RESOLVED FIXED282342
[JSC] ASSERTION FAILED: oldStructure == newStructure->previousID() 
https://bugs.webkit.org/show_bug.cgi?id=282342
Summary [JSC] ASSERTION FAILED: oldStructure == newStructure->previousID()
Michael Saboff
Reported 2024-10-30 11:07:46 PDT
In llint_slow_path_put_by_id, there is an ASSERT(oldStructure == newStructure->previousID()) that is immediately followed by if oldStructure == newStructure->previousID(). The ASSERT shouldn't be there, as we can crash with a Debug build that works fine with a Release build. The crash is something like: ASSERTION FAILED: oldStructure == newStructure->previousID() ./llint/LLIntSlowPaths.cpp(1137) : UGPRPair JSC::LLInt::llint_slow_path_put_by_id(CallFrame *, const JSInstruction *) 1 0x1244040c4 llint_slow_path_put_by_id 2 0x12a460b64 jsc_llint_llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__opPutByIdSlow 3 0x12a47d8e0 op_call_return_location 4 0x12a44f380 vmEntryToJavaScriptGateAfter 5 0x123ed0d40 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) ...
Attachments
Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2024-10-30 11:08:12 PDT
<rdar://138178461>
Michael Saboff
Comment 2 2024-10-30 11:27:50 PDT
Pull request: https://github.com/WebKit/WebKit/pull/35952
EWS
Comment 3 2024-10-30 17:58:22 PDT
Committed 285932@main (424a5b978e64): <https://commits.webkit.org/285932@main> Reviewed commits have been landed. Closing PR #35952 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.