191058 – Reproducible RELEASE_ASSERT(materialization->properties().size() - 2 == table->scopeSize()) in FTLOperations.cpp

RESOLVED WORKSFORME 191058

Reproducible RELEASE_ASSERT(materialization->properties().size() - 2 == table->scopeSize()) in FTLOperations.cpp

https://bugs.webkit.org/show_bug.cgi?id=191058

Summary Reproducible RELEASE_ASSERT(materialization->properties().size() - 2 == table...

zhunkibatu

Reported 2018-10-30 01:24:41 PDT

the following poc triggered an assertion failure: RELEASE_ASSERT(materialization->properties().size() - 2 == table->scopeSize()); at ../../Source/JavaScriptCore/ftl/FTLOperations.cpp:236 poc: function f(x,x,x,x){eval;} for(var i=0;i<100000;i++){f();} f(0,1,2,3);

Attachments
Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2018-10-30 14:48:27 PDT

I can reproduce with latest shipping Safari.

Radar WebKit Bug Importer

Comment 2 2018-10-30 14:48:52 PDT

<rdar://problem/45681780>

Keith Miller

Comment 3 2018-12-10 14:40:03 PST

I can't reproduce this on ToT.

Robin Morisset

Comment 4 2019-02-15 16:29:26 PST

I could not reproduce it either, and I tried it on several versions of Safari going back all the way to March 2018.. not sure what is going on.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution WORKSFORME

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2018-10-30 01:24 PDT

Modified

2019-02-15 16:29 PST History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks