This assertion failure is seen on 32-bit JSC bots with one of the tests for https://trac.webkit.org/changeset/223523 stress/dfg-object-prototype-of.js.default: ASSERTION FAILED: !isCompilationThread() stress/dfg-object-prototype-of.js.default: /Volumes/Data/slave/highsierra-32bitJSC-debug/build/Source/JavaScriptCore/runtime/LazyClassStructure.h(86) : JSC::JSObject *JSC::LazyClassStructure::prototype(const JSC::JSGlobalObject *) const stress/dfg-object-prototype-of.js.default: 1 0x148857a WTFCrash stress/dfg-object-prototype-of.js.default: 2 0x811dbf JSC::LazyClassStructure::prototype(JSC::JSGlobalObject const*) const stress/dfg-object-prototype-of.js.default: 3 0x811ca3 JSC::JSGlobalObject::booleanPrototype() const stress/dfg-object-prototype-of.js.default: 4 0x80a3f8 JSC::DFG::FixupPhase::fixupGetPrototypeOf(JSC::DFG::Node*) stress/dfg-object-prototype-of.js.default: 5 0x80352f JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*) stress/dfg-object-prototype-of.js.default: 6 0x7fbede JSC::DFG::FixupPhase::fixupBlock(JSC::DFG::BasicBlock*) stress/dfg-object-prototype-of.js.default: 7 0x7fbcb3 JSC::DFG::FixupPhase::run() stress/dfg-object-prototype-of.js.default: 8 0x7fba55 bool JSC::DFG::runAndLog<JSC::DFG::FixupPhase>(JSC::DFG::FixupPhase&) stress/dfg-object-prototype-of.js.default: 9 0x7f949c bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&) stress/dfg-object-prototype-of.js.default: 10 0x7f9457 JSC::DFG::performFixup(JSC::DFG::Graph&) stress/dfg-object-prototype-of.js.default: 11 0x9b9680 JSC::DFG::Plan::compileInThreadImpl() stress/dfg-object-prototype-of.js.default: 12 0x9b8086 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) stress/dfg-object-prototype-of.js.default: 13 0x7f8eb8 JSC::DFG::compileImpl(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue> const&, WTF::Ref<JSC::DeferredCompilationCallback>&&) stress/dfg-object-prototype-of.js.default: 14 0x7f88d9 JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue> const&, WTF::Ref<JSC::DeferredCompilationCallback>&&) stress/dfg-object-prototype-of.js.default: 15 0xd8a355 operationOptimize stress/dfg-object-prototype-of.js.default: 16 0x3512bed stress/dfg-object-prototype-of.js.default: 17 0x35cc10 llint_entry stress/dfg-object-prototype-of.js.default: 18 0x35cc67 llint_entry stress/dfg-object-prototype-of.js.default: 19 0x356ff4 vmEntryToJavaScript stress/dfg-object-prototype-of.js.default: 20 0xd80c58 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) stress/dfg-object-prototype-of.js.default: 21 0xd1c5c5 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) stress/dfg-object-prototype-of.js.default: 22 0xffb742 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) stress/dfg-object-prototype-of.js.default: 23 0x142d7f runWithOptions(GlobalObject*, CommandLine&) stress/dfg-object-prototype-of.js.default: 24 0x105cec jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*) const stress/dfg-object-prototype-of.js.default: 25 0xeb3bf int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&) stress/dfg-object-prototype-of.js.default: 26 0xe9b80 jscmain(int, char**) stress/dfg-object-prototype-of.js.default: 27 0xe9aa7 main stress/dfg-object-prototype-of.js.default: 28 0xa74eb711 start stress/dfg-object-prototype-of.js.default: test_script_2717: line 2: 2 https://build.webkit.org/builders/Apple%20High%20Sierra%2032-bit%20JSC%20%28BuildAndTest%29/builds/205
Yusuke, I think this is a regression from your change?
I’ll look into this.
Duping back to original bug *** This bug has been marked as a duplicate of bug 178067 ***