RESOLVED FIXED 255279
DFG ASSERTION FAILED: Edge verification error: D@212->Check:Untyped:D@276 was expected to have type BytecodeTop but has type NonInt32AsInt52
https://bugs.webkit.org/show_bug.cgi?id=255279
Samuel Groß
Reported 2023-04-11 03:58:30 PDT
The following testcase triggers an assertion failure in debug builds of JSC at current HEAD when run with the flags --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000:

    function f3(a4) {
        const o7 = {
            ["forEach"]: "pCGSxWy10A",
            set e(a6) {
            },
        };
        return a4;
    }
    f3("forEach");
    f3("pCGSxWy10A");
    f3("function");
    const v12 = new Int8Array();
    const v14 = new Uint8ClampedArray(v12);
    for (const v15 in "pCGSxWy10A") {
        for (let v16 = 0; v16 < 100; v16++) {
            for (let v18 = 0; v18 < 10; v18++) {
                try {
                    (2147483649).toString(v16);
                } catch(e20) {
                }
            }
        }
    }
    f3(v12);
    gc(); // gc() is exposed by the jsc shell; it is not standard JavaScript

    // CRASH INFO
    // ==========
    // TERMSIG: 6
    // STDERR:
    // DFG ASSERTION FAILED: Edge verification error: D@212->Check:Untyped:D@276 was expected to have type BytecodeTop but has type NonInt32AsInt52 (34359738368)
    // /home/builder/webkit/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h(178) : void JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge(JSC::DFG::Node *, JSC::DFG::Edge) [AbstractStateType = JSC::DFG::InPlaceAbstractState]
    //
    // ARGS: --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000

Here is the backtrace from gdb:

    #0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
    #1  0x00007ffff16add2f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
    #2  0x00007ffff165eef2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #3  0x00007ffff1649472 in __GI_abort () at ./stdlib/abort.c:79
    #4  0x00007ffff74fde0f in WTFCrashWithInfoImpl () at Source/WTF/wtf/Assertions.cpp:735
    #5  0x00007ffff5b89481 in WTFCrashWithInfo<JSC::CompilerAbortReason, JSC::DFG::NodeType, JSC::DFG::NodeType, JSC::DFG::UseKind, unsigned long> (line=178, file=0x7ffff4213db5 "Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h", function=0x7ffff45aa1ab "void JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge(JSC::DFG::Node *, JSC::DFG::Edge) [AbstractStateType = JSC::DFG::InPlaceAbstractState]", counter=5373, reason=JSC::AbstractInterpreterInvalidType, misc1=JSC::DFG::ExtractFromTuple, misc2=JSC::DFG::EnumeratorNextUpdateIndexAndMode, misc3=JSC::DFG::UntypedUse, misc4=34359738368) at WTF/Headers/wtf/Assertions.h:738
    #6  0x00007ffff5b89295 in JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge (this=0x7fffa4bf9020, node=0x7fffe720f100, edge=...) at Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:178
    #7  0x00007ffff5b829b4 in JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdges (this=0x7fffa4bf9020, node=0x7fffe720f100) at Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:184
    #8  0x00007ffff5b6cc3a in JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects (this=0x7fffa4bf9020, clobberLimit=14, node=0x7fffe720f100) at Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:358
    #9  0x00007ffff5b697ea in JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute (this=0x7fffa4bf9020, indexInBlock=14) at Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:4998
    #10 0x00007ffff5b6839c in JSC::DFG::CFAPhase::performBlockCFA (this=0x7fffa4bf8f88, block=0x7fffe702d8d0) at Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:232
    #11 0x00007ffff5b67ccb in JSC::DFG::CFAPhase::performForwardCFA (this=0x7fffa4bf8f88) at Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:263
    #12 0x00007ffff5b6797a in JSC::DFG::CFAPhase::run (this=0x7fffa4bf8f88) at Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:119
    #13 0x00007ffff5b66e41 in JSC::DFG::runAndLog<JSC::DFG::CFAPhase> (phase=...) at Source/JavaScriptCore/dfg/DFGPhase.h:84
    #14 0x00007ffff5b4531b in JSC::DFG::runPhase<JSC::DFG::CFAPhase> (graph=...) at Source/JavaScriptCore/dfg/DFGPhase.h:95
    #15 0x00007ffff5aed4c5 in JSC::DFG::performCFA (graph=...) at Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:279
    #16 0x00007ffff5d9d6b7 in JSC::DFG::Plan::compileInThreadImpl (this=0x7fffe71d4700) at Source/JavaScriptCore/dfg/DFGPlan.cpp:379
    #17 0x00007ffff66c7e7f in JSC::JITPlan::compileInThread (this=0x7fffe71d4700, thread=0x7fffe70a9940) at Source/JavaScriptCore/jit/JITPlan.cpp:172
    #18 0x00007ffff6741730 in JSC::JITWorklistThread::work (this=0x7fffe70a9940) at Source/JavaScriptCore/jit/JITWorklistThread.cpp:123
    #19 0x00007ffff7500442 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=0x7fffe709b048) at Source/WTF/wtf/AutomaticThread.cpp:229
    #20 0x00007ffff7500189 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=0x7fffe709b040) at Source/WTF/wtf/Function.h:53
    #21 0x00007ffff5f4c512 in WTF::Function<void ()>::operator()() const (this=0x7fffa4bfbea0) at WTF/Headers/wtf/Function.h:82
    #22 0x00007ffff77a44e8 in WTF::Thread::entryPoint (newThreadContext=0x7fffe70a9a30) at Source/WTF/wtf/Threading.cpp:249
    #23 0x00007ffff784c125 in WTF::wtfThreadEntryPoint (context=0x7fffe70a9a30) at Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
    #24 0x00007ffff16abfd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
    #25 0x00007ffff172c66c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

I'm not sure if this assertion failure has any security implications, so I'm filing this as a security issue as a precaution.
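The report above carries a fuzzer-style "CRASH INFO" block (signal, stderr with the assertion and its source location, and the JSC flags used). When a fuzzing campaign produces many such reports, the first triage step is to parse that block, bucket reports that hit the same assertion, and rebuild the exact reproduction command. The following Python is an added example written for this page; it is not WebKit's or Fuzzilli's code. It parses a constructed copy of the report's CRASH INFO block, normalizes the DFG node ids (D@212, D@276) that vary between runs so that the same assertion on different nodes lands in one bucket, and assembles the jsc command line with the reported thresholds. The jsc binary path and testcase filename passed to repro_command are caller-supplied placeholders.

```python
"""Triage helper for JSC assertion-failure crash reports (added example).

Parses the "// CRASH INFO" block that accompanies a fuzzer testcase,
extracts the assertion, source location and JSC flags, and derives a
deduplication key in which per-run DFG node ids are normalized.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the CRASH INFO block as it appears in the report above.
SAMPLE_CRASH_INFO = """\
// CRASH INFO
// ==========
// TERMSIG: 6
// STDERR:
// DFG ASSERTION FAILED: Edge verification error: D@212->Check:Untyped:D@276 was expected to have type BytecodeTop but has type NonInt32AsInt52 (34359738368)
// /home/builder/webkit/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h(178) : void JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge(JSC::DFG::Node *, JSC::DFG::Edge) [AbstractStateType = JSC::DFG::InPlaceAbstractState]
//
// ARGS: --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000
"""


@dataclass
class CrashInfo:
    termsig: Optional[int] = None
    assertion: Optional[str] = None
    source_file: Optional[str] = None
    source_line: Optional[int] = None
    function: Optional[str] = None
    args: List[str] = field(default_factory=list)
    stderr: List[str] = field(default_factory=list)


# "path/File.h(178) : <function signature>" as printed by WTF assertions.
_LOCATION_RE = re.compile(r"^(?P<file>\S+?)\((?P<line>\d+)\)\s*:\s*(?P<func>.*)$")
# DFG node references such as D@212; their numbering changes between runs.
_NODE_RE = re.compile(r"D@\d+")
# Trailing numeric SpeculatedType bits, e.g. "(34359738368)"; redundant with the type name.
_TYPE_BITS_RE = re.compile(r"\(\d+\)")


def parse_crash_info(text: str) -> CrashInfo:
    """Parse a '// CRASH INFO' comment block into structured fields."""
    info = CrashInfo()
    in_stderr = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("//"):
            continue  # only the comment block is of interest
        body = line[2:].strip()
        if body.startswith("TERMSIG:"):
            info.termsig = int(body.split(":", 1)[1])
            in_stderr = False
        elif body.startswith("ARGS:"):
            info.args = body.split(":", 1)[1].split()
            in_stderr = False
        elif body.startswith("STDERR:"):
            in_stderr = True
        elif in_stderr and body:
            info.stderr.append(body)
            if info.assertion is None and "ASSERTION FAILED" in body:
                info.assertion = body
            m = _LOCATION_RE.match(body)
            if m and info.source_file is None:
                info.source_file = m.group("file")
                info.source_line = int(m.group("line"))
                info.function = m.group("func")
    return info


def normalize_assertion(assertion: str) -> str:
    """Replace run-specific node ids and numeric type bits so equal bugs compare equal."""
    normalized = _NODE_RE.sub("D@N", assertion)
    return _TYPE_BITS_RE.sub("", normalized).strip()


def dedup_key(info: CrashInfo) -> str:
    """Stable bucket key: source location plus the normalized assertion text."""
    location = f"{info.source_file}:{info.source_line}"
    payload = f"{location}|{normalize_assertion(info.assertion or '')}"
    return hashlib.sha256(payload.encode()).hexdigest()[:16]


def repro_command(info: CrashInfo, jsc_binary: str, testcase_path: str) -> List[str]:
    """Command line that re-runs the testcase with the reported JIT thresholds.
    jsc_binary and testcase_path are placeholders supplied by the caller."""
    return [jsc_binary, *info.args, testcase_path]


if __name__ == "__main__":
    crash = parse_crash_info(SAMPLE_CRASH_INFO)
    print("signal:", crash.termsig)
    print("location:", crash.source_file, crash.source_line)
    print("bucket:", dedup_key(crash))
    print("repro:", " ".join(repro_command(crash, "jsc", "testcase.js")))
```

Keeping the numeric SpeculatedType bits out of the key is deliberate: the type name (NonInt32AsInt52) already carries that information, and the bits are a build-specific representation.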
Attachments
Radar WebKit Bug Importer
Comment 1 2023-04-11 03:58:42 PDT
Mark Lam
Comment 2 2023-04-17 18:17:14 PDT
This is a bug in recently added new tuple code (not shipped in any products).
EWS
Comment 3 2023-04-26 14:34:57 PDT
Committed 263433@main (39dd6c8334a6): <https://commits.webkit.org/263433@main> Reviewed commits have been landed. Closing PR #12839 and removing active labels.