https://build.webkit.org/builders/Apple%20El%20Capitan%2032-bit%20JSC%20%28BuildAndTest%29/builds/2948 jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: /Volumes/Data/slave/elcapitan-32bitJSC-debug/build/Source/JavaScriptCore/runtime/JSCell.h(244) : To JSC::jsCast(JSC::JSValue) [To = JSC::JSScope *] jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 1 0xe5320d WTFCrash jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 2 0xe5322b WTFCrashWithSecurityImplication jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 3 0x2afa50 JSC::JSScope* JSC::jsCast<JSC::JSScope*>(JSC::JSValue) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 4 0x2ac395 JSC::Register::scope() const jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 5 0x8be985 JSC::eval(JSC::ExecState*) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 6 0x9352df operationCallEval jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 7 0x2b013e7 jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 8 0x2adb316 jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 9 0xb2e137 llint_entry jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 10 0xb28bcc vmEntryToJavaScript jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 11 0x91d3e2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 12 0x8c2f41 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 13 0x2b3918 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 14 0x5434f runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul, WTF::CrashOnOverflow, 16ul> const&, WTF::String const&, bool, bool) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 15 0x534c6 runJSC(JSC::VM*, CommandLine) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 16 0x52309 jscmain(int, char**) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 17 0x52176 main jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: 18 0x97baf6ad start jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: test_script_23763: line 2: 9583 Segmentation fault: 11 ( "$@" ../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useConcurrentJIT\=false --thresholdForJITAfterWarmUp\=100 --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 resources/standalone-pre.js Object-assign.js resources/standalone-post.js ) jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit: ERROR: Unexpected exit code: 139 FAIL: jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit ** The following JSC stress test failures have been introduced: jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/Object-assign.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-filter.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-filter.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-functions-non-arrays.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-functions-non-arrays.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-holes.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-holes.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-includes.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-includes.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-type-speculation.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/array-type-speculation.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/basic-strict-mode.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/basic-strict-mode.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/class-syntax-extends.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/class-syntax-extends.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/class-syntax-name.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/class-syntax-name.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/class-syntax-prototype.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/class-syntax-prototype.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/destructuring-assignment.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/destructuring-assignment.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-ftl jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-ftl jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/intl-datetimeformat.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/keywords-and-reserved_words.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/keywords-and-reserved_words.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/number-constructor.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/number-constructor.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/parseInt.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/parseInt.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-ftl jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/parser-syntax-check.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/preventExtensions.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/preventExtensions.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/prototypes.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/prototypes.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/reserved-words-strict.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/reserved-words-strict.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/reserved-words.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/reserved-words.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/statement-list-item-syntax-errors.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/statement-list-item-syntax-errors.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/string-code-point-at.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/string-code-point-at.js.layout-ftl-eager-no-cjit stress/IIFE-function-name-captured.js.always-trigger-copy-phase stress/IIFE-function-name-captured.js.default stress/IIFE-function-name-captured.js.default-ftl stress/IIFE-function-name-captured.js.dfg-eager stress/IIFE-function-name-captured.js.dfg-eager-no-cjit-validate stress/IIFE-function-name-captured.js.dfg-maximal-flush-validate-no-cjit stress/IIFE-function-name-captured.js.ftl-eager stress/IIFE-function-name-captured.js.ftl-eager-no-cjit stress/IIFE-function-name-captured.js.ftl-no-cjit-no-put-stack-validate stress/IIFE-function-name-captured.js.ftl-no-cjit-small-pool stress/IIFE-function-name-captured.js.ftl-no-cjit-validate-sampling-profiler stress/IIFE-function-name-captured.js.no-cjit-validate-phases stress/IIFE-function-name-captured.js.no-llint stress/for-in-array-mode.js.dfg-eager stress/for-in-array-mode.js.dfg-eager-no-cjit-validate stress/for-in-array-mode.js.ftl-eager stress/for-in-array-mode.js.ftl-eager-no-cjit stress/for-in-array-mode.js.no-llint stress/global-lexical-var-injection.js.always-trigger-copy-phase stress/global-lexical-var-injection.js.default stress/global-lexical-var-injection.js.default-ftl stress/global-lexical-var-injection.js.dfg-eager stress/global-lexical-var-injection.js.dfg-eager-no-cjit-validate stress/global-lexical-var-injection.js.dfg-maximal-flush-validate-no-cjit stress/global-lexical-var-injection.js.ftl-eager stress/global-lexical-var-injection.js.ftl-eager-no-cjit stress/global-lexical-var-injection.js.ftl-no-cjit-no-inline-validate stress/global-lexical-var-injection.js.ftl-no-cjit-no-put-stack-validate stress/global-lexical-var-injection.js.ftl-no-cjit-small-pool stress/global-lexical-var-injection.js.ftl-no-cjit-validate-sampling-profiler stress/global-lexical-var-injection.js.no-cjit-validate-phases stress/global-lexical-var-injection.js.no-llint stress/op-push-name-scope-crashes-profiler.js.profiler-simple stress/regress-159779-1.js.ftl-eager-no-cjit stress/regress-159779-2.js.ftl-eager-no-cjit
Probably related to Debug JSC test failures in https://bugs.webkit.org/show_bug.cgi?id=159929
Looking at this now. It's OK to roll it out. But it's likely I'll have a fix within an hour.
Wow this looks like a long-standing bug with how we read the scope register. We're assuming that it's boxed on 32-bit, which won't be true in the DFG. I believe that we would have gotten this crash in debug 32-bit debugger tests if those tests tried hard enough.
Created attachment 284031 [details] the patch
Comment on attachment 284031 [details] the patch r=me
Landed in https://trac.webkit.org/changeset/203416