160562 – ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()

Bug 160562 - ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()

Summary: ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstan...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Keith Miller

URL:
Keywords:	InRadar

Depends on:	160620
Blocks:
	Show dependency tree / graph

Reported:	2016-08-04 12:24 PDT by Mark Lam
Modified:	2016-08-11 03:01 PDT (History)
CC List:	9 users (show)

See Also:

Attachments
Repro test case. (369 bytes, application/x-javascript) 2016-08-04 12:24 PDT, Mark Lam	no flags	Details
Patch (5.02 KB, patch) 2016-08-04 13:18 PDT, Keith Miller	no flags	Details \| Formatted Diff \| Diff
Patch for landing (5.05 KB, patch) 2016-08-04 13:23 PDT, Keith Miller	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Lam 2016-08-04 12:24:54 PDT

Created attachment 285346 [details]
Repro test case.

Run jsc against the attached test case.  We'll get an assertion failure.

Comment 1 Radar WebKit Bug Importer 2016-08-04 12:26:13 PDT

<rdar://problem/27704825>

Comment 2 Keith Miller 2016-08-04 13:18:18 PDT

Created attachment 285353 [details]
Patch

Comment 3 Mark Lam 2016-08-04 13:21:30 PDT

Comment on attachment 285353 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=285353&action=review

r=me.

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4579
> +        // It would be great if constant folding handled automatically handled the case where we knew the hasInstance function

typo: /handled automatically handled/automatically handled/.

Comment 4 Keith Miller 2016-08-04 13:23:23 PDT

Created attachment 285356 [details]
Patch for landing

Comment 5 WebKit Commit Bot 2016-08-04 14:12:39 PDT

Comment on attachment 285356 [details]
Patch for landing

Clearing flags on attachment: 285356

Committed r204140: <http://trac.webkit.org/changeset/204140>

Comment 6 WebKit Commit Bot 2016-08-04 14:12:42 PDT

All reviewed patches have been landed.  Closing bug.

Comment 7 Csaba Osztrogonác 2016-08-05 02:35:18 PDT

(In reply to comment #5)
> Comment on attachment 285356 [details]
> Patch for landing
> 
> Clearing flags on attachment: 285356
> 
> Committed r204140: <http://trac.webkit.org/changeset/204140>

still asserting on the 32 bit Apple Mac bots:

https://build.webkit.org/builders/Apple%20El%20Capitan%2032-bit%20JSC%20%28BuildAndTest%29/builds/3143/steps/webkit-32bit-jsc-test/logs/stdio

Comment 8 Csaba Osztrogonác 2016-08-11 03:01:42 PDT

(In reply to comment #7)
> (In reply to comment #5)
> > Comment on attachment 285356 [details]
> > Patch for landing
> > 
> > Clearing flags on attachment: 285356
> > 
> > Committed r204140: <http://trac.webkit.org/changeset/204140>
> 
> still asserting on the 32 bit Apple Mac bots:
> 
> https://build.webkit.org/builders/Apple%20El%20Capitan%2032-
> bit%20JSC%20%28BuildAndTest%29/builds/3143/steps/webkit-32bit-jsc-test/logs/
> stdio

just to document, fixed by http://trac.webkit.org/changeset/204209