WebKit Bugzilla
RESOLVED FIXED
196176
ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
https://bugs.webkit.org/show_bug.cgi?id=196176
HAICHEN WANG
Reported
2019-03-23 04:19:18 PDT
>>> ASSERTION FAILED: m_op == CompareStrictEq
../../Source/JavaScriptCore/dfg/DFGNode.h(713) : void JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
1   0x10a9e6849 WTFCrash
2   0x109295dfb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x1099b4266 JSC::DFG::ConstantFoldingPhase::foldConstants(JSC::DFG::BasicBlock*)
4   0x1099aa646 JSC::DFG::ConstantFoldingPhase::run()
5   0x1099a44de bool JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::Graph&)
6   0x109b6fa7e JSC::DFG::Plan::compileInThreadImpl()
7   0x109b6de3d JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
8   0x109d8ffc9 JSC::DFG::Worklist::ThreadBody::work()
9   0x10a9eae29 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call()
10  0x10aa1b85a WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
11  0x10aad6edd WTF::wtfThreadEntryPoint(void*)
12  0x7fff7b0ba305 _pthread_body
13  0x7fff7b0bd26f _pthread_start
14  0x7fff7b0b9415 thread_start
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==61785==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010a9e684e bp 0x7000068f89f0 sp 0x7000068f89f0 T1709195)
==61785==The signal is caused by a WRITE memory access.
    #0 0x10a9e684d in WTFCrash Assertions.cpp:305
==61785==Register values:
rax = 0x00000000bbadbeef  rbx = 0x000000010accfcc1  rcx = 0x000000000007f702  rdx = 0x0000000000000004
rdi = 0x000000010b28e544  rsi = 0x000000010c992000  rbp = 0x00007000068f89f0  rsp = 0x00007000068f89f0
 r8 = 0x00000000000130a8   r9 = 0x0000000000000000  r10 = 0x00007fffadc9f048  r11 = 0x00007fffadc9f040
r12 = 0x00007000068f8e20  r13 = 0x000000010dc735c8  r14 = 0x000000010acc4f8f  r15 = 0x0000000000000026
UndefinedBehaviorSanitizer can not provide additional info.
==61785==ABORTING
Abort trap: 6

Poc:
function main() {
    const v3 = [1337,1337,13.37,1337];
    const v5 = [1337,13.37,1337,1337,1337,1337,13.37,1337,1337,1337];
    const v8 = {getInt8:13.37};
    const v9 = Object();
    function v10(v11,v12,v13,v14) {
        for (const v15 of v5) {
            for (const v16 of v11) {
                let v18 = v8;
                do {
                    const v20 = Object.is(0,v18);
                    const v22 = ["name"];
                    for (let v25 = 0; v25 < 100; v25++) {
                        const v26 = v25[100];
                    }
                    const v27 = v22 + 1;
                    v18 = v27;
                } while (v18 < -9007199254740991);
            }
        }
    }
    const v28 = v10(v3,v9);
}
noDFG(main);
noFTL(main);
main();
Attachments
Patch (1.51 KB, patch), 2019-03-24 20:21 PDT, Keith Miller
Patch (3.21 KB, patch), 2019-03-24 20:27 PDT, Keith Miller
Archive of layout-test-results from ews124 for ios-simulator-wk2 (2.64 MB, application/zip), 2019-03-24 22:38 PDT, EWS Watchlist
HAICHEN WANG
Comment 1
2019-03-23 04:33:20 PDT
reported by HAICHEN WANG, P1umer
Radar WebKit Bug Importer
Comment 2
2019-03-24 13:39:09 PDT
<rdar://problem/49199639>
Keith Miller
Comment 3
2019-03-24 20:18:08 PDT
Ah, I think this is a bad assertion since we added SameValue to the DFG with r231224. Should be a simple fix.
Keith Miller
Comment 4
2019-03-24 20:21:06 PDT
Created attachment 365843
Patch
Keith Miller
Comment 5
2019-03-24 20:27:27 PDT
Created attachment 365844
Patch
EWS Watchlist
Comment 6
2019-03-24 22:38:44 PDT
Comment on attachment 365844
Patch
Attachment 365844 did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/11655632
New failing tests:
fast/visual-viewport/ios/min-scale-greater-than-one.html
EWS Watchlist
Comment 7
2019-03-24 22:38:45 PDT
Created attachment 365849
Archive of layout-test-results from ews124 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.6
Keith Miller
Comment 8
2019-03-24 22:41:15 PDT
Yeah, iOS simulator doesn't use JIT so that's noise...
WebKit Commit Bot
Comment 9
2019-03-25 13:29:25 PDT
Comment on attachment 365844
Patch
Clearing flags on attachment: 365844
Committed r243448: <https://trac.webkit.org/changeset/243448>
WebKit Commit Bot
Comment 10
2019-03-25 13:29:26 PDT
All reviewed patches have been landed. Closing bug.