Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000006322c7ffb WebCore::WHLSL::Checker::visit(WebCore::WHLSL::AST::VariableReference&) + 27 (RefPtr.h:81) 1 com.apple.WebCore 0x00000006322c70c2 WebCore::WHLSL::Checker::visit(WebCore::WHLSL::AST::AssignmentExpression&) + 34 (WHLSLVisitor.h:181) 2 com.apple.WebCore 0x0000000632322c89 WebCore::WHLSL::Visitor::visit(WebCore::WHLSL::AST::CommaExpression&) + 73 (WHLSLVisitor.cpp:511) 3 com.apple.WebCore 0x00000006322c92fa WebCore::WHLSL::Checker::visit(WebCore::WHLSL::AST::CommaExpression&) + 26 (WHLSLVisitor.h:181) 4 com.apple.WebCore 0x00000006322c6969 WebCore::WHLSL::Checker::visit(WebCore::WHLSL::AST::VariableDeclaration&) + 105 (WHLSLVisitor.h:181) 5 com.apple.WebCore 0x0000000632322a69 WebCore::WHLSL::Visitor::visit(WebCore::WHLSL::AST::VariableDeclarationsStatement&) + 73 (WHLSLVisitor.cpp:475) 6 com.apple.WebCore 0x0000000632322149 WebCore::WHLSL::Visitor::visit(WebCore::WHLSL::AST::Block&) + 73 (WHLSLVisitor.cpp:299) 7 com.apple.WebCore 0x00000006322c55cb WebCore::WHLSL::Checker::visit(WebCore::WHLSL::AST::FunctionDefinition&) + 1963 8 com.apple.WebCore 0x00000006322c4b6b WebCore::WHLSL::Checker::visit(WebCore::WHLSL::Program&) + 315 (Vector.h:691) 9 com.apple.WebCore 0x00000006322cab4d WebCore::WHLSL::check(WebCore::WHLSL::Program&) + 189 (WHLSLVisitor.h:181) 10 com.apple.WebCore 0x000000063230b80a WebCore::WHLSL::prepareShared(WTF::String&) + 778 (WHLSLPrepare.cpp:119) 11 com.apple.WebCore 0x000000063230b0e6 WebCore::WHLSL::prepare(WTF::String&, WebCore::WHLSL::RenderPipelineDescriptor&) + 38 (Optional.h:371) 12 com.apple.WebCore 0x0000000631b8d822 WebCore::GPURenderPipeline::tryCreate(WebCore::GPUDevice const&, WebCore::GPURenderPipelineDescriptor const&) + 2290 (Optional.h:371) 13 com.apple.WebCore 0x0000000632cb75be WebCore::GPUDevice::tryCreateRenderPipeline(WebCore::GPURenderPipelineDescriptor const&) const + 14 (GPUDevice.cpp:85) 14 com.apple.WebCore 0x00000006322be893 WebCore::WebGPUDevice::createRenderPipeline(WebCore::WebGPURenderPipelineDescriptor const&) const + 67 (WebGPUDevice.cpp:139) 15 com.apple.WebCore 0x0000000632045fc0 WebCore::jsWebGPUDevicePrototypeFunctionCreateRenderPipeline(JSC::ExecState*) + 304 (DumbPtrTraits.h:43) 16 ??? 0x000021a0f7a0116b 0 + 36975232946539 17 com.apple.JavaScriptCore 0x000000063655f73e llint_entry + 62149 (LowLevelInterpreter.asm:891) 18 com.apple.JavaScriptCore 0x000000063655f6c2 llint_entry + 62025 (LowLevelInterpreter.asm:891) 19 com.apple.JavaScriptCore 0x000000063655f6c2 llint_entry + 62025 (LowLevelInterpreter.asm:891) 20 com.apple.JavaScriptCore 0x000000063655f73e llint_entry + 62149 (LowLevelInterpreter.asm:891) 21 com.apple.JavaScriptCore 0x00000006365502cf vmEntryToJavaScript + 200 (LowLevelInterpreter64.asm:293) 22 com.apple.JavaScriptCore 0x0000000636b43f21 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 417 (JITCodeInlines.h:39) 23 com.apple.JavaScriptCore 0x0000000636d99514 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 196 (CallData.cpp:59) 24 com.apple.JavaScriptCore 0x0000000636e79cfd JSC::JSMicrotask::run(JSC::ExecState*) + 477 (VM.h:968) 25 com.apple.WebCore 0x00000006323fa074 WebCore::JSExecState::runTask(JSC::ExecState*, JSC::Microtask&) + 68 (JSExecState.h:50) 26 com.apple.WebCore 0x0000000632401313 WebCore::JSMicrotaskCallback::call() + 67 27 com.apple.WebCore 0x000000063260d9df WebCore::ActiveDOMCallbackMicrotask::run() + 47 28 com.apple.WebCore 0x000000063269f0ea WebCore::MicrotaskQueue::performMicrotaskCheckpoint() + 106 (Microtasks.cpp:96) 29 com.apple.WebCore 0x0000000632405a63 WebCore::JSExecState::didLeaveScriptContext(JSC::ExecState*) + 35 (memory:2619) 30 com.apple.WebCore 0x00000006323ed29f WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 143 31 com.apple.WebCore 0x000000063240333e WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1150 (JSEventListener.cpp:175) 32 com.apple.WebCore 0x00000006326920a5 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 821 (InspectorInstrumentation.h:285) 33 com.apple.WebCore 0x0000000632690182 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 418 (Vector.h:674) 34 com.apple.WebCore 0x0000000632ab93c2 WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) + 290 (InspectorInstrumentation.h:285) 35 com.apple.WebCore 0x0000000632abff15 WebCore::DOMWindow::dispatchLoadEvent() + 181 (Ref.h:59) 36 com.apple.WebCore 0x000000063263f6ef WebCore::Document::implicitClose() + 399 (Document.cpp:4618) 37 com.apple.WebCore 0x0000000632a17a7f WebCore::FrameLoader::checkCompleted() + 431 (FrameLoader.cpp:900) 38 com.apple.WebCore 0x0000000632a1660e WebCore::FrameLoader::finishedParsing() + 158 (FrameLoader.cpp:789) 39 com.apple.WebCore 0x0000000632651506 WebCore::Document::finishedParsing() + 326 (InspectorInstrumentation.h:285) 40 com.apple.WebCore 0x00000006328f893e WebCore::HTMLDocumentParser::prepareToStopParsing() + 190 (RefCounted.h:98) 41 com.apple.WebCore 0x00000006328f9af2 WebCore::HTMLDocumentParser::finish() + 242 42 com.apple.WebCore 0x00000006329f7e9a WebCore::DocumentLoader::finishedLoading() + 538 (utility:918) 43 com.apple.WebCore 0x0000000632a837fc WebCore::CachedResource::checkNotify() + 332 (CachedResource.cpp:351) 44 com.apple.WebCore 0x0000000632a810c9 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 585 (CachedRawResource.cpp:121) 45 com.apple.WebCore 0x0000000632a54575 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 677 (ResourceLoader.h:162) 46 com.apple.WebKit 0x00000006303f2e81 WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) + 197 47 com.apple.WebKit 0x0000000630534408 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) + 800 (Optional.h:329) 48 com.apple.WebKit 0x00000006303ecb30 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 642 49 com.apple.WebKit 0x0000000630015418 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 108 (memory:2603) 50 com.apple.WebKit 0x0000000630018b4b IPC::Connection::dispatchOneIncomingMessage() + 181 51 com.apple.JavaScriptCore 0x000000063630c9d4 WTF::RunLoop::performWork() + 228 52 com.apple.JavaScriptCore 0x000000063630cc62 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39) 53 com.apple.CoreFoundation 0x00007fff373d7083 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 54 com.apple.CoreFoundation 0x00007fff373d7029 __CFRunLoopDoSource0 + 108 55 com.apple.CoreFoundation 0x00007fff373ba9eb __CFRunLoopDoSources0 + 195 56 com.apple.CoreFoundation 0x00007fff373b9fb5 __CFRunLoopRun + 1189 57 com.apple.CoreFoundation 0x00007fff373b98be CFRunLoopRunSpecific + 455 58 com.apple.Foundation 0x00007fff396d88ef -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 280 59 com.apple.Foundation 0x00007fff396d87c4 -[NSRunLoop(NSRunLoop) run] + 76 60 libxpc.dylib 0x00007fff63b3a077 _xpc_objc_main + 552 61 libxpc.dylib 0x00007fff63b39b79 xpc_main + 433 62 com.apple.WebKit 0x0000000630176253 WebKit::XPCServiceMain(int, char const**) + 547 63 libdyld.dylib 0x00007fff639013d5 start + 1

Can you dump the AST for this example? From the stack trace, it looks like it parses as int x = (42, y = 44); instead of int (x = 42), (y = 44).. which sounds like an ambiguity in the grammar. I should double check that the spec is explicit on the fact that we want the latter, not the former.

I verified, and indeed there is a bug in the parser/grammar/spec. I should replace 'expr' in the definition of variableDeclarations by possibleTernaryConditional. And if someone actually wants to write int x = foo(), bar(); they can do it simply by adding parentheses.

This does not reproduce any longer, and the patch I suggested has visibly been already applied.