Bug 228839 - Assertion failure when checking array in DFG (32 bits)
Summary: Assertion failure when checking array in DFG (32 bits)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-08-05 12:40 PDT by Mikhail R. Gadelha
Modified: 2021-08-05 19:00 PDT (History)
8 users (show)

See Also:

Attachments
Testcase (169 bytes, text/javascript)
2021-08-05 12:40 PDT, Mikhail R. Gadelha 		no flags Details
Patch (2.72 KB, patch)
2021-08-05 13:21 PDT, Mikhail R. Gadelha 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail R. Gadelha 2021-08-05 12:40:25 PDT 
Created attachment 435014 [details]
Testcase

The failure:

ASSERTION FAILED: typeFilterFor(node->child1().useKind()) & SpecEmpty
../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(861) : void JSC::DFG::SpeculativeJIT::checkArray(JSC::DFG::Node*)
Aborted

It happens because in 32 bits empty value doesn't pass the cell check. From SpeculatedType.h:

static constexpr SpeculatedType SpecCellCheck          = is64Bit() ? (SpecCell | SpecEmpty) : SpecCell;

So when we reach the assertion, SpecEmpty is not set.

There is no assertion failure when running jsc in release mode.
Comment 1 Mikhail R. Gadelha 2021-08-05 13:21:58 PDT 
Created attachment 435018 [details]
Patch
Comment 2 Yusuke Suzuki 2021-08-05 18:54:17 PDT 
Comment on attachment 435018 [details]
Patch

r=me
Comment 3 EWS 2021-08-05 18:59:47 PDT 
Committed r280716 (240307@main): <https://commits.webkit.org/240307@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 435018 [details].
Comment 4 Radar WebKit Bug Importer 2021-08-05 19:00:17 PDT 
<rdar://problem/81595896>