Bug 216103 - ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2020-09-02 15:42 PDT by Michael Saboff
Modified: 2022-02-27 23:28 PST (History)
Attachments
Patch (4.89 KB, patch)
2020-09-02 15:52 PDT, Michael Saboff
saam: review+
Description Michael Saboff 2020-09-02 15:42:45 PDT
This debug ASSERT happens in the case where we replace a custom getter setter property with a function. The ASSERT can be reworked to an if statement to fix the issue.

Backtrace:
ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType
./bytecode/ObjectPropertyConditionSet.cpp(403) : auto JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM &, JSC::JSCell *, JSC::JSGlobalObject *, JSC::Structure *, JSC::JSObject *, WTF::UniquedStringImpl *, unsigned int)::(anonymous class)::operator()(Vector<JSC::ObjectPropertyCondition> &, JSC::JSObject *) const
1   0x1141ea34c WTFCrash
2   0x114731684 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x114c6b244 JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM&, JSC::JSCell*, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, WTF::UniquedStringImpl*, unsigned int)::$_5::operator()(WTF::Vector<JSC::ObjectPropertyCondition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::JSObject*) const
4   0x114c5ed00 JSC::ObjectPropertyConditionSet JSC::(anonymous namespace)::generateConditions<JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM&, JSC::JSCell*, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, WTF::UniquedStringImpl*, unsigned int)::$_5>(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM&, JSC::JSCell*, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, WTF::UniquedStringImpl*, unsigned int)::$_5 const&)
5   0x114c5ebdc JSC::generateConditionsForPrototypePropertyHitCustom(JSC::VM&, JSC::JSCell*, JSC::JSGlobalObject*, JSC::Structure*, JSC::JSObject*, WTF::UniquedStringImpl*, unsigned int)
6   0x115623908 JSC::tryCachePutByID(JSC::JSGlobalObject*, JSC::CodeBlock*, JSC::JSValue, JSC::Structure*, JSC::CacheableIdentifier, JSC::PutPropertySlot const&, JSC::StructureStubInfo&, JSC::PutKind)
7   0x115622bf8 JSC::repatchPutByID(JSC::JSGlobalObject*, JSC::CodeBlock*, JSC::JSValue, JSC::Structure*, JSC::CacheableIdentifier, JSC::PutPropertySlot const&, JSC::StructureStubInfo&, JSC::PutKind)
8   0x11558b65c operationPutByIdNonStrictOptimize
9   0xb80140a6c
10  0x114715a48 llint_entry
11  0x114715a48 llint_entry
12  0x114715a48 llint_entry
13  0x114715c84 llint_entry
14  0x114715a48 llint_entry
15  0x114715a48 llint_entry
16  0x114715a48 llint_entry
17  0x114715a48 llint_entry
18  0x114715a48 llint_entry
19  0x114715a48 llint_entry
20  0x1146f0274 vmEntryToJavaScript
21  0x115bcf06c JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
22  0x1154d7438 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
23  0x1158b9ad8 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
24  0x1158b9c14 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
25  0x11d86b414 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
26  0x11d86af70 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
27  0x11d86ad9c WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
28  0x11d86b85c WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)
29  0x11df9b5ac WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
30  0x11def55c0 WebCore::LoadableClassicScript::execute(WebCore::ScriptElement&)
31  0x11df9c32c WebCore::ScriptElement::executeScriptAndDispatchEvent(WebCore::LoadableScript&)
Comment 1 Michael Saboff 2020-09-02 15:43:05 PDT
<rdar://problem/66651057>
Comment 2 Michael Saboff 2020-09-02 15:52:40 PDT
Created attachment 407824
Patch
Comment 3 Saam Barati 2020-09-02 16:21:45 PDT
Comment on attachment 407824
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407824&action=review

> Source/JavaScriptCore/ChangeLog:8
> +        Changed the ASSERT to an if statement.
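Review bot: The ChangeLog line records only the mechanical change ("Changed the ASSERT to an if statement") and not the reason; it should state, as the bug description does, that the property value is no longer a CustomGetterSetter cell once a custom getter/setter property has been replaced by a function, so the condition has to be checked at runtime rather than asserted. A reader of the ChangeLog alone cannot otherwise tell whether the ASSERT was wrong or whether the code has a new case to handle.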

You should say why.
Comment 4 Michael Saboff 2020-09-02 16:58:09 PDT
Committed r266496: <https://trac.webkit.org/changeset/266496>