RESOLVED FIXED 228839
Assertion failure when checking array in DFG (32 bits) 
https://bugs.webkit.org/show_bug.cgi?id=228839
Summary Assertion failure when checking array in DFG (32 bits)
Mikhail R. Gadelha
Reported 2021-08-05 12:40:25 PDT
Created attachment 435014 [details] Testcase The failure: ASSERTION FAILED: typeFilterFor(node->child1().useKind()) & SpecEmpty ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(861) : void JSC::DFG::SpeculativeJIT::checkArray(JSC::DFG::Node*) Aborted It happens because in 32 bits empty value doesn't pass the cell check. From SpeculatedType.h: static constexpr SpeculatedType SpecCellCheck = is64Bit() ? (SpecCell | SpecEmpty) : SpecCell; So when we reach the assertion, SpecEmpty is not set. There is no assertion failure when running jsc in release mode.
Attachments
Testcase (169 bytes, text/javascript)
2021-08-05 12:40 PDT, Mikhail R. Gadelha 		no flags
Details
Patch (2.72 KB, patch)
2021-08-05 13:21 PDT, Mikhail R. Gadelha 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mikhail R. Gadelha
Comment 1 2021-08-05 13:21:58 PDT
Created attachment 435018 [details] Patch
Yusuke Suzuki
Comment 2 2021-08-05 18:54:17 PDT
Comment on attachment 435018 [details] Patch r=me
EWS
Comment 3 2021-08-05 18:59:47 PDT
Committed r280716 (240307@main): <https://commits.webkit.org/240307@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 435018 [details].
Radar WebKit Bug Importer
Comment 4 2021-08-05 19:00:17 PDT
<rdar://problem/81595896>
Note You need to log in before you can comment on or make changes to this bug.