Bug 206665

Summary: REGRESSION: (r254969) css3/shapes/shape-outside/values/shape-outside-ellipse-004.html is crashing
Product: WebKit
Reporter: Jacob Uphoff <jacob_uphoff>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: webkit-bot-watchers-bugzilla, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Jacob Uphoff 2020-01-23 08:52:28 PST
css3/shapes/shape-outside/values/shape-outside-ellipse-004.html is crashing and this started on commit 254969

I did not try to reproduce the crash. It is happening on debug with wk1 and wk2 on macOS and iOS.

History: 
https://results.webkit.org/?suite=layout-tests&test=css3%2Fshapes%2Fshape-outside%2Fvalues%2Fshape-outside-ellipse-004.html

Crasher:

No crash log found for com.apple.WebKit.WebContent.Development:19258.

stdout:

stderr:
ASSERTION FAILED: bits < (1ULL << maxBits)
/Volumes/Data/slave/ios-simulator-13-debug/build/Source/JavaScriptCore/bytecode/Operands.h(79) : uint64_t JSC::Operand::asBits() const
1   0x3e4f76be9 WTFCrash
2   0x3e61777fb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x3e57137ee JSC::Operand::asBits() const
4   0x3e572eac1 JSC::DFG::OpInfo::OpInfo(JSC::Operand)
5   0x3e572ea2d JSC::DFG::OpInfo::OpInfo(JSC::Operand)
6   0x3e5752b67 JSC::DFG::ByteCodeParser::setDirect(JSC::Operand, JSC::DFG::Node*, JSC::DFG::ByteCodeParser::SetMode)
7   0x3e579b4d8 JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3::operator()(JSC::CodeBlock*) const
8   0x3e5751b3a void JSC::DFG::ByteCodeParser::inlineCall<JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3>(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallVariant, int, int, JSC::InlineCallFrame::Kind, JSC::DFG::BasicBlock*, JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)::$_3 const&)
9   0x3e5751815 JSC::DFG::ByteCodeParser::handleVarargsInlining(JSC::DFG::Node*, JSC::VirtualRegister, JSC::CallLinkStatus const&, int, JSC::VirtualRegister, JSC::VirtualRegister, unsigned int, JSC::DFG::NodeType, JSC::InlineCallFrame::Kind)
10  0x3e57748dc JSC::DFG::ByteCodeParser::Terminality JSC::DFG::ByteCodeParser::handleVarargsCall<JSC::OpCallVarargs>(JSC::Instruction const*, JSC::DFG::NodeType, JSC::CallMode)
11  0x3e5768b93 JSC::DFG::ByteCodeParser::parseBlock(unsigned int)
12  0x3e5778ba4 JSC::DFG::ByteCodeParser::parseCodeBlock()
13  0x3e57792b0 JSC::DFG::ByteCodeParser::parse()
14  0x3e577a7bb JSC::DFG::parse(JSC::DFG::Graph&)
15  0x3e59f4af8 JSC::DFG::Plan::compileInThreadImpl()
16  0x3e59f4298 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
17  0x3e5b3a8c0 JSC::DFG::Worklist::ThreadBody::work()
18  0x3e4f8d139 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const
19  0x3e4f8cd29 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call()
20  0x3e4fa10aa WTF::Function<void ()>::operator()() const
21  0x3e504a610 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
22  0x3e5056795 WTF::wtfThreadEntryPoint(void*)
23  0x10e8cad76 _pthread_start
24  0x10e8c75d7 thread_start
LEAK: 1 WebPageProxy

Comment 1 Radar WebKit Bug Importer 2020-01-23 08:53:00 PST
<rdar://problem/58836312>

Comment 2 Jacob Uphoff 2020-01-23 08:59:12 PST
This bug looks like it has been fixed https://trac.webkit.org/changeset/254975/webkit

Comment 3 Radar WebKit Bug Importer 2020-01-23 08:59:24 PST
<rdar://problem/58836481>