WebKit Bugzilla
Bug 304696 - Relax OSRAvailability validation around phantom arguments-like objects
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=304696
bigsean123
Comment 0
Reported 2025-12-25 10:50:47 PST

Created attachment 477847 [details]: check out assertion failure

While fuzzing I came across this sample triggering "DFG ASSERTION FAILED: heapPair.value.hasNode()", with said flaky.js file. I narrowed down the sample and can't seem to get it to trigger without "--validateFTLOSRExitLiveness=false --forceEagerCompilation=true" passed to the jsc binary.

    turnerhackz1@turnerhackz1-Aspire-A315-24P:~/Desktop/WebKitTest$ git describe --tags
    WebKit-7623.1.14.14.11
    turnerhackz1@turnerhackz1-Aspire-A315-24P:~/Desktop/WebKitTest$ git rev-parse HEAD
    7732a1acb12f1f24f7e32a501947a0c76d4b9492

shows the current tag for the build. Running the sample as follows produces this output:

    turnerhackz1@turnerhackz1-Aspire-A315-24P:~/Desktop/fuzzilli-main$ '/home/turnerhackz1/Desktop/WebKitTest/WebKitBuild/JSCOnly/Release/bin/jsc' --validateFTLOSRExitLiveness=true --forceEagerCompilation=true /home/turnerhackz1/Desktop/ggzfuzz/crashes/program_20251225112142_3329D242-E1C5-4410-BB1A-31200A461B9B_flaky.js
    Fuzzer output channel not available, printing to stdout instead.
EXPLORE_ACTION: {"operation":"CALL_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"constructor"}}],"isGuarded":true,"id":"v4"} EXPLORE_ACTION: {"operation":"BITWISE_AND","inputs":[{"special":{"name":"exploredValue"}},{"argument":{"index":1}}],"isGuarded":false,"id":"v11"} EXPLORE_ACTION: {"operation":"GET_PROPERTY","inputs":[{"special":{"name":"exploredValue"}},{"int":{"value":1}}],"isGuarded":false,"id":"v15"} DFG ASSERTION FAILED: heapPair.value.hasNode() /home/turnerhackz1/Desktop/WebKitTest/Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp(109) : void JSC::DFG::AvailabilityMap::validateAvailability(Graph &, Node *) const While handling node D@95 Graph at time of failure: 39: DFG for apply#BWaJWD:[0x79f3e55773c0->0x79f3e54ebf20->0x79f3e5506600, DFGFunctionCall, 35 (DidTryToEnterInLoop) (StrictMode)]: 39: Fixpoint state: FixpointNotConverged; Form: SSA; Unification state: GloballyUnified; Ref count state: EverythingIsLive 39: Argument formats for entrypoint index: 0 : FlushedJSValue, FlushedCell, FlushedCell, FlushedJSValue 0 39: Block #0 (bc#0): (OSR target) 0 39: Execution count: 1.000000 0 39: Predecessors: 0 39: Successors: #2 #1 0 39: Dominated by: #0 0 39: Dominates: #0 #1 #2 0 39: Dominance Frontier: 0 39: Iterated Dominance Frontier: 0 39: States: StructuresAreWatched 0 39: Live: 0 39: Values: 0 0 39: D@4:< 12:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid) 1 0 39: D@17:< 1:-> JSConstant(JS|PureInt, Function, Weak:Object: 0x79f3e5463d00 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %CI:Function), StructureID: 16782960, bc#0, ExitValid) 2 0 39: D@82:< 0:-> JSConstant(JS|PureInt, Function, Weak:Object: 0x79f3e5462e20 with butterfly 0x79f3e5457d48(base=0x79f3e5457d20) (Structure %C0:Function), StructureID: 16817968, bc#0, ExitValid) 3 0 39: D@31:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, StringIdent, Strong:String (atomic),8Bit:(1),length:(55): Reflect.apply requires the first 
argument be a function, StructureID: 16777808, bc#0, ExitValid) 4 0 39: D@18:< 1:-> JSConstant(JS|PureInt, OtherObj, Weak:Object: 0x79f3e503b088 with butterfly 0x79f3e5508968(base=0x79f3e5508160) (Structure %BK:global), StructureID: 16800240, bc#0, ExitValid) 5 0 39: D@101:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, StringIdent, Strong:String (atomic),8Bit:(1),length:(23): must be called with new, StructureID: 16777808, bc#0, ExitValid) 6 0 39: D@89:< 1:-> JSConstant(JS|PureInt, Empty, <JSValue()>, bc#0, ExitValid) 7 0 39: D@83:< 1:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, OtherObj, Weak:Object: 0x79f3e54ec130 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %D2:JSLexicalEnvironment), StructureID: 16785200, bc#0, ExitValid) 8 0 39: D@38:< 1:-> JSConstant(Boolean|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Bool, True, bc#0, ExitValid) 9 0 39: D@59:<!0:-> ExitOK(MustGen, W:SideState, bc#0, ExitValid) 10 0 39: D@109:<!0:-> InitializeEntrypointArguments(MustGen, W:SideState, ClobbersExit, bc#0, ExitValid) 11 0 39: D@121:<!0:-> ExitOK(MustGen, W:SideState, bc#0, ExitValid) 12 0 39: D@123:< 0:-> GetStack(JS|PureInt, OtherObj, this, FlushedJSValue, R:Stack(this), bc#0, ExitValid) 13 0 39: D@100:< 4:-> GetStack(JS|PureInt, Function, arg1, FlushedCell, R:Stack(arg1), bc#0, ExitValid) 14 0 39: D@86:< 5:-> GetStack(JS|PureInt, Final|GlobalProxy, arg2, FlushedCell, R:Stack(arg2), bc#0, ExitValid) 15 0 39: D@114:<!0:-> AssertNotEmpty(Check:Untyped:D@86, MustGen, W:SideState, Exits, bc#0, ExitValid) 16 0 39: D@115:<!0:-> CheckStructure(Cell:D@86, MustGen, [%Ae:Object], R:JSCell_structureID, Exits, bc#0, ExitValid) 17 0 39: D@64:< 3:-> GetStack(JS|PureInt, Array|DirectArguments, arg3, FlushedJSValue, R:Stack(arg3), bc#0, ExitValid) 18 0 39: D@58:<!0:-> KillStack(MustGen, loc0, W:Stack(loc0), ClobbersExit, bc#0, ExitValid) 19 0 39: D@5:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc0, W:SideState, ClobbersExit, 
bc#0, ExitInvalid) 20 0 39: D@41:<!0:-> KillStack(MustGen, loc1, W:Stack(loc1), ClobbersExit, bc#0, ExitInvalid) 21 0 39: D@7:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid) 22 0 39: D@23:<!0:-> KillStack(MustGen, loc2, W:Stack(loc2), ClobbersExit, bc#0, ExitInvalid) 23 0 39: D@9:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid) 24 0 39: D@127:<!0:-> KillStack(MustGen, loc3, W:Stack(loc3), ClobbersExit, bc#0, ExitInvalid) 25 0 39: D@11:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid) 26 0 39: D@126:<!0:-> KillStack(MustGen, loc4, W:Stack(loc4), ClobbersExit, bc#0, ExitInvalid) 27 0 39: D@13:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid) 28 0 39: D@125:<!0:-> KillStack(MustGen, loc5, W:Stack(loc5), ClobbersExit, bc#0, ExitInvalid) 29 0 39: D@15:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid) 30 0 39: D@124:<!0:-> KillStack(MustGen, loc4, W:Stack(loc4), ClobbersExit, bc#0, ExitInvalid) 31 0 39: D@19:<!0:-> MovHint(Check:Untyped:Kill:D@18, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid) 32 0 39: D@20:<!0:-> ExitOK(MustGen, W:SideState, bc#0, ExitValid) 33 0 39: D@21:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#0, ExitValid) 34 0 39: D@110:<!0:-> KillStack(MustGen, loc5, W:Stack(loc5), ClobbersExit, bc#1, ExitValid) 35 0 39: D@24:<!0:-> MovHint(Check:Untyped:Kill:D@17, MustGen, loc5, W:SideState, ClobbersExit, bc#1, ExitInvalid) 36 0 39: D@27:< 2:-> IsCallable(Check:Untyped:D@100, Boolean|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Bool, R:MiscFields, Exits, bc#4, ExitValid) 37 0 39: D@111:<!0:-> KillStack(MustGen, loc6, W:Stack(loc6), ClobbersExit, bc#4, ExitValid) 38 0 39: D@28:<!0:-> MovHint(Check:Untyped:D@27, MustGen, loc6, W:SideState, ClobbersExit, bc#4, ExitInvalid) 39 0 39: D@30:<!0:-> 
Branch(KnownBoolean:Kill:D@27, MustGen, T:#2/w:1.000000, F:#1/w:1.000000, W:SideState, bc#7, ExitValid) 0 39: States: TakeBoth, StructuresAreWatched 0 39: Live: D@4, D@31, D@38, D@64, D@83, D@86, D@89, D@100, D@101 0 39: Values: D@4=>(Other, Undefined, 1:StructuresAreWatched), D@31=>(StringIdent, NonArray, [%C2:string], String (atomic),8Bit:(1),length:(55): Reflect.apply requires the first argument be a function, StructureID: 16777808, 1:StructuresAreWatched), D@38=>(Bool, True, 1:StructuresAreWatched), D@64=>(BytecodeTop, TOP, TOP, 1:StructuresAreWatched), D@83=>(OtherObj, NonArray, [%D2:JSLexicalEnvironment], Object: 0x79f3e54ec130 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %D2:JSLexicalEnvironment), StructureID: 16785200, 1:StructuresAreWatched), D@86=>(Final, NonArray, [%Ae:Object], 1:StructuresAreWatched), D@89=>(Empty, 1:StructuresAreWatched), D@100=>(Cell|Empty, TOP, TOP, 1:StructuresAreWatched), D@101=>(StringIdent, NonArray, [%C2:string], String (atomic),8Bit:(1),length:(23): must be called with new, StructureID: 16777808, 1:StructuresAreWatched) 1 39: Block #1 (bc#10): 1 39: Execution count: 1.000000 1 39: Predecessors: #0 1 39: Successors: 1 39: Dominated by: #0 #1 1 39: Dominates: #1 1 39: Dominance Frontier: 1 39: Iterated Dominance Frontier: 1 39: States: StructuresAreWatched 1 39: Live: D@31 1 39: Values: D@31=>(StringIdent, NonArray, [%C2:string], String (atomic),8Bit:(1),length:(55): Reflect.apply requires the first argument be a function, StructureID: 16777808, 1:StructuresAreWatched) 0 1 39: D@0:<!0:-> ExitOK(MustGen, W:SideState, bc#10, ExitValid) 1 1 39: D@32:<!0:-> ThrowStaticError(String:Kill:D@31, MustGen, R:World, W:SideState, Exits, bc#10, ExitValid) 1 39: States: InvalidBranchDirection, StructuresAreWatched, CFAInvalidated 1 39: Live: 1 39: Values: 2 39: Block #2 (bc#13): 2 39: Execution count: 1.000000 2 39: Predecessors: #0 2 39: Successors: 2 39: Dominated by: #0 #2 2 39: Dominates: #2 2 39: Dominance Frontier: 2 39: 
Iterated Dominance Frontier: 2 39: States: StructuresAreWatched 2 39: Live: D@4, D@38, D@64, D@83, D@86, D@89, D@100, D@101 2 39: Values: D@4=>(Other, Undefined, 1:StructuresAreWatched), D@38=>(Bool, True, 1:StructuresAreWatched), D@64=>(BytecodeTop, TOP, TOP, 1:StructuresAreWatched), D@83=>(OtherObj, NonArray, [%D2:JSLexicalEnvironment], Object: 0x79f3e54ec130 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %D2:JSLexicalEnvironment), StructureID: 16785200, 1:StructuresAreWatched), D@86=>(Final, NonArray, [%Ae:Object], 1:StructuresAreWatched), D@89=>(Empty, 1:StructuresAreWatched), D@100=>(Cell|Empty, TOP, TOP, 1:StructuresAreWatched), D@101=>(StringIdent, NonArray, [%C2:string], String (atomic),8Bit:(1),length:(23): must be called with new, StructureID: 16777808, 1:StructuresAreWatched) 0 2 39: D@112:<!0:-> ExitOK(MustGen, W:SideState, bc#13, ExitValid) 1 2 39: D@119:<!0:-> Check(Check:Object:D@64, MustGen, Exits, bc#13, ExitValid) 2 2 39: D@113:<!0:-> KillStack(MustGen, loc6, W:Stack(loc6), ClobbersExit, bc#13, ExitValid) 3 2 39: D@39:<!0:-> MovHint(Check:Untyped:Kill:D@38, MustGen, loc6, W:SideState, ClobbersExit, bc#13, ExitInvalid) 4 2 39: D@116:<!0:-> KillStack(MustGen, loc7, W:Stack(loc7), ClobbersExit, bc#22, ExitValid) 5 2 39: D@49:<!0:-> MovHint(Check:Untyped:D@100, MustGen, loc7, W:SideState, ClobbersExit, bc#22, ExitInvalid) 6 2 39: D@55:<!0:-> FilterCallLinkStatus(Check:Untyped:D@100, MustGen, (Function: Object: 0x79f3e5462e20 with butterfly 0x79f3e5457d48(base=0x79f3e5457d20) (Structure 0x79f201009f30:[0x1009f30/16817968, Function, (0/0, 3/4){prototype:64, length:65, name:66}, NonArray, PropertyAddition, Proto:0x79f3e70185c8, Leaf]), StructureID: 16817968; Executable: F3#Besus2:[0x79f3e55741e0->0x79f3e5475900, BaselineFunctionCall, 131 (ShouldAlwaysBeInlined)]/F3#Besus3:[0x79f3e54e8e20->0x79f3e5475900, BaselineFunctionConstruct, 134]), W:SideState, bc#25, ExitValid) 7 2 39: D@57:<!0:-> CheckIsConstant(Cell:Kill:D@100, MustGen, 
<0x79f3e5462e20, Function>, F3#Besus2/Besus3:[0x79f3e5475900], Exits, bc#25, ExitValid) 8 2 39: D@60:<!2:-> VarargsLength(Check:Untyped:D@64, Int32|MustGen|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, start = loc9, count = loc11, offset = 0, mandatoryMinimum = 0, limit = 1, R:World, W:Heap, Exits, ClobbersExit, bc#25, ExitValid) 9 2 39: D@120:<!0:-> KillStack(MustGen, tmp0, W:Stack(tmp0), ClobbersExit, bc#25, ExitInvalid) 10 2 39: D@61:<!0:-> MovHint(Check:Untyped:D@60, MustGen, tmp0, W:SideState, ClobbersExit, bc#25, ExitInvalid) 11 2 39: D@118:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#25, exit: bc#25cp#1, ExitValid) 12 2 39: D@63:<!0:-> LoadVarargs(KnownInt32:Kill:D@60, Check:Untyped:Kill:D@64, MustGen, start = loc9, count = loc11, offset = 0, mandatoryMinimum = 0, limit = 1, R:World, W:Stack(loc11),Stack(loc9),Heap, Exits, ClobbersExit, bc#25cp#1, ExitValid) 13 2 39: D@122:< 0:-> GetStack(JS|PureInt, Int32, loc11, FlushedInt32, R:Stack(loc11), bc#25cp#1, ExitInvalid) 14 2 39: D@128:<!0:-> KillStack(MustGen, loc10, W:Stack(loc10), ClobbersExit, bc#25cp#1, ExitInvalid) 15 2 39: D@66:<!0:-> MovHint(Check:Untyped:D@86, MustGen, loc10, W:SideState, ClobbersExit, bc#25cp#1, ExitInvalid) 2 39: --> F3#Besus2:<0x79f3e55741e0, bc#25cp#1, TailCallVarargs, known callee: Object: 0x79f3e5462e20 with butterfly 0x79f3e5457d48(base=0x79f3e5457d20) (Structure %C0:Function), StructureID: 16817968, numArgs+this = 1, numFixup = 0, stackOffset = -16 (loc0 maps to loc16)> 16 2 39: D@117:<!0:-> InvalidationPoint(MustGen, R:Stack(loc11), W:SideState, Exits, bc#0, ExitValid) 17 2 39: D@68:<!0:-> ExitOK(MustGen, R:Stack(loc11), W:SideState, bc#0, ExitValid) 18 2 39: D@108:<!0:-> KillStack(MustGen, loc16, R:Stack(loc11), W:Stack(loc16), ClobbersExit, bc#0, ExitValid) 19 2 39: D@70:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc16, R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) 20 2 39: D@107:<!0:-> KillStack(MustGen, loc17, R:Stack(loc11), 
W:Stack(loc17), ClobbersExit, bc#0, ExitInvalid) 21 2 39: D@72:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc17, R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) 22 2 39: D@106:<!0:-> KillStack(MustGen, loc18, R:Stack(loc11), W:Stack(loc18), ClobbersExit, bc#0, ExitInvalid) 23 2 39: D@74:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc18, R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) 24 2 39: D@105:<!0:-> KillStack(MustGen, loc19, R:Stack(loc11), W:Stack(loc19), ClobbersExit, bc#0, ExitInvalid) 25 2 39: D@76:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc19, R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) 26 2 39: D@104:<!0:-> KillStack(MustGen, loc20, R:Stack(loc11), W:Stack(loc20), ClobbersExit, bc#0, ExitInvalid) 27 2 39: D@78:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc20, R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) 28 2 39: D@103:<!0:-> KillStack(MustGen, loc21, R:Stack(loc11), W:Stack(loc21), ClobbersExit, bc#0, ExitInvalid) 29 2 39: D@80:<!0:-> MovHint(Check:Untyped:Kill:D@4, MustGen, loc21, R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) 30 2 39: D@99:<!0:-> KillStack(MustGen, loc20, R:Stack(loc11), W:Stack(loc20), ClobbersExit, bc#0, ExitInvalid) 31 2 39: D@84:<!0:-> MovHint(Check:Untyped:Kill:D@83, MustGen, loc20, R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) 32 2 39: D@85:<!0:-> ExitOK(MustGen, R:Stack(loc11), W:SideState, bc#0, ExitValid) 33 2 39: D@88:<!0:-> CheckStructure(Cell:D@86, MustGen, [%Ae:Object], R:Stack(loc11),JSCell_structureID, Exits, bc#1, ExitValid) 34 2 39: D@97:<!0:-> KillStack(MustGen, loc22, R:Stack(loc11), W:Stack(loc22), ClobbersExit, bc#6, ExitValid) 35 2 39: D@90:<!0:-> MovHint(Check:Untyped:Kill:D@89, MustGen, loc22, R:Stack(loc11), W:SideState, ClobbersExit, bc#6, ExitInvalid) 36 2 39: D@69:<!0:-> PutStack(Check:Untyped:Kill:D@86, MustGen, loc10, FlushedJSValue, R:Stack(loc11), W:Stack(loc10), bc#9, ExitValid) 37 2 39: D@92:< 1:-> 
GetRestLength(Int32|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Int32, numberOfArgumentsToSkip = 0, R:Stack,Stack(loc11), bc#9, ExitValid) 38 2 39: D@3:<!0:-> KillStack(MustGen, loc25, R:Stack(loc11), W:Stack(loc25), ClobbersExit, bc#9, ExitValid) 39 2 39: D@93:<!0:-> MovHint(Check:Untyped:Kill:D@92, MustGen, loc25, R:Stack(loc11), W:SideState, ClobbersExit, bc#9, ExitInvalid) 40 2 39: D@95:<!2:-> PhantomCreateRest(JS|MustGen|PureInt, Array, numberOfArgumentsToSkip = 0, R:Stack(loc11),HeapObjectCount, W:HeapObjectCount, Exits, bc#12, ExitValid) 41 2 39: D@2:<!0:-> KillStack(MustGen, loc24, R:Stack(loc11), W:Stack(loc24), ClobbersExit, bc#12, ExitValid) 42 2 39: D@96:<!0:-> MovHint(Check:Untyped:D@95, MustGen, loc24, R:Stack(loc11), W:SideState, ClobbersExit, bc#12, ExitInvalid) 43 2 39: D@1:<!0:-> KillStack(MustGen, loc22, R:Stack(loc11), W:Stack(loc22), ClobbersExit, bc#16, ExitValid) 44 2 39: D@98:<!0:-> MovHint(Check:Untyped:Kill:D@95, MustGen, loc22, R:Stack(loc11), W:SideState, ClobbersExit, bc#16, ExitInvalid) 45 2 39: D@102:<!0:-> Throw(Check:Untyped:Kill:D@101, MustGen, R:World,Stack(loc11), W:SideState, Exits, bc#22, ExitValid) 2 39: States: InvalidBranchDirection, StructuresAreWatched, CFAInvalidated 2 39: Live: 2 39: Values: 39: GC Values: 39: Strong:Cell: 0x79f3e5506600 (%Bd:FunctionExecutable), StructureID: 16778928 39: Weak:Object: 0x79f3e5463d00 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %CI:Function), StructureID: 16782960 39: Weak:Object: 0x79f3e503b088 with butterfly 0x79f3e5508968(base=0x79f3e5508160) (Structure %BK:global), StructureID: 16800240 39: Strong:String (atomic),8Bit:(1),length:(55): Reflect.apply requires the first argument be a function, StructureID: 16777808 39: Strong:String (atomic),8Bit:(1),length:(54): Reflect.apply requires the third argument be an object, StructureID: 16777808 39: Weak:Object: 0x79f3e5462e20 with butterfly 0x79f3e5457d48(base=0x79f3e5457d20) (Structure %C0:Function), StructureID: 16817968 
39: Weak:Object: 0x79f3e54ec130 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %D2:JSLexicalEnvironment), StructureID: 16785200 39: Strong:String (atomic),8Bit:(1),length:(23): must be called with new, StructureID: 16777808 39: Weak:Object: 0x79f3e7040408 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %Eo:JSGlobalLexicalEnvironment), StructureID: 16782624 39: Weak:Object: 0x79f3e5463be0 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %BY:Function), StructureID: 16783744 39: Strong:String (atomic),8Bit:(1),length:(2): v4, StructureID: 16777808 39: Weak:Object: 0x79f3e5488370 with butterfly 0x79f3e5456d08(base=0x79f3e5456ce0) (Structure %BD:Function), StructureID: 16803712 39: Weak:Object: 0x79f3e701ac08 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %Ae0:Uint32Array), StructureID: 16803488 39: Weak:Cell: 0x79f3e5504b00 (%Bd:FunctionExecutable), StructureID: 16778928 39: Desired watchpoints: 39: Watchpoint sets: 0x79f3e7077600, 0x79f3e7059a80, 0x79f3e7077260, 0x79f3e7077500 39: Inline watchpoint sets: 0x79f2010001d8, 0x79f2010008d8, 0x79f201000718, 0x79f2010002b8, 0x79f201001f98, 0x79f2010067e8, 0x79f201001588, 0x79f2010016d8, 0x79f201006708 39: SymbolTables: 39: FunctionExecutables: 0x79f3e5506600 39: Buffer views: 39: Object property conditions: <Object: 0x79f3e503b088 with butterfly 0x79f3e5508968(base=0x79f3e5508160) (Structure %BK:global), StructureID: 16800240: Equivalence of Uint32Array with Object: 0x79f3e5488370 with butterfly 0x79f3e5456d08(base=0x79f3e5456ce0) (Structure %BD:Function), StructureID: 16803712> 39: Structures: 39: %Ae:Object = 0x79f201009910:[0x1009910/16816400, Object, (0/2, 0/0){}, NonArray, Unknown, Proto:0x79f3e547c240, Shady leaf] 39: %Ae0:Uint32Array = 0x79f2010066a0:[0x10066a0/16803488, Uint32Array, (0/0, 0/0){}, NonArray, Unknown, Proto:0x79f3e5484280, Leaf] 39: %BD:Function = 0x79f201006780:[0x1006780/16803712, Function, (0/0, 4/4){length:64, name:65, prototype:66, BYTES_PER_ELEMENT:67}, 
NonArray, Unknown, Proto:0x79f3e5488340, Leaf] 39: %BK:global = 0x79f2010059f0:[0x10059f0/16800240, global, (0/0, 130/256){Object:64, Function:65, Array:66, RegExp:67, Iterator:68, SharedArrayBuffer:69, String:70, Promise:71, BigInt:72, Symbol:73, WeakRef:74, FinalizationRegistry:75, Intl:76, WebAssembly:77, Symbol.toStringTag:78, testLoopCount:79, wasmTestLoopCount:80, atob:81, btoa:82, disassembleBase64:83, debug:84, describe:85, describeArray:86, print:87, printErr:88, prettyPrint:89, quit:90, gc:91, fullGC:92, edenGC:93, gcHeapSize:94, memoryUsageStatistics:95, MemoryFootprint:96, resetMemoryPeak:97, addressOf:98, version:99, run:100, runString:101, load:102, loadString:103, readFile:104, read:105, writeFile:106, write:107, checkSyntax:108, sleepSeconds:109, jscStack:110, openFile:111, readline:112, preciseTime:113, neverInlineFunction:114, noInline:115, noDFG:116, noFTL:117, noOSRExitFuzzing:118, numberOfDFGCompiles:119, callerIsBBQOrOMGCompiled:120, jscOptions:121, optimizeNextInvocation:122, reoptimizationRetryCount:123, transferArrayBuffer:124, failNextNewCodeBlock:125, OSRExit:126, isFinalTier:127, predictInt32:128, isInt32:129, isPureNaN:130, fiatInt52:131, effectful42:132, makeMasquerader:133, hasCustomProperties:134, createGlobalObject:135, createHeapBigInt:136, useBigInt32:137, isBigInt32:138, isHeapBigInt:139, createNonRopeNonAtomString:140, dumpTypesForAllVariables:141, drainMicrotasks:142, setTimeout:143, releaseWeakRefs:144, finalizationRegistryLiveCount:145, finalizationRegistryDeadCount:146, getRandomSeed:147, setRandomSeed:148, isRope:149, callerSourceOrigin:150, is32BitPlatform:151, checkModuleSyntax:152, checkScriptSyntax:153, platformSupportsSamplingProfiler:154, generateHeapSnapshot:155, generateHeapSnapshotForGCDebugging:156, resetSuperSamplerState:157, ensureArrayStorage:158, startSamplingProfiler:159, samplingProfilerStackTraces:160, maxArguments:161, asyncTestStart:162, asyncTestPassed:163, WebAssemblyMemoryMode:164, 
createWebAssemblyMemoryWithMode:165, console:166, $:167, $262:168, waiterListSize:169, waitForReport:170, heapCapacity:171, flashHeapAccess:172, disableRichSourceInfo:173, mallocInALoop:174, totalCompileTime:175, setUnhandledRejectionCallback:176, asDoubleNumber:177, dropAllLocks:178, performance:179, fuzzilli:180, Uint32Array:181, Float64Array:182, Uint8ClampedArray:183, WeakSet:184, Int8Array:185, Map:186, Proxy:187, Set:188, JSON:189, parseInt:190, Number:191, Math:192, Reflect:193}, NonArray, ChangePrototype, Proto:0x79f3e70083d8, Dictionary, Leaf (Watched)] 39: %BY:Function = 0x79f201001980:[0x1001980/16783744, Function, (0/0, 0/0){}, NonArray, Unknown, Proto:0x79f3e70185c8, Shady leaf] 39: %Bd:FunctionExecutable = 0x79f2010006b0:[0x10006b0/16778928, FunctionExecutable, (0/0, 0/0){}, NonArray, Unknown, Leaf (Watched)] 39: %C0:Function = 0x79f201009f30:[0x1009f30/16817968, Function, (0/0, 3/4){prototype:64, length:65, name:66}, NonArray, PropertyAddition, Proto:0x79f3e70185c8, Leaf] 39: %C2:string = 0x79f201000250:[0x1000250/16777808, string, (0/0, 0/0){}, NonArray, Unknown, Leaf (Watched)] 39: %CI:Function = 0x79f201001670:[0x1001670/16782960, Function, (0/0, 0/0){}, NonArray, Unknown, Proto:0x79f3e70185c8, Leaf (Watched)] 39: %D2:JSLexicalEnvironment = 0x79f201001f30:[0x1001f30/16785200, JSLexicalEnvironment, (0/0, 0/0){}, NonArray, Unknown, Leaf (Watched)] 39: %Eo:JSGlobalLexicalEnvironment = 0x79f201001520:[0x1001520/16782624, JSGlobalLexicalEnvironment, (0/0, 0/0){}, NonArray, Unknown, Leaf] DFG ASSERTION FAILED: heapPair.value.hasNode() /home/turnerhackz1/Desktop/WebKitTest/Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp(109) : void JSC::DFG::AvailabilityMap::validateAvailability(Graph &, Node *) const Aborted (core dumped) "
Attachments
check out assertion failure (86.48 KB, application/x-javascript), 2025-12-25 10:50 PST, bigsean123, no flags [Details]
Radar WebKit Bug Importer
Comment 1
2025-12-25 10:50:53 PST
<rdar://problem/167179244>
bigsean123
Comment 2
2025-12-25 19:33:13 PST
A simpler POC to trigger the assertion failure is:

    // Base constructor with a rest parameter; a3 is never materialized, so the DFG
    // represents it as a PhantomCreateRest (node D@95 in the graph from comment 0).
    function F0(a2, ...a3) {
        if (!new.target) {
            throw 'must be called with new';
        }
    }
    // Derived class: the implicit constructor forwards its arguments to F0 via super(...args).
    class C4 extends F0 { }
    const v5 = new C4();
    const v6 = new C4();
    const v7 = new C4();
    const v8 = new C4();
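An added regression-style harness for the pattern in comment 2. This is example code written for this page, not the reporter's file and not a WebKit test. It keeps the rest array non-escaping by reading only its length (the shape the failing graph shows: GetRestLength followed by PhantomCreateRest), drives the derived constructor both directly and through `Reflect.construct` (the fuzzed sample in comment 0 went through a varargs `apply` path), and checks the `new.target` guard. `noInline` is assumed to be the jsc shell helper and is skipped where it does not exist; the iteration count is arbitrary and only meant to let jsc tier the constructor up.

```javascript
// Example harness for the comment 2 pattern (not the reporter's code, not a WebKit test).
// Assumptions: `noInline` is the jsc shell helper (guarded below); the iteration
// count is arbitrary. Under jsc, run with the flags from comment 0, e.g.
//   jsc --validateFTLOSRExitLiveness=true --forceEagerCompilation=true harness.js
// On an affected build the DFG assertion aborts the process; on a fixed build
// (or under Node, which only checks the language semantics) main() returns 'ok'.

// Rest-parameter base constructor whose rest array never escapes: only its
// length is read, so the DFG can keep it as a PhantomCreateRest instead of
// allocating a real array.
function F0(a2, ...a3) {
  if (!new.target) {
    throw 'must be called with new';
  }
  this.restLength = a3.length;
}

// Derived class: `new C4(...)` runs the implicit `super(...args)` into F0.
class C4 extends F0 { }

// Construct C4 repeatedly so the optimizing tiers compile the constructor,
// then report the rest length recorded on the last instance.
function constructMany(iterations) {
  let last = null;
  for (let i = 0; i < iterations; i++) {
    last = new C4(i, 'x', 'y'); // a2 = i, a3 = ['x', 'y']
  }
  return last.restLength;
}

// Same constructor invoked without `new`: new.target is undefined, so the
// string is thrown. Returns the thrown value so a test can check it.
function callWithoutNew() {
  try {
    F0(1, 2, 3);
  } catch (e) {
    return e;
  }
  return null;
}

// Varargs path: construct C4 from an arguments array via Reflect.construct.
function constructViaReflect(args) {
  return Reflect.construct(C4, args).restLength;
}

if (typeof noInline === 'function') {
  noInline(constructMany);
  noInline(callWithoutNew);
  noInline(constructViaReflect);
}

// Stand-alone entry point: throws if the observable behaviour is wrong.
function main() {
  if (constructMany(10000) !== 2) throw new Error('rest length mismatch');
  if (callWithoutNew() !== 'must be called with new') throw new Error('new.target guard missing');
  if (constructViaReflect([0, 1, 2, 3, 4]) !== 4) throw new Error('Reflect.construct mismatch');
  return 'ok';
}
main();
```

Under jsc the interesting outcome is not the return value but whether the process survives the `--forceEagerCompilation=true` run; a build that still carries the bug aborts on the `heapPair.value.hasNode()` assertion before `main()` returns.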
bigsean123
Comment 3
2026-01-20 10:23:10 PST
(In reply to bigsean123 from comment #0)
numArgs+this = 1, numFixup = 0, stackOffset = -16 (loc0 maps to > loc16)> > 16 2 39: D@117:<!0:-> InvalidationPoint(MustGen, R:Stack(loc11), > W:SideState, Exits, bc#0, ExitValid) > 17 2 39: D@68:<!0:-> ExitOK(MustGen, R:Stack(loc11), W:SideState, > bc#0, ExitValid) > 18 2 39: D@108:<!0:-> KillStack(MustGen, loc16, R:Stack(loc11), > W:Stack(loc16), ClobbersExit, bc#0, ExitValid) > 19 2 39: D@70:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc16, > R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) > 20 2 39: D@107:<!0:-> KillStack(MustGen, loc17, R:Stack(loc11), > W:Stack(loc17), ClobbersExit, bc#0, ExitInvalid) > 21 2 39: D@72:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc17, > R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) > 22 2 39: D@106:<!0:-> KillStack(MustGen, loc18, R:Stack(loc11), > W:Stack(loc18), ClobbersExit, bc#0, ExitInvalid) > 23 2 39: D@74:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc18, > R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) > 24 2 39: D@105:<!0:-> KillStack(MustGen, loc19, R:Stack(loc11), > W:Stack(loc19), ClobbersExit, bc#0, ExitInvalid) > 25 2 39: D@76:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc19, > R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) > 26 2 39: D@104:<!0:-> KillStack(MustGen, loc20, R:Stack(loc11), > W:Stack(loc20), ClobbersExit, bc#0, ExitInvalid) > 27 2 39: D@78:<!0:-> MovHint(Check:Untyped:D@4, MustGen, loc20, > R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) > 28 2 39: D@103:<!0:-> KillStack(MustGen, loc21, R:Stack(loc11), > W:Stack(loc21), ClobbersExit, bc#0, ExitInvalid) > 29 2 39: D@80:<!0:-> MovHint(Check:Untyped:Kill:D@4, MustGen, loc21, > R:Stack(loc11), W:SideState, ClobbersExit, bc#0, ExitInvalid) > 30 2 39: D@99:<!0:-> KillStack(MustGen, loc20, R:Stack(loc11), > W:Stack(loc20), ClobbersExit, bc#0, ExitInvalid) > 31 2 39: D@84:<!0:-> MovHint(Check:Untyped:Kill:D@83, MustGen, loc20, > R:Stack(loc11), W:SideState, ClobbersExit, bc#0, 
ExitInvalid) > 32 2 39: D@85:<!0:-> ExitOK(MustGen, R:Stack(loc11), W:SideState, > bc#0, ExitValid) > 33 2 39: D@88:<!0:-> CheckStructure(Cell:D@86, MustGen, [%Ae:Object], > R:Stack(loc11),JSCell_structureID, Exits, bc#1, ExitValid) > 34 2 39: D@97:<!0:-> KillStack(MustGen, loc22, R:Stack(loc11), > W:Stack(loc22), ClobbersExit, bc#6, ExitValid) > 35 2 39: D@90:<!0:-> MovHint(Check:Untyped:Kill:D@89, MustGen, loc22, > R:Stack(loc11), W:SideState, ClobbersExit, bc#6, ExitInvalid) > 36 2 39: D@69:<!0:-> PutStack(Check:Untyped:Kill:D@86, MustGen, loc10, > FlushedJSValue, R:Stack(loc11), W:Stack(loc10), bc#9, ExitValid) > 37 2 39: D@92:< 1:-> > GetRestLength(Int32|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, > Int32, numberOfArgumentsToSkip = 0, R:Stack,Stack(loc11), bc#9, ExitValid) > 38 2 39: D@3:<!0:-> KillStack(MustGen, loc25, R:Stack(loc11), > W:Stack(loc25), ClobbersExit, bc#9, ExitValid) > 39 2 39: D@93:<!0:-> MovHint(Check:Untyped:Kill:D@92, MustGen, loc25, > R:Stack(loc11), W:SideState, ClobbersExit, bc#9, ExitInvalid) > 40 2 39: D@95:<!2:-> PhantomCreateRest(JS|MustGen|PureInt, Array, > numberOfArgumentsToSkip = 0, R:Stack(loc11),HeapObjectCount, > W:HeapObjectCount, Exits, bc#12, ExitValid) > 41 2 39: D@2:<!0:-> KillStack(MustGen, loc24, R:Stack(loc11), > W:Stack(loc24), ClobbersExit, bc#12, ExitValid) > 42 2 39: D@96:<!0:-> MovHint(Check:Untyped:D@95, MustGen, loc24, > R:Stack(loc11), W:SideState, ClobbersExit, bc#12, ExitInvalid) > 43 2 39: D@1:<!0:-> KillStack(MustGen, loc22, R:Stack(loc11), > W:Stack(loc22), ClobbersExit, bc#16, ExitValid) > 44 2 39: D@98:<!0:-> MovHint(Check:Untyped:Kill:D@95, MustGen, loc22, > R:Stack(loc11), W:SideState, ClobbersExit, bc#16, ExitInvalid) > 45 2 39: D@102:<!0:-> Throw(Check:Untyped:Kill:D@101, MustGen, > R:World,Stack(loc11), W:SideState, Exits, bc#22, ExitValid) > 2 39: States: InvalidBranchDirection, StructuresAreWatched, > CFAInvalidated > 2 39: Live: > 2 39: Values: > > 39: GC Values: > 39: Strong:Cell: 
0x79f3e5506600 (%Bd:FunctionExecutable), > StructureID: 16778928 > 39: Weak:Object: 0x79f3e5463d00 with butterfly > (nil)(base=0xfffffffffffffff8) (Structure %CI:Function), StructureID: > 16782960 > 39: Weak:Object: 0x79f3e503b088 with butterfly > 0x79f3e5508968(base=0x79f3e5508160) (Structure %BK:global), StructureID: > 16800240 > 39: Strong:String (atomic),8Bit:(1),length:(55): Reflect.apply > requires the first argument be a function, StructureID: 16777808 > 39: Strong:String (atomic),8Bit:(1),length:(54): Reflect.apply > requires the third argument be an object, StructureID: 16777808 > 39: Weak:Object: 0x79f3e5462e20 with butterfly > 0x79f3e5457d48(base=0x79f3e5457d20) (Structure %C0:Function), StructureID: > 16817968 > 39: Weak:Object: 0x79f3e54ec130 with butterfly > (nil)(base=0xfffffffffffffff8) (Structure %D2:JSLexicalEnvironment), > StructureID: 16785200 > 39: Strong:String (atomic),8Bit:(1),length:(23): must be called > with new, StructureID: 16777808 > 39: Weak:Object: 0x79f3e7040408 with butterfly > (nil)(base=0xfffffffffffffff8) (Structure %Eo:JSGlobalLexicalEnvironment), > StructureID: 16782624 > 39: Weak:Object: 0x79f3e5463be0 with butterfly > (nil)(base=0xfffffffffffffff8) (Structure %BY:Function), StructureID: > 16783744 > 39: Strong:String (atomic),8Bit:(1),length:(2): v4, StructureID: > 16777808 > 39: Weak:Object: 0x79f3e5488370 with butterfly > 0x79f3e5456d08(base=0x79f3e5456ce0) (Structure %BD:Function), StructureID: > 16803712 > 39: Weak:Object: 0x79f3e701ac08 with butterfly > (nil)(base=0xfffffffffffffff8) (Structure %Ae0:Uint32Array), StructureID: > 16803488 > 39: Weak:Cell: 0x79f3e5504b00 (%Bd:FunctionExecutable), > StructureID: 16778928 > 39: Desired watchpoints: > 39: Watchpoint sets: 0x79f3e7077600, 0x79f3e7059a80, > 0x79f3e7077260, 0x79f3e7077500 > 39: Inline watchpoint sets: 0x79f2010001d8, 0x79f2010008d8, > 0x79f201000718, 0x79f2010002b8, 0x79f201001f98, 0x79f2010067e8, > 0x79f201001588, 0x79f2010016d8, 0x79f201006708 > 39: 
SymbolTables: > 39: FunctionExecutables: 0x79f3e5506600 > 39: Buffer views: > 39: Object property conditions: <Object: 0x79f3e503b088 with > butterfly 0x79f3e5508968(base=0x79f3e5508160) (Structure %BK:global), > StructureID: 16800240: Equivalence of Uint32Array with Object: > 0x79f3e5488370 with butterfly 0x79f3e5456d08(base=0x79f3e5456ce0) (Structure > %BD:Function), StructureID: 16803712> > 39: Structures: > 39: %Ae:Object = > 0x79f201009910:[0x1009910/16816400, Object, (0/2, 0/0){}, NonArray, Unknown, > Proto:0x79f3e547c240, Shady leaf] > 39: %Ae0:Uint32Array = > 0x79f2010066a0:[0x10066a0/16803488, Uint32Array, (0/0, 0/0){}, NonArray, > Unknown, Proto:0x79f3e5484280, Leaf] > 39: %BD:Function = > 0x79f201006780:[0x1006780/16803712, Function, (0/0, 4/4){length:64, name:65, > prototype:66, BYTES_PER_ELEMENT:67}, NonArray, Unknown, > Proto:0x79f3e5488340, Leaf] > 39: %BK:global = > 0x79f2010059f0:[0x10059f0/16800240, global, (0/0, 130/256){Object:64, > Function:65, Array:66, RegExp:67, Iterator:68, SharedArrayBuffer:69, > String:70, Promise:71, BigInt:72, Symbol:73, WeakRef:74, > FinalizationRegistry:75, Intl:76, WebAssembly:77, Symbol.toStringTag:78, > testLoopCount:79, wasmTestLoopCount:80, atob:81, btoa:82, > disassembleBase64:83, debug:84, describe:85, describeArray:86, print:87, > printErr:88, prettyPrint:89, quit:90, gc:91, fullGC:92, edenGC:93, > gcHeapSize:94, memoryUsageStatistics:95, MemoryFootprint:96, > resetMemoryPeak:97, addressOf:98, version:99, run:100, runString:101, > load:102, loadString:103, readFile:104, read:105, writeFile:106, write:107, > checkSyntax:108, sleepSeconds:109, jscStack:110, openFile:111, readline:112, > preciseTime:113, neverInlineFunction:114, noInline:115, noDFG:116, > noFTL:117, noOSRExitFuzzing:118, numberOfDFGCompiles:119, > callerIsBBQOrOMGCompiled:120, jscOptions:121, optimizeNextInvocation:122, > reoptimizationRetryCount:123, transferArrayBuffer:124, > failNextNewCodeBlock:125, OSRExit:126, isFinalTier:127, 
predictInt32:128, > isInt32:129, isPureNaN:130, fiatInt52:131, effectful42:132, > makeMasquerader:133, hasCustomProperties:134, createGlobalObject:135, > createHeapBigInt:136, useBigInt32:137, isBigInt32:138, isHeapBigInt:139, > createNonRopeNonAtomString:140, dumpTypesForAllVariables:141, > drainMicrotasks:142, setTimeout:143, releaseWeakRefs:144, > finalizationRegistryLiveCount:145, finalizationRegistryDeadCount:146, > getRandomSeed:147, setRandomSeed:148, isRope:149, callerSourceOrigin:150, > is32BitPlatform:151, checkModuleSyntax:152, checkScriptSyntax:153, > platformSupportsSamplingProfiler:154, generateHeapSnapshot:155, > generateHeapSnapshotForGCDebugging:156, resetSuperSamplerState:157, > ensureArrayStorage:158, startSamplingProfiler:159, > samplingProfilerStackTraces:160, maxArguments:161, asyncTestStart:162, > asyncTestPassed:163, WebAssemblyMemoryMode:164, > createWebAssemblyMemoryWithMode:165, console:166, $:167, $262:168, > waiterListSize:169, waitForReport:170, heapCapacity:171, > flashHeapAccess:172, disableRichSourceInfo:173, mallocInALoop:174, > totalCompileTime:175, setUnhandledRejectionCallback:176, asDoubleNumber:177, > dropAllLocks:178, performance:179, fuzzilli:180, Uint32Array:181, > Float64Array:182, Uint8ClampedArray:183, WeakSet:184, Int8Array:185, > Map:186, Proxy:187, Set:188, JSON:189, parseInt:190, Number:191, Math:192, > Reflect:193}, NonArray, ChangePrototype, Proto:0x79f3e70083d8, Dictionary, > Leaf (Watched)] > 39: %BY:Function = > 0x79f201001980:[0x1001980/16783744, Function, (0/0, 0/0){}, NonArray, > Unknown, Proto:0x79f3e70185c8, Shady leaf] > 39: %Bd:FunctionExecutable = > 0x79f2010006b0:[0x10006b0/16778928, FunctionExecutable, (0/0, 0/0){}, > NonArray, Unknown, Leaf (Watched)] > 39: %C0:Function = > 0x79f201009f30:[0x1009f30/16817968, Function, (0/0, 3/4){prototype:64, > length:65, name:66}, NonArray, PropertyAddition, Proto:0x79f3e70185c8, Leaf] > 39: %C2:string = > 0x79f201000250:[0x1000250/16777808, string, (0/0, 0/0){}, 
NonArray, Unknown, > Leaf (Watched)] > 39: %CI:Function = > 0x79f201001670:[0x1001670/16782960, Function, (0/0, 0/0){}, NonArray, > Unknown, Proto:0x79f3e70185c8, Leaf (Watched)] > 39: %D2:JSLexicalEnvironment = > 0x79f201001f30:[0x1001f30/16785200, JSLexicalEnvironment, (0/0, 0/0){}, > NonArray, Unknown, Leaf (Watched)] > 39: %Eo:JSGlobalLexicalEnvironment = > 0x79f201001520:[0x1001520/16782624, JSGlobalLexicalEnvironment, (0/0, > 0/0){}, NonArray, Unknown, Leaf] > > > DFG ASSERTION FAILED: heapPair.value.hasNode() > /home/turnerhackz1/Desktop/WebKitTest/Source/JavaScriptCore/dfg/ > DFGAvailabilityMap.cpp(109) : void > JSC::DFG::AvailabilityMap::validateAvailability(Graph &, Node *) const > Aborted (core dumped) > "
Keith Miller
Comment 4
2026-01-22 09:21:15 PST
Pull request:
https://github.com/WebKit/WebKit/pull/57053
EWS
Comment 5
2026-01-22 13:13:14 PST
Committed 306033@main (77c9af245a2e): <https://commits.webkit.org/306033@main>
Reviewed commits have been landed. Closing PR #57053 and removing active labels.