WebKit Bugzilla
RESOLVED DUPLICATE of bug 215894
Bug 215841
DFG ASSERTION FAILED: m_value.isNumber() in DFGAbstractValue.cpp
https://bugs.webkit.org/show_bug.cgi?id=215841
zhunkibatu, Reported 2020-08-26 00:37:53 PDT
Created attachment 407279
the minimal poc

The following test case causes an assertion failure in DFGAbstractValue.cpp:

function main() {
    let arr = [1.1];
    function opt() {
        (function (main = arr[0x1000]) {}())
    }
    for (var i = 0; i < 0x1000; i++)
        opt(() => 0);
}
main();
Attachments
the minimal poc (181 bytes, text/javascript), 2020-08-26 00:37 PDT, zhunkibatu
Alexey Proskuryakov, Comment 1, 2020-08-26 18:09:05 PDT
DFG ASSERTION FAILED: m_value.isNumber()
./dfg/DFGAbstractValue.cpp(133) : void JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph &, JSC::DFG::NodeFlags, JSC::DFG::Node *)
undefined
>>> 1 0x105130839 WTFCrash
2 0x10675fdbb WTFCrashWithInfo(int, char const*, char const*, int)
3 0x105dd6532 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, unsigned int, JSC::DFG::Node*)
4 0x105dd6b83 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, JSC::DFG::Node*)
5 0x105390557 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setBuiltInConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue)
6 0x1053905dc JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue)
7 0x105393556 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)::'lambda'(JSC::DFG::Edge&, JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&, JSC::DFG::Edge&) const
8 0x105385f83 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
9 0x105e9316a JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int)
10 0x105e916d6 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*)
11 0x105e91029 JSC::DFG::CFAPhase::performForwardCFA()
12 0x105e90cd6 JSC::DFG::CFAPhase::run()
13 0x105e907c4 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&)
14 0x105e5d7ab bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
15 0x105e5d775 JSC::DFG::performCFA(JSC::DFG::Graph&)
16 0x106168aa0 JSC::DFG::Plan::compileInThreadImpl()
17 0x106167348 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
18 0x1062236de JSC::DFG::Worklist::ThreadBody::work()
19 0x105145c73 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const
20 0x10514587e WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call()
21 0x1051578b2 WTF::Function<void ()>::operator()() const
22 0x1052055c8 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
23 0x105211568 WTF::wtfThreadEntryPoint(void*)
24 0x7fff6a51a109 _pthread_start
25 0x7fff6a515b8b thread_start
Segmentation fault: 11
Radar WebKit Bug Importer, Comment 2, 2020-08-26 18:09:16 PDT
<rdar://problem/67841603>
Saam Barati, Comment 3, 2020-08-27 11:15:04 PDT
Thanks for the report. Was actually just in the process of fixing this in 215894

*** This bug has been marked as a duplicate of bug 215894 ***