Created attachment 460795
Testcase
Found by Igalia Fuzzing Campaign. The attached test case fails with the following message:
ASSERTION FAILED: variant.intrinsic() == NoIntrinsic
WebKit//Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp(4788) : void JSC::DFG::ByteCodeParser::handleGetById(JSC::VirtualRegister, JSC::SpeculatedType, JSC::DFG::Node*, JSC::CacheableIdentifier, unsigned int, JSC::GetByStatus, JSC::AccessType, JSC::BytecodeIndex)
<rdar://problem/96836847>
This is a stale assertion. Let's drop it.
Previously, all intrinsic getters were handled. So at this point, it should be NoIntrinsic. But the 4GB wasm array work added a case which can fail. But then, we should just continue using this generic path, invoking a getter. Thus, this assertion is stale. Let's just remove it. And marking it non-security since the solution is just removing this assertion and this is a debug assertion.
Pull request: https://github.com/WebKit/WebKit/pull/2333
Committed 252391@main (1f3e8b70b999): <https://commits.webkit.org/252391@main>
Reviewed commits have been landed. Closing PR #2333 and removing active labels.