Bug 191058 - Reproducible RELEASE_ASSERT(materialization->properties().size() - 2 == table->scopeSize()) in FTLOperations.cpp
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2018-10-30 01:24 PDT by zhunkibatu
Modified: 2019-02-15 16:29 PST

Description zhunkibatu 2018-10-30 01:24:41 PDT
The following PoC triggered an assertion failure:

RELEASE_ASSERT(materialization->properties().size() - 2 == table->scopeSize());

at ../../Source/JavaScriptCore/ftl/FTLOperations.cpp:236

PoC:

// Sloppy-mode function with duplicate parameter names that also references `eval` as an expression.
function f(x,x,x,x){eval;}

// Call f many times so that it gets tiered up to the FTL JIT.
for(var i=0;i<100000;i++){f();}

// Call with arguments once f has been compiled; the reporter observed the RELEASE_ASSERT in FTLOperations.cpp with this PoC.
f(0,1,2,3);
Comment 1 Alexey Proskuryakov 2018-10-30 14:48:27 PDT
I can reproduce with latest shipping Safari.
Comment 2 Radar WebKit Bug Importer 2018-10-30 14:48:52 PDT
<rdar://problem/45681780>
Comment 3 Keith Miller 2018-12-10 14:40:03 PST
I can't reproduce this on ToT.
Comment 4 Robin Morisset 2019-02-15 16:29:26 PST
I could not reproduce it either, and I tried it on several versions of Safari going back all the way to March 2018. Not sure what is going on.