Created attachment 474718 [details] Crashed DFG dump. Hello, I found an assertion failure in JavaScriptCore DFG. (commit id:20cf90f5dc83e37db3897195555c3c110b401638) ================test.js=============== function f0(a1) { a1[65536]; } for (let v4 = 0; v4 < 100; v4++) { const v5 = [v4]; const v6 = v5.map(f0); for (const v7 of v5) { v6.slice(); try { v7(); } catch(e10) {} } for (let v11 = 0; v11 < 84; v11++) {} } ==================================== Compiler JavaScriptCore in debug mode. Run args: ./jsc --useConcurrentJIT=0 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 test.js Result: ASSERTION FAILED: !edge->isPhantomAllocation() /webkit_latest/Source/JavaScriptCore/dfg/DFGValidate.cpp(986) : auto JSC::DFG::(anonymous namespace)::Validate::validateSSA()::(anonymous class)::operator()(const Edge &) const Aborted (core dumped) Stack trace: (lldb) bt * thread #1, name = 'jsc', stop reason = signal SIGABRT * frame #0: 0x00007ffff56afe5c libc.so.6`__pthread_kill_implementation + 268 frame #1: 0x00007ffff565fa76 libc.so.6`raise + 22 frame #2: 0x00007ffff56497fc libc.so.6`abort + 215 frame #3: 0x0000555557919652 jsc`JSC::DFG::(anonymous namespace)::Validate::validateSSA(this=0x00007fffffff89c0, edge=0x00007fffeb0c2b18)::'lambda'(JSC::DFG::Edge const&)::operator()(JSC::DFG::Edge const&) const at DFGValidate.cpp:986:29 frame #4: 0x0000555557919594 jsc`void JSC::DFG::Graph::doToChildren<JSC::DFG::(anonymous namespace)::Validate::validateSSA()::'lambda'(JSC::DFG::Edge const&)>(this=0x00007fffffff8910, (null)=0x00007fffeb0c2b00, edge=0x00007fffeb0c2b18)::Validate::validateSSA()::'lambda'(JSC::DFG::Edge const&) const&)::ForwardingFunc::operator()(JSC::DFG::Node*, JSC::DFG::Edge&) const at DFGGraph.h:801:17 frame #5: 0x0000555557919525 jsc`void JSC::DFG::Graph::doToChildrenWithNode<void JSC::DFG::Graph::doToChildren<JSC::DFG::(anonymous namespace)::Validate::validateSSA()::'lambda'(JSC::DFG::Edge const&)>(JSC::DFG::Node*, JSC::DFG::(anonymous namespace)::Validate::validateSSA()::'lambda'(JSC::DFG::Edge const&) const&)::ForwardingFunc>(this=0x00007fffffffb848, node=0x00007fffeb0c2b00, functor=0x00007fffffff8910)::Validate::validateSSA()::'lambda'(JSC::DFG::Edge const&) const&) at DFGGraph.h:785:9 frame #6: 0x0000555557918962 jsc`void JSC::DFG::Graph::doToChildren<JSC::DFG::(anonymous namespace)::Validate::validateSSA()::'lambda'(JSC::DFG::Edge const&)>(this=0x00007fffffffb848, node=0x00007fffeb0c2b00, functor=0x00007fffffff89c0)::Validate::validateSSA()::'lambda'(JSC::DFG::Edge const&) const&) at DFGGraph.h:808:9 frame #7: 0x0000555557915b71 jsc`JSC::DFG::(anonymous namespace)::Validate::validateSSA(this=0x00007fffffff9138) at DFGValidate.cpp:983:29 frame #8: 0x000055555791022b jsc`JSC::DFG::(anonymous namespace)::Validate::validate(this=0x00007fffffff9138) at DFGValidate.cpp:455:13 frame #9: 0x000055555790c34f jsc`JSC::DFG::validate(graph=0x00007fffffffb848, graphDumpMode=DumpGraph, graphDumpBeforePhase=<unavailable>) at DFGValidate.cpp:1120:22 frame #10: 0x00005555576021c8 jsc`JSC::DFG::(anonymous namespace)::dumpAndVerifyGraph(graph=0x00007fffffffb848, text="Graph just before FTL lowering:", forceDump=false) at DFGPlan.cpp:108:9 frame #11: 0x0000555557601a94 jsc`JSC::DFG::Plan::compileInThreadImpl(this=0x00007fffeb050c40) at DFGPlan.cpp:461:9 frame #12: 0x0000555558154942 jsc`JSC::JITPlan::compileInThread(this=0x00007fffeb050c40, thread=0x0000000000000000) at JITPlan.cpp:207:28 frame #13: 0x00005555581ab1b7 jsc`JSC::JITWorklist::enqueue(this=0x00007fffeb0a81a0, plan=Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan>, WTF::DefaultRefDerefTraits<JSC::JITPlan> > @ 0x00007fffffffc258) at JITWorklist.cpp:91:15 frame #14: 0x000055555733f9a9 jsc`JSC::DFG::compileImpl(vm=0x00007fffe9400000, codeBlock=0x00007fffe90f86a0, profiledDFGCodeBlock=0x00007fffe90f8480, mode=FTLForOSREntry, osrEntryBytecodeIndex=(m_packedBits = 920), mustHandleValues=0x00007fffffffc478, callback=0x00007fffffffc320) at DFGDriver.cpp:88:21 frame #15: 0x000055555733f513 jsc`JSC::DFG::compile(vm=0x00007fffe9400000, codeBlock=0x00007fffe90f86a0, profiledDFGCodeBlock=0x00007fffe90f8480, mode=FTLForOSREntry, osrEntryBytecodeIndex=(m_packedBits = 920), mustHandleValues=0x00007fffffffc478, callback=0x00007fffffffc440) at DFGDriver.cpp:104:12 frame #16: 0x00005555574e774e jsc`JSC::DFG::tierUpCommon(vm=0x00007fffe9400000, callFrame=0x00007fffffffc7f0, originBytecodeIndex=(m_packedBits = 920), canOSREnterHere=true) at DFGOperations.cpp:5483:40 frame #17: 0x00005555574e7ccf jsc`::operationTriggerOSREntryNow(vmPointer=0x00007fffe9400000, bytecodeIndexBits=920) at DFGOperations.cpp:5561:12 frame #18: 0x00007fffa8e650e0 frame #19: 0x0000555556ed87a7 jsc`llint_call_javascript + 6 frame #20: 0x000055555805a9e1 jsc`JSC::Interpreter::executeProgram(this=0x00007fffe9416528, source=0x00007fffffffd750, (null)=0x00007fffe903a088, thisObj=0x00007fffeb01e248) at Interpreter.cpp:1199:28 frame #21: 0x00005555584a782b jsc`JSC::evaluate(globalObject=0x00007fffe903a088, source=0x00007fffffffd750, thisValue=JSValue @ 0x00007fffffffd650, returnedException=0x00007fffffffd770) at Completion.cpp:138:37 frame #22: 0x0000555556c1d9a6 jsc`runWithOptions(globalObject=0x00007fffe903a088, options=0x00005555598a2040, success=0x00007fffffffdba3) at jsc.cpp:3823:35 frame #23: 0x0000555556bc38bc jsc`jscmain(this=0x00007fffffffdc70, vm=0x00007fffe9400000, globalObject=0x00007fffe903a088, success=0x00007fffffffdba3)::$_0::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4512:13 frame #24: 0x0000555556b8486d jsc`int runJSC<jscmain(int, char**)::$_0>(options=0x00005555598a2040, isWorker=false, func=0x00007fffffffdc70)::$_0 const&) at jsc.cpp:4303:13 frame #25: 0x0000555556b820f6 jsc`jscmain(argc=7, argv=0x00007fffffffddf8) at jsc.cpp:4505:18 frame #26: 0x0000555556b81e4c jsc`main(argc=7, argv=0x00007fffffffddf8) at jsc.cpp:3579:15 frame #27: 0x00007ffff564a510 libc.so.6`__libc_start_call_main + 128 frame #28: 0x00007ffff564a5c9 libc.so.6`__libc_start_main@@GLIBC_2.34 + 137 frame #29: 0x0000555556b7be25 jsc`_start + 37 Graph dump is attached.