValid) predicting Array // 98 0 11: D@69:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x7ee979230180 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %BQ:JSGlobalLexicalEnvironment), StructureID: 235456, bc#93, ExitValid) // 99 0 11: D@70:<!0:-> PutGlobalVariable(Check:Cell:D@69, Check:Untyped:D@66, MustGen, global(0x7ee97b0a9580), W:Absolute(139541256770944), Exits, ClobbersExit, bc#93, ExitValid) // 100 0 11: D@71:<!0:-> NotifyWrite(MustGen, 0x7ee97b1e1b00, W:Watchpoint_fire,SideState, ClobbersExit, bc#93, ExitInvalid) // 101 0 11: D@72:<!0:-> Check(MustGen, bc#93, ExitInvalid) // 102 0 11: D@190:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#101, ExitValid) // 103 0 11: D@73:<!0:-> MovHint(Check:Untyped:D@18, MustGen, loc5, W:SideState, ClobbersExit, bc#101, ExitValid) // 104 0 11: D@74:< 1:-> SetLocal(Check:Untyped:D@18, loc5(M~/FlushedJSValue), W:Stack(loc5), bc#101, exit: bc#104, ExitValid) predicting OtherObj|Other // 105 0 11: D@75:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther|ReallyWantsInt, NonBoolInt32, Int32: -409186827, bc#104, ExitValid) // 106 0 11: D@76:<!0:-> MovHint(Check:Untyped:D@75, MustGen, loc6, W:SideState, ClobbersExit, bc#104, ExitValid) // 107 0 11: D@77:< 1:-> SetLocal(Check:Int32:D@75, loc6(N<Int32>/FlushedInt32), W:Stack(loc6), Exits, bc#104, exit: bc#107, ExitValid) predicting NonBoolInt32 // 108 0 11: D@78:< 1:-> CompareEq(Check:Int32:D@75, Check:Int32:D@57, Boolean|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Bool, Exits, bc#107, ExitValid) // 109 0 11: D@79:<!0:-> Branch(Check:KnownBoolean:D@78, MustGen, T:#2/w:1.000000, F:#1/w:10.000000, W:SideState, bc#107, ExitInvalid) // 0 11: States: InvalidBranchDirection, StructuresAreWatched, CFAInvalidated // 0 11: Vars After: // 0 11: Var Links: arg0:D@0 loc0:D@3 loc1:D@5 loc2:D@7 loc3:D@9 loc4:D@17 loc5:D@74 loc6:D@77 loc7:D@68 // // 1 11: Block #1 (bc#111): (OSR target) // 1 11: Execution count: 10.000000 // 1 11: Predecessors: #0 #1 // 1 11: Successors: #2 #1 // 1 11: Dominated by: #root #0 #1 // 1 11: Dominates: #1 // 1 11: Dominance Frontier: #1 #2 // 1 11: Iterated Dominance Frontier: #1 #2 // 1 11: Loop header, contains: #1 // 1 11: Containing loop headers: #1 // 1 11: Phi Nodes: D@153<loc4,1>->(D@153, D@17), D@154<loc6,1>->(D@154, D@77), D@155<this,1, IsFlushed>->(D@155, D@0) // 1 11: States: StructuresAreWatched // 1 11: Vars Before: arg0:(GlobalProxy, NonArray, [%Ac:JSGlobalProxy], Object: 0x7ee979248160 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %Ac:JSGlobalProxy), StructureID: 250944, none:StructuresAreClobbered) loc4:(OtherObj, NonArray, [%BQ:JSGlobalLexicalEnvironment], Object: 0x7ee979230180 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %BQ:JSGlobalLexicalEnvironment), StructureID: 235456, none:StructuresAreClobbered) loc6:(NonBoolInt32, Int32: -409186827, none:StructuresAreClobbered) // 1 11: Intersected Vars Before: arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc16:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc17:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc18:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc19:(FullTop, TOP, TOP, none:StructuresAreClobbered) // 1 11: Var Links: arg0:D@155 loc4:D@153 loc6:D@154 // 0 1 11: D@80:<!0:-> LoopHint(MustGen, W:SideState, bc#111, ExitValid) // 1 1 11: D@81:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#112, ExitValid) // 2 1 11: D@82:< 1:-> JSConstant(JS|PureInt, Empty, <JSValue()>, bc#113, ExitValid) // 3 1 11: D@83:<!0:-> MovHint(Check:Untyped:D@82, MustGen, loc7, W:SideState, ClobbersExit, bc#113, ExitValid) // 4 1 11: D@84:< 1:-> SetLocal(Check:Untyped:D@82, loc7(O~/FlushedJSValue), W:Stack(loc7), bc#113, exit: bc#116, ExitValid) predicting Empty // 5 1 11: D@85:<!0:-> MovHint(Check:Untyped:D@82, MustGen, loc8, W:SideState, ClobbersExit, bc#116, ExitValid) // 6 1 11: D@86:< 1:-> SetLocal(Check:Untyped:D@82, loc8(P~/FlushedJSValue), W:Stack(loc8), bc#116, exit: bc#119, ExitValid) predicting Empty // 7 1 11: D@87:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x7ee97922d5a0 with butterfly 0x7ee9790ef0c8(base=0x7ee9790eecc0) (Structure %CL:global), StructureID: 250832, bc#119, ExitValid) // 8 1 11: D@88:<!0:-> MovHint(Check:Untyped:D@87, MustGen, loc9, W:SideState, ClobbersExit, bc#119, ExitValid) // 9 1 11: D@89:<!0:-> GetLocal(Check:Untyped:D@153, JS|MustGen|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, loc4(G~<Object>/FlushedJSValue), R:Stack(loc4), bc#119, ExitInvalid) predicting OtherObj // 10 1 11: D@90:<!0:-> Check(MustGen, bc#119, ExitInvalid) // 11 1 11: D@91:< 1:-> SetLocal(Check:Untyped:D@87, loc9(R~<Object>/FlushedJSValue), W:Stack(loc9), bc#119, exit: bc#126, ExitValid) predicting OtherObj // 12 1 11: D@92:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x7ee97922d5a0 with butterfly 0x7ee9790ef0c8(base=0x7ee9790eecc0) (Structure %CL:global), StructureID: 250832, bc#126, ExitValid) // 13 1 11: D@93:<!0:-> Check(MustGen, bc#126, ExitValid) // 14 1 11: D@94:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x7ee9790e2980 with butterfly 0x7ee97923f848(base=0x7ee97923f820) (Structure %An:Function), StructureID: 253632, bc#126, ExitValid) // 15 1 11: D@95:<!0:-> Check(MustGen, bc#126, ExitValid) // 16 1 11: D@96:<!0:-> MovHint(Check:Untyped:D@94, MustGen, loc10, W:SideState, ClobbersExit, bc#126, ExitValid) // 17 1 11: D@97:< 1:-> SetLocal(Check:Untyped:D@94, loc10(S~<Object>/FlushedJSValue), W:Stack(loc10), bc#126, exit: bc#135, ExitValid) predicting OtherObj // 18 1 11: D@98:<!0:-> MovHint(Check:Untyped:D@94, MustGen, loc12, W:SideState, ClobbersExit, bc#135, ExitValid) // 19 1 11: D@99:< 1:-> SetLocal(Check:Untyped:D@94, loc12(T~<Object>/FlushedJSValue), W:Stack(loc12), bc#135, exit: bc#138, ExitValid) predicting OtherObj // 20 1 11: D@100:<!0:-> FilterCallLinkStatus(Check:Untyped:D@94, MustGen, Statically Proved, InternalFunction: Object: 0x7ee9790e2980 with butterfly 0x7ee97923f848(base=0x7ee97923f820) (Structure 0x7ee80003dec0:[0x3dec0/253632, Function, (0/0, 3/4){length:64, name:65, prototype:66}, NonArray, Unknown, Proto:0x7ee9790e2620, Leaf]), StructureID: 253632, W:SideState, bc#138, ExitValid) // 21 1 11: D@101:<!0:-> Construct(Check:Untyped:D@94, Check:Untyped:D@94, JS|MustGen|VarArgs|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, WeakMapObject, R:World, W:Heap, ExitsForExceptions, ClobbersExit, bc#138, ExitValid) predicting WeakMapObject // 22 1 11: D@102:<!0:-> MovHint(Check:Untyped:D@101, MustGen, loc7, W:SideState, ClobbersExit, bc#138, ExitInvalid) // 23 1 11: D@183:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#138, exit: bc#145, ExitValid) // 24 1 11: D@103:< 1:-> SetLocal(Check:Untyped:D@101, loc7(U~<Object>/FlushedJSValue), W:Stack(loc7), bc#138, exit: bc#145, ExitValid) predicting WeakMapObject // 25 1 11: D@104:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x7ee97922d5a0 with butterfly 0x7ee9790ef0c8(base=0x7ee9790eecc0) (Structure %CL:global), StructureID: 250832, bc#145, ExitValid) // 26 1 11: D@105:<!0:-> MovHint(Check:Untyped:D@104, MustGen, loc9, W:SideState, ClobbersExit, bc#145, ExitValid) // 27 1 11: D@106:<!0:-> Check(MustGen, bc#145, ExitInvalid) // 28 1 11: D@107:< 1:-> SetLocal(Check:Untyped:D@104, loc9(V~<Object>/FlushedJSValue), W:Stack(loc9), bc#145, exit: bc#152, ExitValid) predicting OtherObj // 29 1 11: D@108:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x7ee97922d5a0 with butterfly 0x7ee9790ef0c8(base=0x7ee9790eecc0) (Structure %CL:global), StructureID: 250832, bc#152, ExitValid) // 30 1 11: D@109:<!0:-> Check(MustGen, bc#152, ExitValid) // 31 1 11: D@110:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x7ee9790e2950 with butterfly 0x7ee97923ea48(base=0x7ee97923ea20) (Structure %CR:Function), StructureID: 249600, bc#152, ExitValid) // 32 1 11: D@111:<!0:-> Check(MustGen, bc#152, ExitValid) // 33 1 11: D@112:<!0:-> MovHint(Check:Untyped:D@110, MustGen, loc10, W:SideState, ClobbersExit, bc#152, ExitValid) // 34 1 11: D@113:< 1:-> SetLocal(Check:Untyped:D@110, loc10(W~<Object>/FlushedJSValue), W:Stack(loc10), bc#152, exit: bc#161, ExitValid) predicting OtherObj // 35 1 11: D@114:<!0:-> MovHint(Check:Untyped:D@101, MustGen, loc13, W:SideState, ClobbersExit, bc#161, ExitValid) // 36 1 11: D@115:< 1:-> SetLocal(Check:Untyped:D@101, loc13(X~<Object>/FlushedJSValue), W:Stack(loc13), bc#161, exit: bc#164, ExitValid) predicting WeakMapObject // 37 1 11: D@116:<!0:-> MovHint(Check:Untyped:D@110, MustGen, loc14, W:SideState, ClobbersExit, bc#164, ExitValid) // 38 1 11: D@117:< 1:-> SetLocal(Check:Untyped:D@110, loc14(Y~<Object>/FlushedJSValue), W:Stack(loc14), bc#164, exit: bc#167, ExitValid) predicting OtherObj // 39 1 11: D@118:<!0:-> FilterCallLinkStatus(Check:Untyped:D@110, MustGen, Statically Proved, InternalFunction: Object: 0x7ee9790e2950 with butterfly 0x7ee97923ea48(base=0x7ee97923ea20) (Structure 0x7ee80003cf00:[0x3cf00/249600, Function, (0/0, 4/4){length:64, name:65, prototype:66, Symbol.species:67}, NonArray, Unknown, Proto:0x7ee9790e2620, Leaf]), StructureID: 249600, W:SideState, bc#167, ExitValid) // 40 1 11: D@119:<!0:-> CheckIsConstant(Cell:D@110, MustGen, <0x7ee9790e2950, Function>, Exits, bc#167, ExitValid) // 41 1 11: D@120:<!0:-> Check(MustGen, bc#167, ExitValid) // 42 1 11: D@121:<!0:-> NewTypedArrayBuffer(Check:Untyped:D@101, JS|MustGen|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, %ED:ArrayBuffer, R:World, W:Heap, Exits, ClobbersExit, bc#167, ExitValid) // 43 1 11: D@122:<!0:-> MovHint(Check:Untyped:D@121, MustGen, loc8, W:SideState, ClobbersExit, bc#167, ExitInvalid) // 44 1 11: D@123:<!0:-> Check(MustGen, bc#167, ExitInvalid) // 45 1 11: D@124:<!0:-> Check(MustGen, bc#167, ExitInvalid) // 46 1 11: D@125:<!0:-> Check(MustGen, bc#167, ExitInvalid) // 47 1 11: D@184:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#167, exit: bc#174, ExitValid) // 48 1 11: D@126:< 1:-> SetLocal(Check:Untyped:D@121, loc8(Z~<Object>/FlushedJSValue), W:Stack(loc8), bc#167, exit: bc#174, ExitValid) predicting OtherObj // 49 1 11: D@127:< 1:-> JSConstant(JS|PureInt, Other, Undefined, bc#174, ExitValid) // 50 1 11: D@128:<!0:-> MovHint(Check:Untyped:D@127, MustGen, loc5, W:SideState, ClobbersExit, bc#174, ExitValid) // 51 1 11: D@129:< 1:-> SetLocal(Check:Untyped:D@127, loc5(AB~<Other>/FlushedJSValue), W:Stack(loc5), bc#174, exit: bc#177, ExitValid) predicting Other // 52 1 11: D@130:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x7ee979230180 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %BQ:JSGlobalLexicalEnvironment), StructureID: 235456, bc#177, ExitValid) // 53 1 11: D@131:<!0:-> MovHint(Check:Untyped:D@130, MustGen, loc9, W:SideState, ClobbersExit, bc#177, ExitValid) // 54 1 11: D@132:<!0:-> Check(MustGen, bc#177, ExitInvalid) // 55 1 11: D@133:< 1:-> SetLocal(Check:Untyped:D@130, loc9(BB~<Object>/FlushedJSValue), W:Stack(loc9), bc#177, exit: bc#184, ExitValid) predicting OtherObj // 56 1 11: D@134:<!0:-> Check(MustGen, bc#184, ExitValid) // 57 1 11: D@135:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Array, Weak:Object: 0x7ee9791502a0 with butterfly 0x7ee9791401f8(base=0x7ee9791401d0) (Structure %Am:Array,ArrayWithUndecided), StructureID: 253744, bc#184, ExitValid) // 58 1 11: D@136:<!0:-> MovHint(Check:Untyped:D@135, MustGen, loc10, W:SideState, ClobbersExit, bc#184, ExitValid) // 59 1 11: D@137:< 1:-> SetLocal(Check:Untyped:D@135, loc10(CB~<Array>/FlushedJSValue), W:Stack(loc10), bc#184, exit: bc#193, ExitValid) predicting Array // 60 1 11: D@138:<!0:-> MovHint(Check:Untyped:D@121, MustGen, loc5, W:SideState, ClobbersExit, bc#193, ExitValid) // 61 1 11: D@139:< 1:-> SetLocal(Check:Untyped:D@121, loc5(M~/FlushedJSValue), W:Stack(loc5), bc#193, exit: bc#196, ExitValid) predicting OtherObj|Other // 62 1 11: D@140:<!0:-> GetLocal(Check:Untyped:D@154, JS|MustGen|PureNum|NeedsNaNOrInfinity|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, loc6(N<Int32>/FlushedInt32), R:Stack(loc6), bc#196, ExitValid) predicting NonBoolInt32 // 63 1 11: D@176:<!0:-> Arrayify(Check:Cell:D@135, Check:Int32:D@140, MustGen, Contiguous+Array+OutOfBounds+Convert+Write, R:JSCell_indexingType,JSCell_structureID,JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSObject_butterfly,Watchpoint_fire, Exits, bc#196, ExitValid) // 64 1 11: D@177:< 1:-> GetButterfly(Check:Cell:D@135, Storage|PureInt, R:JSObject_butterfly, Exits, bc#196, ExitValid) // 65 1 11: D@141:<!0:-> PutByVal(Check:KnownCell:D@135, Check:Int32:D@140, Check:Untyped:D@121, Check:Untyped:D@177, MustGen|VarArgs, Contiguous+Array+OutOfBounds+Convert+Write, R:World, W:Heap, Exits, ClobbersExit, bc#196, ExitValid) // 66 1 11: D@185:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#202, ExitValid) // 67 1 11: D@142:< 1:-> ArithBitNot(Check:Int32:D@140, Int32|PureInt, Int32, Exits, bc#202, ExitValid) // 68 1 11: D@143:<!0:-> MovHint(Check:Untyped:D@142, MustGen, loc7, W:SideState, ClobbersExit, bc#202, ExitInvalid) // 69 1 11: D@144:< 1:-> SetLocal(Check:Untyped:D@142, loc7(FB~<Int32>/FlushedJSValue), W:Stack(loc7), bc#202, exit: bc#206, ExitValid) predicting Int32 // 70 1 11: D@145:< 1:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity|UseAsOther, NonBoolInt32, Int32: -268435456, bc#206, ExitValid) // 71 1 11: D@146:< 1:-> CompareEq(Check:Int32:D@140, Check:Int32:D@145, Boolean|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Bool, Exits, bc#206, ExitValid) // 72 1 11: D@147:<!0:-> Branch(Check:KnownBoolean:D@146, MustGen, T:#2/w:1.000000, F:#1/w:10.000000, W:SideState, bc#206, ExitInvalid) // 1 11: States: InvalidBranchDirection, StructuresAreWatched // 1 11: Vars After: // 1 11: Var Links: arg0:D@155 loc4:D@89 loc5:D@139 loc6:D@140 loc7:D@144 loc8:D@126 loc9:D@133 loc10:D@137 loc12:D@99 loc13:D@115 loc14:D@117 // // 2 11: Block #2 (bc#210): // 2 11: Execution count: 1.000000 // 2 11: Predecessors: #0 #1 // 2 11: Successors: // 2 11: Dominated by: #root #0 #2 // 2 11: Dominates: #2 // 2 11: Dominance Frontier: // 2 11: Iterated Dominance Frontier: // 2 11: Phi Nodes: D@151<loc5,1>->(D@139, D@74), D@152<this,1, IsFlushed>->(D@155, D@0) // 2 11: States: StructuresAreWatched, CurrentlyCFAUnreachable // 2 11: Vars Before: <empty> // 2 11: Intersected Vars Before: arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc16:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc17:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc18:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc19:(FullTop, TOP, TOP, none:StructuresAreClobbered) // 2 11: Var Links: arg0:D@152 loc5:D@151 // 0 2 11: D@148:<!0:-> GetLocal(Check:Untyped:D@151, JS|MustGen|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj|Other, loc5(M~/FlushedJSValue), R:Stack(loc5), bc#210, ExitValid) predicting OtherObj|Other // 1 2 11: D@149:<!0:-> Return(Check:Untyped:D@148, MustGen, W:SideState, Exits, bc#210, ExitValid) // 2 2 11: D@150:<!0:-> Flush(Check:Untyped:D@152, MustGen|IsFlushed, this(A~<Object>/FlushedJSValue), R:Stack(this), W:SideState, bc#210, ExitValid) predicting GlobalProxy // 2 11: States: InvalidBranchDirection, StructuresAreWatched // 2 11: Vars After: <empty> // 2 11: Var Links: arg0:D@150 loc5:D@148 // // 11: GC Values: // 11: Strong:Cell: 0x7ee979268130 (%CW:Immutable Butterfly,ArrayWithDouble), StructureID: 18880 // 11: Strong:Cell: 0x7ee97914c1a0 (%Dx:Immutable Butterfly,ArrayWithInt32), StructureID: 18656 // 11: Weak:Object: 0x7ee979230180 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %BQ:JSGlobalLexicalEnvironment), StructureID: 235456 // 11: Weak:Object: 0x7ee97922d5a0 with butterfly 0x7ee9790ef0c8(base=0x7ee9790eecc0) (Structure %CL:global), StructureID: 250832 // 11: Weak:Object: 0x7ee9790e2980 with butterfly 0x7ee97923f848(base=0x7ee97923f820) (Structure %An:Function), StructureID: 253632 // 11: Weak:Object: 0x7ee9790e2950 with butterfly 0x7ee97923ea48(base=0x7ee97923ea20) (Structure %CR:Function), StructureID: 249600 // 11: Weak:Object: 0x7ee9791502a0 with butterfly 0x7ee9791401f8(base=0x7ee9791401d0) (Structure %Am:Array,ArrayWithUndecided), StructureID: 253744 // 11: Weak:Object: 0x7ee979248160 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %Ac:JSGlobalProxy), StructureID: 250944 // 11: Desired watchpoints: // 11: Watchpoint sets: 0x7ee97b1e0d00, 0x7ee97b1e1b00 // 11: Inline watchpoint sets: 0x7ee80003cf68, 0x7ee80003df28, 0x7ee80003cef8, 0x7ee800004948, 0x7ee8000041d8, 0x7ee8000042b8, 0x7ee80003a548, 0x7ee800039828, 0x7ee800004a28, 0x7ee80003df98, 0x7ee80003a778, 0x7ee800004868, 0x7ee80003d4a8 // 11: SymbolTables: // 11: FunctionExecutables: // 11: Buffer views: // 11: Object property conditions: <Object: 0x7ee97922d5a0 with butterfly 0x7ee9790ef0c8(base=0x7ee9790eecc0) (Structure %CL:global), StructureID: 250832: Equivalence of WeakMap with Object: 0x7ee9790e2980 with butterfly 0x7ee97923f848(base=0x7ee97923f820) (Structure %An:Function), StructureID: 253632>, <Object: 0x7ee97922d5a0 with butterfly 0x7ee9790ef0c8(base=0x7ee9790eecc0) (Structure %CL:global), StructureID: 250832: Equivalence of SharedArrayBuffer with Object: 0x7ee9790e2950 with butterfly 0x7ee97923ea48(base=0x7ee97923ea20) (Structure %CR:Function), StructureID: 249600> // 11: Structures: // 11: %Ac:JSGlobalProxy = 0x7ee80003d440:[0x3d440/250944, JSGlobalProxy, (0/0, 0/0){}, NonArray, Unknown, Proto:0x7ee9790dd100, Leaf] // 11: %Am:Array,ArrayWithUndecided = 0x7ee80003df30:[0x3df30/253744, Array, (0/0, 1/4){-409186827:64}, ArrayWithUndecided, PropertyAddition, Proto:0x7ee979150270, Leaf] // 11: %An:Function = 0x7ee80003dec0:[0x3dec0/253632, Function, (0/0, 3/4){length:64, name:65, prototype:66}, NonArray, Unknown, Proto:0x7ee9790e2620, Leaf] // 11: %Ar:Array,ArrayWithInt32 = 0x7ee80003a400:[0x3a400/238592, Array, (0/0, 0/0){}, ArrayWithInt32, Unknown, Proto:0x7ee979150270] // 11: %BQ:JSGlobalLexicalEnvironment = 0x7ee8000397c0:[0x397c0/235456, JSGlobalLexicalEnvironment, (0/0, 0/0){}, NonArray, Unknown, Leaf] // 11: %Bu:Array,ArrayWithDouble = 0x7ee80003a4e0:[0x3a4e0/238816, Array, (0/0, 0/0){}, ArrayWithDouble, Unknown, Proto:0x7ee979150270, Leaf] // 11: %CL:global = 0x7ee80003d3d0:[0x3d3d0/250832, global, (0/0, 95/128){Object:64, Function:65, Array:66, RegExp:67, Iterator:68, SharedArrayBuffer:69, String:70, Promise:71, BigInt:72, Symbol:73, WeakRef:74, FinalizationRegistry:75, Intl:76, WebAssembly:77, Symbol.toStringTag:78, testLoopCount:79, wasmTestLoopCount:80, atob:81, btoa:82, disassembleBase64:83, debug:84, describe:85, describeArray:86, print:87, printErr:88, prettyPrint:89, gc:90, fullGC:91, edenGC:92, jscStack:93, preciseTime:94, neverInlineFunction:95, noInline:96, noDFG:97, noFTL:98, noOSRExitFuzzing:99, numberOfDFGCompiles:100, callerIsBBQOrOMGCompiled:101, jscOptions:102, optimizeNextInvocation:103, reoptimizationRetryCount:104, transferArrayBuffer:105, OSRExit:106, isFinalTier:107, predictInt32:108, isInt32:109, isPureNaN:110, fiatInt52:111, effectful42:112, makeMasquerader:113, hasCustomProperties:114, createGlobalObject:115, createHeapBigInt:116, useBigInt32:117, isBigInt32:118, isHeapBigInt:119, createNonRopeNonAtomString:120, dumpTypesForAllVariables:121, drainMicrotasks:122, setTimeout:123, releaseWeakRefs:124, finalizationRegistryLiveCount:125, finalizationRegistryDeadCount:126, getRandomSeed:127, setRandomSeed:128, isRope:129, callerSourceOrigin:130, is32BitPlatform:131, checkModuleSyntax:132, checkScriptSyntax:133, platformSupportsSamplingProfiler:134, generateHeapSnapshot:135, generateHeapSnapshotForGCDebugging:136, resetSuperSamplerState:137, ensureArrayStorage:138, startSamplingProfiler:139, samplingProfilerStackTraces:140, maxArguments:141, asyncTestStart:142, asyncTestPassed:143, WebAssemblyMemoryMode:144, console:145, waiterListSize:146, waitForReport:147, heapCapacity:148, flashHeapAccess:149, disableRichSourceInfo:150, mallocInALoop:151, totalCompileTime:152, setUnhandledRejectionCallback:153, asDoubleNumber:154, dropAllLocks:155, performance:156, fuzzilli:157, WeakMap:158}, NonArray, ChangePrototype, Proto:0x7ee9790dd100, Dictionary, Leaf] // 11: %CR:Function = 0x7ee80003cf00:[0x3cf00/249600, Function, (0/0, 4/4){length:64, name:65, prototype:66, Symbol.species:67}, NonArray, Unknown, Proto:0x7ee9790e2620, Leaf] // 11: %CW:Immutable Butterfly,ArrayWithDouble = 0x7ee8000049c0:[0x49c0/18880, Immutable Butterfly, (0/0, 0/0){}, CopyOnWriteArrayWithDouble, Unknown, Leaf] // 11: %Dx:Immutable Butterfly,ArrayWithInt32 = 0x7ee8000048e0:[0x48e0/18656, Immutable Butterfly, (0/0, 0/0){}, CopyOnWriteArrayWithInt32, Unknown, Leaf] // 11: %ED:ArrayBuffer = 0x7ee80003ce90:[0x3ce90/249488, ArrayBuffer, (0/0, 0/0){}, NonArray, Unknown, Proto:0x7ee9790dd250, Leaf] // // // DFG ASSERTION FAILED: AI-clobberize disagreement; AI says NotClobbered while clobberize says (Direct:[Heap], Super:[World]) // /home/fuzzer/webkit/WebKit-c5e0671158732bcdf83d26d4a964a0d88b2ca02c/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp(229) : void JSC::DFG::CFAPhase::performBlockCFA(BasicBlock *) // STDOUT: // ```

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-03-13 00:52:42 PDT

<rdar://problem/146930687>

Yusuke Suzuki

Comment 2 2025-03-13 11:19:14 PDT

ToT bug, fixing.

Yusuke Suzuki

Comment 3 2025-03-13 11:20:48 PDT

Pull request: https://github.com/WebKit/WebKit/pull/42413

EWS

Comment 4 2025-03-13 13:29:07 PDT

Committed 292112@main (5ad89cecd558): <https://commits.webkit.org/292112@main> Reviewed commits have been landed. Closing PR #42413 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.