RESOLVED WORKSFORME 259394
ASSERTION FAILED: decontaminate()
https://bugs.webkit.org/show_bug.cgi?id=259394
anbu1024.me
Reported 2023-07-21 07:25:50 PDT
JavaScriptCore version: commit 77585442bf6a0acc7af584f838acd4653918b7e9

Test case:

```js
function foo() {
    const a = /\SK/ui;
    const b = a.exec(a);
    for (const c in b) {
        const d = a.iterator;
        a[c] = d;
        const e = new Float64Array(59856);
        let f = 0;
        do {
            const g = delete e[59856];
            const h = e.buffer;
            const i = f++;
        } while (f < 1);
    }
    const x = b >> a;
    const y = parseInt();
    const z = parseInt(y);
    return z;
}

for (let i = 0; i < 0x500; i++) {
    foo();
}
```

Error msg:

```
ASSERTION FAILED: decontaminate()
WebKit/Source/JavaScriptCore/runtime/StructureID.h(131) : Structure *JSC::StructureID::decode() const
Aborted (core dumped)
```

Backtrace:

```
#3  JSC::StructureID::decode() const ()
#4  JSC::JSCell::structure() const ()
#5  JSC::slowValidateCell(JSC::JSCell*) ()
#6  void JSC::validateCell<JSC::JSCell*>(JSC::JSCell*) ()
#7  JSC::WriteBarrierBase<JSC::PropertyTable, WTF::RawPtrTraits<JSC::PropertyTable> >::get() const ()
#8  JSC::Structure::ensurePropertyTableIfNotEmpty(JSC::VM&) ()
#9  JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&) ()
#10 JSC::JSObject::getOwnNonIndexPropertySlot(JSC::VM&, JSC::Structure*, JSC::PropertyName, JSC::PropertySlot&) ()
#11 JSC::JSObject::getOwnPropertySlotImpl(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) ()
#12 JSC::JSObject::getOwnPropertySlot(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) ()
#13 JSC::RegExpObject::getOwnPropertySlot(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) ()
#14 JSC::JSObject::getNonIndexPropertySlot(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) ()
#15 bool JSC::JSObject::getPropertySlot<false>(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) ()
#16 JSC::JSObject::get(JSC::JSGlobalObject*, JSC::PropertyName) const ()
#17 JSC::regExpProtoFuncToString(JSC::JSGlobalObject*, JSC::CallFrame*) ()
#18 vmEntryToNative ()
#19 JSC::Interpreter::executeCallImpl(JSC::VM&, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) ()
#20 JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) ()
#21 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) ()
#22 JSC::JSValue JSC::callToPrimitiveFunction<(JSC::CachedSpecialPropertyKey)1>(JSC::JSGlobalObject*, JSC::JSObject const*, JSC::PropertyName, JSC::PreferredPrimitiveType) ()
#23 JSC::JSObject::ordinaryToPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const ()
#24 JSC::JSObject::toPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const ()
#25 JSC::JSCell::toPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const ()
#26 JSC::JSValue::toPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const ()
#27 JSC::JSValue::toBigIntOrInt32(JSC::JSGlobalObject*) const ()
#28 JSC::JSValue JSC::shift<false>(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue) ()
#29 JSC::jsRShift(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue) ()
#30 operationValueBitRShift ()
```
anbu1024.me
Comment 1 2023-07-21 07:29:00 PDT
The exec cmd:

```
./jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=40 --thresholdForOptimizeAfterLongWarmUp=40 --thresholdForOptimizeSoon=40 --thresholdForFTLOptimizeAfterWarmUp=80 --thresholdForFTLOptimizeSoon=80 --validateBCE=true hello.js
```
Radar WebKit Bug Importer
Comment 2 2023-07-21 18:09:24 PDT
Yusuke Suzuki
Comment 3 2023-07-24 15:57:51 PDT
Thanks! I tried this, however I cannot reproduce it.
Yusuke Suzuki
Comment 4 2025-05-23 17:38:40 PDT
It doesn't reproduce.