Bug 246922 - RESOLVED DUPLICATE of bug 246954
DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World])
https://bugs.webkit.org/show_bug.cgi?id=246922
Mikhail R. Gadelha
Reported 2022-10-23 07:57:28 PDT
Created attachment 463181: testcase

Tested on linux intel 64 and ARMv7. Running the attached test case fails with the following message:

While handling node D@42
Graph at time of failure:

11: DFG for #<no-hash>:[0x555558c4d0c0->0x555558c4ce80->0x555558beda00, DFGFunctionCall, 32]:
11:   Fixpoint state: FixpointNotConverged; Form: ThreadedCPS; Unification state: GloballyUnified; Ref count state: EverythingIsLive
11:   Arguments for block#0: D@0, D@1
0 11: Block #0 (bc#0): (OSR target)
0 11:   Execution count: 1.000000
0 11:   Predecessors:
0 11:   Successors:
0 11:   Dominated by: #root #0
0 11:   Dominates: #0
0 11:   Dominance Frontier:
0 11:   Iterated Dominance Frontier:
0 11:   States: StructuresAreWatched
0 11:   Vars Before: arg1:(BytecodeTop, TOP, TOP, none:StructuresAreClobbered) arg0:(Cell|Empty, TOP, TOP, none:StructuresAreClobbered)
0 11:   Intersected Vars Before: arg1:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered)
0 11:   Var Links: arg1:D@1 arg0:D@0
 0 0 11:   D@0:< 1:-> SetArgumentDefinitely(IsFlushed, this(A<Final>/FlushedCell), W:SideState, bc#0, ExitValid)  predicting Final
 1 0 11:   D@52:<!0:-> GetLocal(Check:Untyped:D@0, JS|MustGen|PureInt, Final, this(A<Final>/FlushedCell), R:Stack(this), bc#0, ExitValid)  predicting Final
 2 0 11:   D@53:<!0:-> CheckStructureOrEmpty(Cell:D@52, MustGen, [%CZ:Object], R:JSCell_structureID, Exits, bc#0, ExitValid)
 3 0 11:   D@1:< 1:-> SetArgumentDefinitely(IsFlushed, arg1(B~<Other>/FlushedJSValue), W:SideState, bc#0, ExitValid)  predicting Other
 4 0 11:   D@2:< 1:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid)
 5 0 11:   D@3:<!0:-> MovHint(Check:Untyped:D@2, MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitValid)
 6 0 11:   D@4:< 1:-> SetLocal(Check:Untyped:D@2, loc0(C~<Other>/FlushedJSValue), W:Stack(loc0), bc#0, ExitInvalid)  predicting Other
 7 0 11:   D@5:<!0:-> MovHint(Check:Untyped:D@2, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 8 0 11:   D@6:< 1:-> SetLocal(Check:Untyped:D@2, loc1(D~<Other>/FlushedJSValue), W:Stack(loc1), bc#0, ExitInvalid)  predicting Other
 9 0 11:   D@7:<!0:-> MovHint(Check:Untyped:D@2, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid)
10 0 11:   D@8:< 1:-> SetLocal(Check:Untyped:D@2, loc2(E~<Other>/FlushedJSValue), W:Stack(loc2), bc#0, ExitInvalid)  predicting Other
11 0 11:   D@9:<!0:-> MovHint(Check:Untyped:D@2, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid)
12 0 11:   D@10:< 1:-> SetLocal(Check:Untyped:D@2, loc3(F~<Other>/FlushedJSValue), W:Stack(loc3), bc#0, ExitInvalid)  predicting Other
13 0 11:   D@11:<!0:-> MovHint(Check:Untyped:D@2, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid)
14 0 11:   D@12:< 1:-> SetLocal(Check:Untyped:D@2, loc4(G~<Other>/FlushedJSValue), W:Stack(loc4), bc#0, ExitInvalid)  predicting Other
15 0 11:   D@13:<!0:-> MovHint(Check:Untyped:D@2, MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid)
16 0 11:   D@14:< 1:-> SetLocal(Check:Untyped:D@2, loc5(H~<Other>/FlushedJSValue), W:Stack(loc5), bc#0, ExitInvalid)  predicting Other
17 0 11:   D@15:< 1:-> JSConstant(JS|PureInt, Function, Weak:Object: 0x555558bd6020 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %AG:Function), StructureID: 22464, bc#1, ExitValid)
18 0 11:   D@16:< 1:-> JSConstant(JS|PureInt, OtherObj, Weak:Object: 0x555558ba1cc8 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %DO:JSGlobalLexicalEnvironment), StructureID: 21792, bc#1, ExitValid)
19 0 11:   D@17:<!0:-> MovHint(Check:Untyped:D@16, MustGen, loc4, W:SideState, ClobbersExit, bc#1, ExitValid)
20 0 11:   D@18:< 1:-> SetLocal(Check:Untyped:D@16, loc4(I~<Object>/FlushedJSValue), W:Stack(loc4), bc#1, exit: bc#3, ExitValid)  predicting OtherObj
21 0 11:   D@19:<!0:-> MovHint(Check:Untyped:D@16, MustGen, loc5, W:SideState, ClobbersExit, bc#3, ExitValid)
22 0 11:   D@20:< 1:-> SetLocal(Check:Untyped:D@16, loc5(J~<Object>/FlushedJSValue), W:Stack(loc5), bc#3, exit: bc#6, ExitValid)  predicting OtherObj
23 0 11:   D@21:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#6, ExitValid)
24 0 11:   D@22:<!0:-> GetLocal(Check:Untyped:D@0, JS|MustGen|UseAsOther, Final, this(A<Final>/FlushedCell), R:Stack(this), bc#7, ExitValid)  predicting Final
25 0 11:   D@23:<!0:-> CheckStructure(Cell:D@52, MustGen, [%CZ:Object], R:JSCell_structureID, Exits, bc#7, ExitValid)
26 0 11:   D@24:<!0:-> FilterGetByStatus(Check:Untyped:D@52, MustGen, (Simple, <id='uid:(_value)', [0x7ffe000093d0:[0x93d0/37840, Object, (1/2, 0/0){_value:0}, NonArray, Proto:0x555558c04180, Leaf (Watched)]], [], offset = 0>, seenInJIT = true), W:SideState, bc#11, ExitValid)
27 0 11:   D@25:<!0:-> Check(MustGen, bc#11, ExitValid)
28 0 11:   D@26:<!0:-> CheckStructure(Cell:D@52, MustGen, [%CZ:Object], R:JSCell_structureID, Exits, bc#11, ExitValid)
29 0 11:   D@27:< 1:-> GetByOffset(KnownCell:D@52, KnownCell:D@52, JS|UseAsOther, StringIdent, id0{_value}, 0, R:NamedProperties(0), Exits, bc#11, ExitValid)  predicting StringIdent
30 0 11:   D@28:<!0:-> MovHint(Check:Untyped:D@27, MustGen, loc10, W:SideState, ClobbersExit, bc#11, ExitValid)
31 0 11:   D@29:< 1:-> SetLocal(Check:Untyped:D@27, loc10(K~<StringIdent>/FlushedJSValue), W:Stack(loc10), bc#11, exit: bc#16, ExitValid)  predicting StringIdent
32 0 11:   D@30:<!0:-> FilterGetByStatus(Check:Untyped:D@27, MustGen, (Simple, <id='uid:(localeCompare)', [0x7ffe00004250:[0x4250/16976, string, (0/0, 0/0){}, NonArray, Leaf (Watched)]], [<Object: 0x555558c13df8 with butterfly 0x555558bfc6a8(base=0x555558bfc4a0) (Structure 0x7ffe00006b70:[0x6b70/27504, String, (0/0, 33/64){toString:64, valueOf:65, charAt:66, charCodeAt:67, codePointAt:68, indexOf:69, lastIndexOf:70, replaceUsingRegExp:71, replaceUsingStringSearch:72, replaceAllUsingStringSearch:73, slice:74, substr:75, substring:76, toLowerCase:77, toUpperCase:78, localeCompare:79, toLocaleLowerCase:80, toLocaleUpperCase:81, trim:82, startsWith:83, endsWith:84, includes:85, normalize:86, charCodeAt:87, at:88, trimStart:89, trimLeft:90, trimEnd:91, trimRight:92, Symbol.iterator:93, substr:94, endsWith:95, constructor:96}, NonArray, Proto:0x555558bb5d98, Leaf (Watched)]), StructureID: 27504: Presence of localeCompare at 79 with attributes 4>], offset = 79>, seenInJIT = true), W:SideState, bc#16, ExitValid)
33 0 11:   D@31:<!0:-> Check(MustGen, bc#16, ExitValid)
34 0 11:   D@32:<!0:-> CheckStructure(Check:Cell:D@27, MustGen, [%AV:string], R:JSCell_structureID, Exits, bc#16, ExitValid)
35 0 11:   D@33:< 1:-> JSConstant(JS|UseAsOther, Function, Weak:Object: 0x555558bd4c80 with butterfly 0x555558bbca88(base=0x555558bbca60) (Structure %DI:Function), StructureID: 22800, bc#16, ExitValid)
36 0 11:   D@34:<!0:-> MovHint(Check:Untyped:D@33, MustGen, loc6, W:SideState, ClobbersExit, bc#16, ExitValid)
37 0 11:   D@35:< 1:-> SetLocal(Check:Untyped:D@33, loc6(L~<Object>/FlushedJSValue), W:Stack(loc6), bc#16, exit: bc#21, ExitValid)  predicting Function
38 0 11:   D@36:<!0:-> GetLocal(Check:Untyped:D@1, JS|MustGen|UseAsOther, Other, arg1(B~<Other>/FlushedJSValue), R:Stack(arg1), bc#21, ExitValid)  predicting Other
39 0 11:   D@37:<!0:-> MovHint(Check:Untyped:D@36, MustGen, loc9, W:SideState, ClobbersExit, bc#21, ExitValid)
40 0 11:   D@38:< 1:-> SetLocal(Check:Untyped:D@36, loc9(M~<Other>/FlushedJSValue), W:Stack(loc9), bc#21, exit: bc#24, ExitValid)  predicting Other
41 0 11:   D@39:<!0:-> FilterCallLinkStatus(Check:Untyped:D@33, MustGen, Statically Proved, (Function: Object: 0x555558bd4c80 with butterfly 0x555558bbca88(base=0x555558bbca60) (Structure 0x7ffe00005910:[0x5910/22800, Function, (0/0, 2/4){length:64, name:65}, NonArray, Proto:0x555558bb48e8, Leaf]), StructureID: 22800; Executable: NativeExecutable:0x555556cbb510/0x555556a595b0), W:SideState, bc#24, ExitValid)
42 0 11:   D@40:<!0:-> CheckIsConstant(Cell:D@33, MustGen, <0x555558bd4c80, Function>, <host function>, Exits, bc#24, ExitValid)
43 0 11:   D@41:<!0:-> Check(MustGen, bc#24, ExitValid)
44 0 11:   D@42:<!0:-> StringLocaleCompare(String:D@27, Check:String:D@36, Int32|MustGen|PureInt, Int32, R:World, W:SideState, Exits, bc#24, ExitValid)
45 0 11:   D@43:<!0:-> MovHint(Check:Untyped:D@42, MustGen, loc6, W:SideState, ClobbersExit, bc#24, ExitValid)
46 0 11:   D@44:<!0:-> Check(MustGen, bc#24, ExitInvalid)
47 0 11:   D@45:<!0:-> Check(MustGen, bc#24, ExitInvalid)
48 0 11:   D@46:<!0:-> Check(MustGen, bc#24, ExitInvalid)
49 0 11:   D@47:< 1:-> SetLocal(Check:Untyped:D@42, loc6(N~<Int32>/FlushedJSValue), W:Stack(loc6), bc#24, exit: bc#30, ExitValid)  predicting Int32
50 0 11:   D@48:< 1:-> JSConstant(JS|UseAsOther, Other, Undefined, bc#30, ExitValid)
51 0 11:   D@49:<!0:-> Return(Check:Untyped:D@48, MustGen, W:SideState, Exits, bc#30, ExitValid)
52 0 11:   D@50:<!0:-> Flush(Check:Untyped:D@1, MustGen|IsFlushed, arg1(B~<Other>/FlushedJSValue), R:Stack(arg1), W:SideState, bc#30, ExitValid)  predicting Other
53 0 11:   D@51:<!0:-> Flush(Check:Untyped:D@0, MustGen|IsFlushed, this(A<Final>/FlushedCell), R:Stack(this), W:SideState, bc#30, ExitValid)  predicting Final
0 11:   States: InvalidBranchDirection, StructuresAreWatched
0 11:   Vars After:
0 11:   Var Links: arg1:D@36 arg0:D@52 loc0:D@4 loc1:D@6 loc2:D@8 loc3:D@10 loc4:D@18 loc5:D@20 loc6:D@47 loc9:D@38 loc10:D@29
11: GC Values:
11:   Weak:Object: 0x555558bd4c80 with butterfly 0x555558bbca88(base=0x555558bbca60) (Structure %DI:Function), StructureID: 22800
11:   Weak:Object: 0x555558ba1cc8 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %DO:JSGlobalLexicalEnvironment), StructureID: 21792
11:   Weak:Object: 0x555558bd6020 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %AG:Function), StructureID: 22464
11: Desired watchpoints:
11:   Watchpoint sets:
11:   Inline watchpoint sets: 0x7ffe00005978, 0x7ffe000041d8, 0x7ffe00005588, 0x7ffe00004868, 0x7ffe00009438, 0x7ffe000042b8
11:   SymbolTables:
11:   FunctionExecutables: 0x555558beda00
11:   Buffer views:
11:   Object property conditions: <Object: 0x555558c13df8 with butterfly 0x555558bfc6a8(base=0x555558bfc4a0) (Structure %BO:String), StructureID: 27504: Equivalence of localeCompare with Object: 0x555558bd4c80 with butterfly 0x555558bbca88(base=0x555558bbca60) (Structure %DI:Function), StructureID: 22800>
11: Structures:
11:   %AG:Function = 0x7ffe000057c0:[0x57c0/22464, Function, (0/0, 0/0){}, NonArray, Proto:0x555558bb48e8]
11:   %AV:string = 0x7ffe00004250:[0x4250/16976, string, (0/0, 0/0){}, NonArray, Leaf (Watched)]
11:   %BO:String = 0x7ffe00006b70:[0x6b70/27504, String, (0/0, 33/64){toString:64, valueOf:65, charAt:66, charCodeAt:67, codePointAt:68, indexOf:69, lastIndexOf:70, replaceUsingRegExp:71, replaceUsingStringSearch:72, replaceAllUsingStringSearch:73, slice:74, substr:75, substring:76, toLowerCase:77, toUpperCase:78, localeCompare:79, toLocaleLowerCase:80, toLocaleUpperCase:81, trim:82, startsWith:83, endsWith:84, includes:85, normalize:86, charCodeAt:87, at:88, trimStart:89, trimLeft:90, trimEnd:91, trimRight:92, Symbol.iterator:93, substr:94, endsWith:95, constructor:96}, NonArray, Proto:0x555558bb5d98, Leaf (Watched)]
11:   %CZ:Object = 0x7ffe000093d0:[0x93d0/37840, Object, (1/2, 0/0){_value:0}, NonArray, Proto:0x555558c04180, Leaf (Watched)]
11:   %DI:Function = 0x7ffe00005910:[0x5910/22800, Function, (0/0, 2/4){length:64, name:65}, NonArray, Proto:0x555558bb48e8, Leaf]
11:   %DO:JSGlobalLexicalEnvironment = 0x7ffe00005520:[0x5520/21792, JSGlobalLexicalEnvironment, (0/0, 0/0){}, NonArray, Leaf (Watched)]

DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World])
/home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp(240) : void JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock *)

The backtrace:

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140736231028288) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140736231028288) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140736231028288, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff5935476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff591b7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555562d72b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:754
#6  0x0000555555b2155e in JSC::DFG::CFAPhase::performBlockCFA (this=0x7fffb50e8448, block=0x7fffa80015f0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:240
#7  0x0000555555b20eeb in JSC::DFG::CFAPhase::performForwardCFA (this=0x7fffb50e8448) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:263
#8  0x0000555555b20b6a in JSC::DFG::CFAPhase::run (this=0x7fffb50e8448) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:119
#9  0x0000555555b20111 in JSC::DFG::runAndLog<JSC::DFG::CFAPhase> (phase=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGPhase.h:84
#10 0x0000555555afd7db in JSC::DFG::runPhase<JSC::DFG::CFAPhase> (graph=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGPhase.h:95
#11 0x0000555555aa9b35 in JSC::DFG::performCFA (graph=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:279
#12 0x0000555555d593f6 in JSC::DFG::Plan::compileInThreadImpl (this=0x555558d20c60) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:276
#13 0x000055555659644f in JSC::JITPlan::compileInThread (this=0x555558d20c60, thread=0x555558c28ed0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITPlan.cpp:172
#14 0x00005555566178f0 in JSC::JITWorklistThread::work (this=0x555558c28ed0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITWorklistThread.cpp:123
#15 0x0000555557735bd2 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=0x555558c424c8) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229
#16 0x0000555557735919 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=0x555558c424c0) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/Function.h:53
#17 0x0000555555efe2d2 in WTF::Function<void ()>::operator()() const (this=0x7fffb50eae20) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/Function.h:82
#18 0x000055555777f7c8 in WTF::Thread::entryPoint (newThreadContext=0x555558c42520) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/Threading.cpp:250
#19 0x000055555780c5a5 in WTF::wtfThreadEntryPoint (context=0x555558c42520) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
#20 0x00007ffff5987b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#21 0x00007ffff5a19a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Found by Igalia Fuzzing Campaign.
Attachments
testcase (1.31 KB, text/javascript)
2022-10-23 07:57 PDT, Mikhail R. Gadelha
Radar WebKit Bug Importer
Comment 1 2022-10-23 07:57:39 PDT
Mikhail R. Gadelha
Comment 2 2022-10-25 05:25:08 PDT
*** This bug has been marked as a duplicate of bug 246954 ***
Yusuke Suzuki
Comment 3 2022-10-26 15:48:27 PDT
Not a security issue, debug only checking failure.