RESOLVED FIXED 191724
ASSERTION FAILED: m_lastOpcodeID == op_end || (m_lastOpcodeID == m_lastInstruction->opcodeID() && m_writer.position() == m_lastInstruction.offset() + m_lastInstruction->size())
https://bugs.webkit.org/show_bug.cgi?id=191724
Summary ASSERTION FAILED: m_lastOpcodeID == op_end || (m_lastOpcodeID == m_lastInstru...
Tadeu Zagallo
Reported 2018-11-15 16:21:45 PST
Since https://bugs.webkit.org/show_bug.cgi?id=187373, we were not restoring m_lastInstruction after patching the bytecode when finalizing StructureForInContexts, only m_lastOpcodeID, which led to the assertion failure.
Attachments
Patch (3.74 KB, patch)
2018-11-15 16:26 PST, Tadeu Zagallo
no flags
Tadeu Zagallo
Comment 1 2018-11-15 16:25:26 PST
Tadeu Zagallo
Comment 2 2018-11-15 16:26:18 PST
Saam Barati
Comment 3 2018-11-15 16:41:57 PST
Comment on attachment 354995 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=354995&action=review > Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:4866 > + if (generator.m_lastInstruction.offset() + generator.m_lastInstruction->size() != generator.m_writer.size()) { > generator.m_lastOpcodeID = lastOpcodeID; > + generator.m_lastInstruction = lastInstruction; > } Why isn't this unconditional?
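Review bot: The guard around the restore at BytecodeGenerator.cpp:4866 carries no comment saying why `m_lastOpcodeID` and `m_lastInstruction` are only restored when `m_lastInstruction.offset() + m_lastInstruction->size() != m_writer.size()`, and the reason is not obvious from the code. A short comment above the `if` stating what the equal case means would help. The guard also compares against `m_writer.size()`, while the assertion in the bug title checks `m_writer.position()`, so it is worth confirming that the writer position is back at the end of the stream when this runs, or comparing against `position()` so the guard and the assertion test the same invariant.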
Tadeu Zagallo
Comment 4 2018-11-15 16:46:56 PST
Comment on attachment 354995 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=354995&action=review
>> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:4866
>> }
>
> Why isn't this unconditional?
Because if we're writing at end of the stream the lastInstruction we saved might no longer be up-to-date. (i.e. it was op_get_direct_pname, but it was replaced by op_get_by_val + op_nop, so the current value, which should be op_nop, is correct.)
Saam Barati
Comment 5 2018-11-15 17:45:27 PST
Comment on attachment 354995 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=354995&action=review
r=me
>>> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:4866
>>> }
>>
>> Why isn't this unconditional?
>
> Because if we're writing at end of the stream the lastInstruction we saved might no longer be up-to-date. (i.e. it was op_get_direct_pname, but it was replaced by op_get_by_val + op_nop, so the current value, which should be op_nop, is correct.)
makes sense
WebKit Commit Bot
Comment 6 2018-11-16 07:24:12 PST
Comment on attachment 354995 [details]
Patch
Clearing flags on attachment: 354995
Committed r238281: <https://trac.webkit.org/changeset/238281>
WebKit Commit Bot
Comment 7 2018-11-16 07:24:14 PST
All reviewed patches have been landed. Closing bug.