Seeing the following assertion failure on the debug JSC bot: DFG ASSERTION FAILED: AI-clobberize disagreement; AI says FoldedClobber while clobberize says (Direct:[], Super:[]) ./dfg/DFGCFAPhase.cpp(240) : void JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock *) While handling node D@30 Graph at time of failure: 12: DFG for test3#<no-hash>:[0x10d7bcab0->0x10d7bc5f0->0x10d7e5300, DFGFunctionCall, 29 (NeverInline)]: 12: Fixpoint state: FixpointNotConverged; Form: ThreadedCPS; Unification state: GloballyUnified; Ref count state: EverythingIsLive 12: Arguments for block#0: D@0 0 12: Block #0 (bc#0): (OSR target) 0 12: Execution count: 1.000000 0 12: Predecessors: 0 12: Successors: 0 12: Dominated by: #root #0 0 12: Dominates: #0 0 12: Dominance Frontier: 0 12: Iterated Dominance Frontier: 0 12: States: StructuresAreWatched 0 12: Vars Before: arg0:(BytecodeTop, TOP, TOP, none:StructuresAreClobbered) 0 12: Intersected Vars Before: arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) 0 12: Var Links: arg0:D@0 0 0 12: D@0:< 1:-> SetArgumentDefinitely(IsFlushed, this(a), W:SideState, bc#0, ExitValid) predicting OtherObj 1 0 12: D@1:< 1:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid) 2 0 12: D@2:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitValid) 3 0 12: D@3:< 1:-> SetLocal(Check:Untyped:D@1, loc0(B~<Other>/FlushedJSValue), W:Stack(loc0), bc#0, ExitInvalid) predicting Other 4 0 12: D@4:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid) 5 0 12: D@5:< 1:-> SetLocal(Check:Untyped:D@1, loc1(C~<Other>/FlushedJSValue), W:Stack(loc1), bc#0, ExitInvalid) predicting Other 6 0 12: D@6:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid) 7 0 12: D@7:< 1:-> SetLocal(Check:Untyped:D@1, loc2(D~<Other>/FlushedJSValue), W:Stack(loc2), bc#0, ExitInvalid) predicting Other 8 0 12: D@8:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid) 9 0 12: D@9:< 1:-> SetLocal(Check:Untyped:D@1, loc3(E~<Other>/FlushedJSValue), W:Stack(loc3), bc#0, ExitInvalid) predicting Other 10 0 12: D@10:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid) 11 0 12: D@11:< 1:-> SetLocal(Check:Untyped:D@1, loc4(F~<Other>/FlushedJSValue), W:Stack(loc4), bc#0, ExitInvalid) predicting Other 12 0 12: D@12:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid) 13 0 12: D@13:< 1:-> SetLocal(Check:Untyped:D@1, loc5(G~<Other>/FlushedJSValue), W:Stack(loc5), bc#0, ExitInvalid) predicting Other 14 0 12: D@14:< 1:-> JSConstant(JS|PureInt, Function, Weak:Object: 0x10d7f65e0 with butterfly 0x0 (Structure %BO:Function), StructureID: 37855, bc#1, ExitValid) 15 0 12: D@15:< 1:-> JSConstant(JS|UseAsOther, OtherObj, Weak:Object: 0x10d2b4068 with butterfly 0x0 (Structure %BG:JSGlobalLexicalEnvironment), StructureID: 39390, bc#1, ExitValid) 16 0 12: D@16:<!0:-> MovHint(Check:Untyped:D@15, MustGen, loc4, W:SideState, ClobbersExit, bc#1, ExitValid) 17 0 12: D@17:< 1:-> SetLocal(Check:Untyped:D@15, loc4(H~<Object>/FlushedJSValue), W:Stack(loc4), bc#1, exit: bc#3, ExitValid) predicting OtherObj 18 0 12: D@18:<!0:-> MovHint(Check:Untyped:D@15, MustGen, loc5, W:SideState, ClobbersExit, bc#3, ExitValid) 19 0 12: D@19:< 1:-> SetLocal(Check:Untyped:D@15, loc5(I~<Object>/FlushedJSValue), W:Stack(loc5), bc#3, exit: bc#6, ExitValid) predicting OtherObj 20 0 12: D@20:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#6, ExitValid) 21 0 12: D@21:< 1:-> JSConstant(JS|UseAsOther, OtherObj, Weak:Object: 0x10d5fa068 with butterfly 0x18078e88d8 (Structure %B2:global), StructureID: 32425, bc#7, ExitValid) 22 0 12: D@22:<!0:-> MovHint(Check:Untyped:D@21, MustGen, loc7, W:SideState, ClobbersExit, bc#7, ExitValid) 23 0 12: D@23:<!0:-> Check(MustGen, bc#7, ExitInvalid) 24 0 12: D@24:< 1:-> SetLocal(Check:Untyped:D@21, loc7(J~<Object>/FlushedJSValue), W:Stack(loc7), bc#7, exit: bc#14, ExitValid) predicting OtherObj 25 0 12: D@25:<!0:-> Check(MustGen, bc#14, ExitValid) 26 0 12: D@26:< 1:-> JSConstant(JS|UseAsOther, Array, Weak:Object: 0x10d2979e8 with butterfly 0x18078e40d0 (Structure %EO:Array,ArrayWithContiguous), StructureID: 3285, bc#14, ExitValid) 27 0 12: D@27:<!0:-> MovHint(Check:Untyped:D@26, MustGen, loc8, W:SideState, ClobbersExit, bc#14, ExitValid) 28 0 12: D@28:< 1:-> SetLocal(Check:Untyped:D@26, loc8(K~<Array>/FlushedJSValue), W:Stack(loc8), bc#14, exit: bc#22, ExitValid) predicting Array 29 0 12: D@29:< 1:-> JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, NonBoolInt32, Int32: 5, bc#22, ExitValid) 30 0 12: D@35:<!0:-> CheckStructure(Cell:D@26, MustGen, [%EO:Array,ArrayWithContiguous], R:JSCell_structureID, Exits, bc#22, ExitValid) 31 0 12: D@36:< 1:-> GetButterfly(Cell:D@26, Storage|PureInt, R:JSObject_butterfly, Exits, bc#22, ExitValid) 32 0 12: D@30:< 1:-> GetByVal(KnownCell:D@26, Int32:D@29, Check:Untyped:D@36, JS|VarArgs|UseAsOther, Other, Contiguous+OriginalCopyOnWriteArray+OutOfBoundsSaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedContiguousProperties, Exits, bc#22, ExitValid) predicting Other 33 0 12: D@31:<!0:-> MovHint(Check:Untyped:D@30, MustGen, loc6, W:SideState, ClobbersExit, bc#22, ExitInvalid) 34 0 12: D@32:< 1:-> SetLocal(Check:Untyped:D@30, loc6(L~<Other>/FlushedJSValue), W:Stack(loc6), bc#22, exit: bc#27, ExitValid) predicting Other 35 0 12: D@33:<!0:-> Return(Check:Untyped:D@30, MustGen, W:SideState, Exits, bc#27, ExitValid) 36 0 12: D@34:<!0:-> Flush(Check:Untyped:D@0, MustGen|IsFlushed, this(a), R:Stack(this), W:SideState, bc#27, ExitValid) predicting OtherObj 0 12: States: InvalidBranchDirection, StructuresAreWatched 0 12: Vars After: 0 12: Var Links: arg0:D@0 loc0:D@3 loc1:D@5 loc2:D@7 loc3:D@9 loc4:D@17 loc5:D@19 loc6:D@32 loc7:D@24 loc8:D@28 12: GC Values: 12: Weak:Object: 0x10d2979e8 with butterfly 0x18078e40d0 (Structure %EO:Array,ArrayWithContiguous), StructureID: 3285 12: Weak:Object: 0x10d5fa068 with butterfly 0x18078e88d8 (Structure %B2:global), StructureID: 32425 12: Weak:Object: 0x10d2b4068 with butterfly 0x0 (Structure %BG:JSGlobalLexicalEnvironment), StructureID: 39390 12: Weak:Object: 0x10d7f65e0 with butterfly 0x0 (Structure %BO:Function), StructureID: 37855 12: Desired watchpoints: 12: Watchpoint sets: 0x10d29a680 12: Inline watchpoint sets: 0x10d7f9b08, 0x10d2cd0c0, 0x10d7f9788, 0x10d2cd280, 0x10d7f8448, 0x10d7f9478, 0x10d7f91d8, 0x10d7f9f68 12: SymbolTables: 12: FunctionExecutables: 0x10d7e5300 12: Buffer views: 12: Object property conditions: 12: Structures: 12: %B2:global = 0x10d7cd810:[0x7ea9, global, {Object:100, Function:101, Array:102, RegExp:103, String:104, Promise:105, BigInt:106, Intl:107, $vm:108, WebAssembly:109, Symbol.toStringTag:110, debug:111, describe:112, describeArray:113, print:114, printErr:115, quit:116, gc:117, fullGC:118, edenGC:119, gcHeapSize:120, MemoryFootprint:121, resetMemoryPeak:122, addressOf:123, version:124, run:125, runString:126, load:127, loadString:128, readFile:129, read:130, checkSyntax:131, sleepSeconds:132, jscStack:133, readline:134, preciseTime:135, neverInlineFunction:136, noInline:137, noDFG:138, noFTL:139, noOSRExitFuzzing:140, numberOfDFGCompiles:141, callerIsOMGCompiled:142, jscOptions:143, optimizeNextInvocation:144, reoptimizationRetryCount:145, transferArrayBuffer:146, failNextNewCodeBlock:147, OSRExit:148, isFinalTier:149, predictInt32:150, isInt32:151, isPureNaN:152, fiatInt52:153, effectful42:154, makeMasquerader:155, hasCustomProperties:156, createGlobalObject:157, createHeapBigInt:158, useBigInt32:159, isBigInt32:160, isHeapBigInt:161, dumpTypesForAllVariables:162, drainMicrotasks:163, setTimeout:164, releaseWeakRefs:165, finalizationRegistryLiveCount:166, finalizationRegistryDeadCount:167, getRandomSeed:168, setRandomSeed:169, isRope:170, callerSourceOrigin:171, is32BitPlatform:172, checkModuleSyntax:173, platformSupportsSamplingProfiler:174, generateHeapSnapshot:175, generateHeapSnapshotForGCDebugging:176, resetSuperSamplerState:177, ensureArrayStorage:178, startSamplingProfiler:179, samplingProfilerStackTraces:180, stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds-foldable.js.mini-mode: DFG ASSERTION FAILED: AI-clobberize disagreement; AI says FoldedClobber while clobberize says (Direct:[], Super:[]) stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds-foldable.js.mini-mode: ./dfg/DFGCFAPhase.cpp(240) : void JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock *) stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds-foldable.js.mini-mode: https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests/builds/1366
<rdar://problem/67376432>
https://trac.webkit.org/changeset/265775/webkit is the only JSC change in the regression range.
Should be easy to fix.
fix forthcoming
Created attachment 406855 [details] patch
Comment on attachment 406855 [details] patch r=me
Committed r265893: <https://trac.webkit.org/changeset/265893> All reviewed patches have been landed. Closing bug and clearing flags on attachment 406855 [details].