160562 – ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()

RESOLVED FIXED 160562

ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()

https://bugs.webkit.org/show_bug.cgi?id=160562

Summary ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstan...

Mark Lam

Reported 2016-08-04 12:24:54 PDT

Created attachment 285346 [details] Repro test case. Run jsc against the attached test case. We'll get an assertion failure.

Attachments
Repro test case. (369 bytes, application/x-javascript) 2016-08-04 12:24 PDT, Mark Lam	no flags	Details
Patch (5.02 KB, patch) 2016-08-04 13:18 PDT, Keith Miller	no flags	Details Formatted Diff Diff
Patch for landing (5.05 KB, patch) 2016-08-04 13:23 PDT, Keith Miller	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2016-08-04 12:26:13 PDT

<rdar://problem/27704825>

Keith Miller

Comment 2 2016-08-04 13:18:18 PDT

Created attachment 285353 [details] Patch

Mark Lam

Comment 3 2016-08-04 13:21:30 PDT

Comment on attachment 285353 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=285353&action=review r=me. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4579 > + // It would be great if constant folding handled automatically handled the case where we knew the hasInstance function typo: /handled automatically handled/automatically handled/.

Keith Miller

Comment 4 2016-08-04 13:23:23 PDT

Created attachment 285356 [details] Patch for landing

WebKit Commit Bot

Comment 5 2016-08-04 14:12:39 PDT

Comment on attachment 285356 [details] Patch for landing Clearing flags on attachment: 285356 Committed r204140: <http://trac.webkit.org/changeset/204140>

WebKit Commit Bot

Comment 6 2016-08-04 14:12:42 PDT

All reviewed patches have been landed. Closing bug.

Csaba Osztrogonác

Comment 7 2016-08-05 02:35:18 PDT

(In reply to comment #5) > Comment on attachment 285356 [details] > Patch for landing > > Clearing flags on attachment: 285356 > > Committed r204140: <http://trac.webkit.org/changeset/204140> still asserting on the 32 bit Apple Mac bots: https://build.webkit.org/builders/Apple%20El%20Capitan%2032-bit%20JSC%20%28BuildAndTest%29/builds/3143/steps/webkit-32bit-jsc-test/logs/stdio

Csaba Osztrogonác

Comment 8 2016-08-11 03:01:42 PDT

(In reply to comment #7) > (In reply to comment #5) > > Comment on attachment 285356 [details] > > Patch for landing > > > > Clearing flags on attachment: 285356 > > > > Committed r204140: <http://trac.webkit.org/changeset/204140> > > still asserting on the 32 bit Apple Mac bots: > > https://build.webkit.org/builders/Apple%20El%20Capitan%2032- > bit%20JSC%20%28BuildAndTest%29/builds/3143/steps/webkit-32bit-jsc-test/logs/ > stdio just to document, fixed by http://trac.webkit.org/changeset/204209

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Keith Miller

Reported

2016-08-04 12:24 PDT

Modified

2016-08-11 03:01 PDT History

CC List

9 users Show

URL

Keywords InRadar

Depends on

160620

Blocks

Dependencies

tree graph