I saw this DFG assert while running the JSC tests on a debug build of 208404 with the patch from https://bugs.webkit.org/show_bug.cgi?id=164436. I don't think the patch from https://bugs.webkit.org/show_bug.cgi?id=164436 matters here. The issue seems to be intermittent (racy). I have not been able to reproduce it yet, but just want to record it. The crash info and trace dumped by the JSC test: ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: /Volumes/Data/ws7/OpenSource/Source/JavaScriptCore/dfg/DFGGraph.cpp(1526) : void JSC::DFG::Graph::assertIsRegistered(JSC::Structure *) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 1 0x10d96437d WTFCrash ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 2 0x10d964399 WTFCrashWithSecurityImplication ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 3 0x10cd6773f JSC::DFG::crash(JSC::DFG::Graph&, WTF::CString const&, char const*, int, char const*, char const*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 4 0x10cd67549 JSC::DFG::Graph::handleAssertionFailure(std::nullptr_t, char const*, int, char const*, char const*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 5 0x10cd63fd4 JSC::DFG::Graph::assertIsRegistered(JSC::Structure*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 6 0x10cfe50a9 JSC::DFG::StructureAbstractValue::assertIsRegistered(JSC::DFG::Graph&) const ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 7 0x10cba76bd JSC::DFG::AbstractValue::assertIsRegistered(JSC::DFG::Graph&) const ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 8 0x10cba778e JSC::DFG::AbstractValue::set(JSC::DFG::Graph&, JSC::Structure*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 9 0x10cc5a5ff JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 10 0x10cc4b65b JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 11 0x10cc4a505 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 12 0x10cc49e92 JSC::DFG::CFAPhase::performForwardCFA() ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 13 0x10cc49917 JSC::DFG::CFAPhase::run() ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 14 0x10cc49112 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 15 0x10cc4906e bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 16 0x10cc49035 JSC::DFG::performCFA(JSC::DFG::Graph&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 17 0x10cec0065 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 18 0x10cebee69 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 19 0x10d031295 JSC::DFG::Worklist::ThreadBody::work() ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 20 0x10d9c2c35 WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 21 0x10d9c29fd void std::__1::__invoke_void_return_wrapper<void>::__call<WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0&>(WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0&&&) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 22 0x10d9c2799 std::__1::__function::__func<WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0, std::__1::allocator<WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0>, void ()>::operator()() ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 23 0x10cf006ba std::__1::function<void ()>::operator()() const ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 24 0x10d9d3a77 WTF::threadEntryPoint(void*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 25 0x10d9d5441 WTF::wtfThreadEntryPoint(void*) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 26 0x7fff97ec4aab _pthread_body ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 27 0x7fff97ec49f7 _pthread_body ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: 28 0x7fff97ec41fd thread_start ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: test_script_30122: line 2: 74605 Segmentation fault: 11 ( "$@" ../../../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true jsc-lib.js array_includes.js ) ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default: ERROR: Unexpected exit code: 139 ** The following JSC stress test failures have been introduced: ChakraCore.yaml/ChakraCore/test/Array/array_includes.js.default
Eeek ... the build was from a revision before 208404. I svn up'ed to 208404, but did not rebuild because the JSC tests were already running.
Created attachment 293965 [details] dump from failing test (with DFG graph).