Bug 215841

Summary: DFG ASSERTION FAILED: m_value.isNumber() in DFGAbstractValue.cpp
Product: WebKit Reporter: zhunkibatu
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: fpizlo, keith_miller, mark.lam, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: Linux   
Attachments:
Description Flags
the minimal poc none

Description zhunkibatu 2020-08-26 00:37:53 PDT 
Created attachment 407279 [details]
the minimal poc

The following test case cause a assersion failure in DFGAbstractValue.cpp:


function main() {
    let arr = [1.1];
    function opt() {
        (function (main = arr[0x1000]) {}())
    }
    for (var i = 0; i < 0x1000; i++)
        opt(() => 0);
}

main();
Comment 1 Alexey Proskuryakov 2020-08-26 18:09:05 PDT 
DFG ASSERTION FAILED: m_value.isNumber()
./dfg/DFGAbstractValue.cpp(133) : void JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph &, JSC::DFG::NodeFlags, JSC::DFG::Node *)
undefined
>>> 1   0x105130839 WTFCrash
2   0x10675fdbb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x105dd6532 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, unsigned int, JSC::DFG::Node*)
4   0x105dd6b83 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, JSC::DFG::Node*)
5   0x105390557 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setBuiltInConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue)
6   0x1053905dc JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue)
7   0x105393556 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)::'lambda'(JSC::DFG::Edge&, JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&, JSC::DFG::Edge&) const
8   0x105385f83 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
9   0x105e9316a JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int)
10  0x105e916d6 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*)
11  0x105e91029 JSC::DFG::CFAPhase::performForwardCFA()
12  0x105e90cd6 JSC::DFG::CFAPhase::run()
13  0x105e907c4 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&)
14  0x105e5d7ab bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
15  0x105e5d775 JSC::DFG::performCFA(JSC::DFG::Graph&)
16  0x106168aa0 JSC::DFG::Plan::compileInThreadImpl()
17  0x106167348 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
18  0x1062236de JSC::DFG::Worklist::ThreadBody::work()
19  0x105145c73 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const
20  0x10514587e WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call()
21  0x1051578b2 WTF::Function<void ()>::operator()() const
22  0x1052055c8 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
23  0x105211568 WTF::wtfThreadEntryPoint(void*)
24  0x7fff6a51a109 _pthread_start
25  0x7fff6a515b8b thread_start
Segmentation fault: 11
Comment 2 Radar WebKit Bug Importer 2020-08-26 18:09:16 PDT 
<rdar://problem/67841603>
Comment 3 Saam Barati 2020-08-27 11:15:04 PDT 
Thanks for the report. Was actually just in the process of fixing this in 215894

*** This bug has been marked as a duplicate of bug 215894 ***