Bug 246930

Summary: REGRESSION(255859@main) dfg/DFGCFAPhase.cpp(240) : JSC::DFG::CFAPhase::performBlockCFA: DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World])
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED DUPLICATE
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: Fujii Hironori <Hironori.Fujii>
Assignee: Nobody <webkit-unassigned>
CC: ysuzuki

Description Fujii Hironori 2022-10-23 20:34:02 PDT
dfg/DFGCFAPhase.cpp(240) : JSC::DFG::CFAPhase::performBlockCFA: DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World])

I'm testing with WinCairo WK1/WK2 255897@main Debug build.
Loading results.html of layout tests is causing an assertion failure.

1. Start WinCairo WK1/WK2 MiniBrowser (Debug build)
2. Load https://build.webkit.org/results/WinCairo-64-bit-WKL-Release-Tests/255899@main%20(8495)/results.html
3. Crash due to an assertion failure


DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World])
C:\home\webkit\gc\Source\JavaScriptCore\dfg/DFGCFAPhase.cpp(240) : JSC::DFG::CFAPhase::performBlockCFA

While handling node D@50

Graph at time of failure:

       11: DFG for #<no-hash>:[000001A8F73A25E0->000001A8F73A24B0->000001A8B0B26350, DFGFunctionCall, 30 (StrictMode)]:
       11:   Fixpoint state: FixpointNotConverged; Form: ThreadedCPS; Unification state: GloballyUnified; Ref count state: EverythingIsLive
       11:   Arguments for block#0: D@0, D@1, D@2

     0 11: Block #0 (bc#0): (OSR target)
     0 11:   Execution count: 1.000000
     0 11:   Predecessors:
     0 11:   Successors: #1
     0 11:   Dominated by: #root #0
     0 11:   Dominates: #0 #1
     0 11:   Dominance Frontier: 
     0 11:   Iterated Dominance Frontier: 
     0 11:   States: StructuresAreWatched
     0 11:   Vars Before: arg2:(Cell|Empty, TOP, TOP, none:StructuresAreClobbered) arg1:(Cell|Empty, TOP, TOP, none:StructuresAreClobbered) arg0:(BytecodeTop, TOP, TOP, none:StructuresAreClobbered)
     0 11:   Intersected Vars Before: arg2:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg1:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered)
     0 11:   Var Links: arg2:D@2 arg1:D@1 arg0:D@0
  0  0 11:    D@0:< 1:->	SetArgumentDefinitely(IsFlushed, this(A~<Other>/FlushedJSValue), W:SideState, bc#0, ExitValid)  predicting Other
  1  0 11:    D@1:< 1:->	SetArgumentDefinitely(IsFlushed, arg1(B<Final>/FlushedCell), W:SideState, bc#0, ExitValid)  predicting Final
  2  0 11:   D@63:<!0:->	GetLocal(Check:Untyped:D@1, JS|MustGen|PureInt, Final, arg1(B<Final>/FlushedCell), R:Stack(arg1), bc#0, ExitValid)  predicting Final
  3  0 11:   D@64:<!0:->	CheckStructure(Cell:D@63, MustGen, [%Bb:Object], R:JSCell_structureID, Exits, bc#0, ExitValid)
  4  0 11:    D@2:< 1:->	SetArgumentDefinitely(IsFlushed, arg2(C<Final>/FlushedCell), W:SideState, bc#0, ExitValid)  predicting Final
  5  0 11:   D@65:<!0:->	GetLocal(Check:Untyped:D@2, JS|MustGen|PureInt, Final, arg2(C<Final>/FlushedCell), R:Stack(arg2), bc#0, ExitValid)  predicting Final
  6  0 11:   D@66:<!0:->	CheckStructure(Cell:D@65, MustGen, [%Bb:Object], R:JSCell_structureID, Exits, bc#0, ExitValid)
  7  0 11:    D@3:< 1:->	JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid)
  8  0 11:    D@4:<!0:->	MovHint(Check:Untyped:D@3, MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitValid)
  9  0 11:    D@5:< 1:->	SetLocal(Check:Untyped:D@3, loc0(D~<Other>/FlushedJSValue), W:Stack(loc0), bc#0, ExitInvalid)  predicting Other
 10  0 11:    D@6:<!0:->	MovHint(Check:Untyped:D@3, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 11  0 11:    D@7:< 1:->	SetLocal(Check:Untyped:D@3, loc1(E~<Other>/FlushedJSValue), W:Stack(loc1), bc#0, ExitInvalid)  predicting Other
 12  0 11:    D@8:<!0:->	MovHint(Check:Untyped:D@3, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 13  0 11:    D@9:< 1:->	SetLocal(Check:Untyped:D@3, loc2(F~<Other>/FlushedJSValue), W:Stack(loc2), bc#0, ExitInvalid)  predicting Other
 14  0 11:   D@10:<!0:->	MovHint(Check:Untyped:D@3, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 15  0 11:   D@11:< 1:->	SetLocal(Check:Untyped:D@3, loc3(G~<Other>/FlushedJSValue), W:Stack(loc3), bc#0, ExitInvalid)  predicting Other
 16  0 11:   D@12:<!0:->	MovHint(Check:Untyped:D@3, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 17  0 11:   D@13:< 1:->	SetLocal(Check:Untyped:D@3, loc4(H~<Other>/FlushedJSValue), W:Stack(loc4), bc#0, ExitInvalid)  predicting Other
 18  0 11:   D@14:<!0:->	MovHint(Check:Untyped:D@3, MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 19  0 11:   D@15:< 1:->	SetLocal(Check:Untyped:D@3, loc5(I~<Other>/FlushedJSValue), W:Stack(loc5), bc#0, ExitInvalid)  predicting Other
 20  0 11:   D@16:<!0:->	Jump(MustGen, T:#1, W:SideState, bc#1, ExitValid)
     0 11:   States: InvalidBranchDirection, StructuresAreWatched
     0 11:   Vars After: arg2:(Final, NonArray, [%Bb:Object], 1:StructuresAreWatched) arg1:(Final, NonArray, [%Bb:Object], 1:StructuresAreWatched) arg0:(BytecodeTop, TOP, TOP, 1:StructuresAreWatched) loc0:(Other, Undefined, 1:StructuresAreWatched) loc1:(Other, Undefined, 1:StructuresAreWatched) loc2:(Other, Undefined, 1:StructuresAreWatched) loc3:(Other, Undefined, 1:StructuresAreWatched) loc4:(Other, Undefined, 1:StructuresAreWatched) loc5:(Other, Undefined, 1:StructuresAreWatched)
     0 11:   Var Links: arg2:D@65 arg1:D@63 arg0:D@0 loc0:D@5 loc1:D@7 loc2:D@9 loc3:D@11 loc4:D@13 loc5:D@15

     1 11: Block #1 (bc#1):
     1 11:   Execution count: 1.000000
     1 11:   Predecessors: #0
     1 11:   Successors:
     1 11:   Dominated by: #root #0 #1
     1 11:   Dominates: #1
     1 11:   Dominance Frontier: 
     1 11:   Iterated Dominance Frontier: 
     1 11:   Phi Nodes: D@60<arg1,1, IsFlushed>->(D@1), D@61<arg2,1, IsFlushed>->(D@2), D@62<this,1, IsFlushed>->(D@0)
     1 11:   States: StructuresAreWatched
     1 11:   Vars Before: arg2:(Final, NonArray, [%Bb:Object], 1:StructuresAreWatched) arg1:(Final, NonArray, [%Bb:Object], 1:StructuresAreWatched) arg0:(BytecodeTop, TOP, TOP, 1:StructuresAreWatched)
     1 11:   Intersected Vars Before: arg2:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg1:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered)
     1 11:   Var Links: arg2:D@61 arg1:D@60 arg0:D@62
  0  1 11:   D@17:< 1:->	GetCallee(JS|UseAsOther, Function, R:Stack(callee), bc#1, ExitValid)
  1  1 11:   D@18:< 1:->	GetScope(KnownCell:D@17, JS|PureInt, OtherObj, bc#1, ExitValid)
  2  1 11:   D@19:<!0:->	MovHint(Check:Untyped:D@18, MustGen, loc4, W:SideState, ClobbersExit, bc#1, ExitValid)
  3  1 11:   D@20:< 1:->	SetLocal(Check:Untyped:D@18, loc4(J~<Object>/FlushedJSValue), W:Stack(loc4), bc#1, exit: bc#3, ExitValid)  predicting OtherObj
  4  1 11:   D@21:<!0:->	MovHint(Check:Untyped:D@18, MustGen, loc5, W:SideState, ClobbersExit, bc#3, ExitValid)
  5  1 11:   D@22:< 1:->	SetLocal(Check:Untyped:D@18, loc5(K~<Object>/FlushedJSValue), W:Stack(loc5), bc#3, exit: bc#6, ExitValid)  predicting OtherObj
  6  1 11:   D@23:<!0:->	CheckTraps(MustGen, R:InternalState, W:InternalState, Exits, ClobbersExit, bc#6, ExitValid)
  7  1 11:   D@24:<!0:->	GetLocal(Check:Untyped:D@60, JS|MustGen|UseAsOther, Final, arg1(B<Final>/FlushedCell), R:Stack(arg1), bc#7, ExitValid)  predicting Final
  8  1 11:   D@25:<!0:->	FilterGetByStatus(Check:Untyped:D@24, MustGen, (Simple, <id='uid:(name)', [000001A900040800:[0000000000040800/264192, Object, (2/2, 1/4){name:0, info:1, isExpected:64}, NonArray, Proto:000001A8B0A50200, Leaf (Watched)]], [], offset = 0>, seenInJIT = true), W:SideState, bc#7, ExitValid)
  9  1 11:   D@26:<!0:->	Check(MustGen, bc#7, ExitValid)
 10  1 11:   D@27:<!0:->	CheckStructure(Cell:D@24, MustGen, [%Bb:Object], R:JSCell_structureID, Exits, bc#7, ExitValid)
 11  1 11:   D@28:< 1:->	GetByOffset(KnownCell:D@24, KnownCell:D@24, JS|UseAsOther, String, id0{name}, 0, R:NamedProperties(0), Exits, bc#7, ExitValid)  predicting String
 12  1 11:   D@29:<!0:->	MovHint(Check:Untyped:D@28, MustGen, loc10, W:SideState, ClobbersExit, bc#7, ExitValid)
 13  1 11:   D@30:< 1:->	SetLocal(Check:Untyped:D@28, loc10(M~<String>/FlushedJSValue), W:Stack(loc10), bc#7, exit: bc#12, ExitValid)  predicting String
 14  1 11:   D@31:<!0:->	FilterGetByStatus(Check:Untyped:D@28, MustGen, (Simple, <id='uid:(localeCompare)', [000001A900004250:[0000000000004250/16976, string, (0/0, 0/0){}, NonArray, Leaf (Watched)]], [<Object: 000001A8B07E18C8 with butterfly 000001A8B0A486A8(base=000001A8B0A484A0) (Structure 000001A900040790:[0000000000040790/264080, String, (0/0, 34/64){toString:64, valueOf:65, charAt:66, charCodeAt:67, codePointAt:68, indexOf:69, lastIndexOf:70, replaceUsingRegExp:71, replaceUsingStringSearch:72, replaceAllUsingStringSearch:73, slice:74, substr:75, substring:76, toLowerCase:77, toUpperCase:78, localeCompare:79, toLocaleLowerCase:80, toLocaleUpperCase:81, trim:82, startsWith:83, endsWith:84, includes:85, normalize:86, charCodeAt:87, at:88, trimStart:89, trimLeft:90, trimEnd:91, trimRight:92, Symbol.iterator:93, substr:94, endsWith:95, constructor:96, split:97}, NonArray, Proto:000001A8B08260E8, Leaf (Watched)]), StructureID: 264080: Presence of localeCompare at 79 with attributes 4>], offset = 79>, seenInJIT = true), W:SideState, bc#12, ExitValid)
 15  1 11:   D@32:<!0:->	Check(MustGen, bc#12, ExitValid)
 16  1 11:   D@33:<!0:->	CheckStructure(Check:Cell:D@28, MustGen, [%Am:string], R:JSCell_structureID, Exits, bc#12, ExitValid)
 17  1 11:   D@34:< 1:->	JSConstant(JS|UseAsOther, Function, Weak:Object: 000001A8B0960C80 with butterfly 000001A8B0A14AA8(base=000001A8B0A14A80) (Structure %BQ:Function), StructureID: 23024, bc#12, ExitValid)
 18  1 11:   D@35:<!0:->	MovHint(Check:Untyped:D@34, MustGen, loc6, W:SideState, ClobbersExit, bc#12, ExitValid)
 19  1 11:   D@36:< 1:->	SetLocal(Check:Untyped:D@34, loc6(N~<Object>/FlushedJSValue), W:Stack(loc6), bc#12, exit: bc#17, ExitValid)  predicting Function
 20  1 11:   D@37:<!0:->	GetLocal(Check:Untyped:D@61, JS|MustGen|UseAsOther, Final, arg2(C<Final>/FlushedCell), R:Stack(arg2), bc#17, ExitValid)  predicting Final
 21  1 11:   D@38:<!0:->	FilterGetByStatus(Check:Untyped:D@37, MustGen, (Simple, <id='uid:(name)', [000001A900040800:[0000000000040800/264192, Object, (2/2, 1/4){name:0, info:1, isExpected:64}, NonArray, Proto:000001A8B0A50200, Leaf (Watched)]], [], offset = 0>, seenInJIT = true), W:SideState, bc#17, ExitValid)
 22  1 11:   D@39:<!0:->	Check(MustGen, bc#17, ExitValid)
 23  1 11:   D@40:<!0:->	CheckStructure(Cell:D@37, MustGen, [%Bb:Object], R:JSCell_structureID, Exits, bc#17, ExitValid)
 24  1 11:   D@41:< 1:->	GetByOffset(KnownCell:D@37, KnownCell:D@37, JS|UseAsOther, String, id0{name}, 0, R:NamedProperties(0), Exits, bc#17, ExitValid)  predicting String
 25  1 11:   D@42:<!0:->	MovHint(Check:Untyped:D@41, MustGen, loc9, W:SideState, ClobbersExit, bc#17, ExitValid)
 26  1 11:   D@43:< 1:->	SetLocal(Check:Untyped:D@41, loc9(P~<String>/FlushedJSValue), W:Stack(loc9), bc#17, exit: bc#22, ExitValid)  predicting String
 27  1 11:   D@44:<!0:->	Flush(Check:Untyped:D@61, MustGen|IsFlushed, arg2(C<Final>/FlushedCell), R:Stack(arg2), W:SideState, bc#22, ExitValid)  predicting Final
 28  1 11:   D@45:<!0:->	Flush(Check:Untyped:D@60, MustGen|IsFlushed, arg1(B<Final>/FlushedCell), R:Stack(arg1), W:SideState, bc#22, ExitValid)  predicting Final
 29  1 11:   D@46:<!0:->	Flush(Check:Untyped:D@62, MustGen|IsFlushed, this(A~<Other>/FlushedJSValue), R:Stack(this), W:SideState, bc#22, ExitValid)  predicting Other
 30  1 11:   D@47:<!0:->	FilterCallLinkStatus(Check:Untyped:D@34, MustGen, Statically Proved, (Function: Object: 000001A8B0960C80 with butterfly 000001A8B0A14AA8(base=000001A8B0A14A80) (Structure 000001A9000059F0:[00000000000059F0/23024, Function, (0/0, 2/4){length:64, name:65}, NonArray, Proto:000001A8B0853F28, Leaf (Watched)]), StructureID: 23024; Executable: NativeExecutable:00007FFC426D6F10/00007FFC42405D60), W:SideState, bc#22, ExitValid)
 31  1 11:   D@48:<!0:->	CheckIsConstant(Cell:D@34, MustGen, <000001A8B0960C80, Function>, <host function>, Exits, bc#22, ExitValid)
 32  1 11:   D@49:<!0:->	Check(MustGen, bc#22, ExitValid)
 33  1 11:   D@50:<!0:->	StringLocaleCompare(String:D@28, Check:String:D@41, Int32|MustGen|UseAsOther, Int32, R:World, W:SideState, Exits, bc#22, ExitValid)
 34  1 11:   D@51:<!0:->	MovHint(Check:Untyped:D@50, MustGen, loc6, W:SideState, ClobbersExit, bc#22, ExitValid)
 35  1 11:   D@52:<!0:->	Check(MustGen, bc#22, ExitInvalid)
 36  1 11:   D@53:<!0:->	Check(MustGen, bc#22, ExitInvalid)
 37  1 11:   D@54:<!0:->	Check(MustGen, bc#22, ExitInvalid)
 38  1 11:   D@55:< 1:->	SetLocal(Check:Untyped:D@50, loc6(R~<Int32>/FlushedJSValue), W:Stack(loc6), bc#22, exit: bc#28, ExitValid)  predicting Int32
 39  1 11:   D@56:<!0:->	Return(Check:Untyped:D@50, MustGen, W:SideState, Exits, bc#28, ExitValid)
 40  1 11:   D@57:<!0:->	Flush(Check:Untyped:D@61, MustGen|IsFlushed, arg2(C<Final>/FlushedCell), R:Stack(arg2), W:SideState, bc#28, ExitValid)  predicting Final
 41  1 11:   D@58:<!0:->	Flush(Check:Untyped:D@60, MustGen|IsFlushed, arg1(B<Final>/FlushedCell), R:Stack(arg1), W:SideState, bc#28, ExitValid)  predicting Final
 42  1 11:   D@59:<!0:->	Flush(Check:Untyped:D@62, MustGen|IsFlushed, this(A~<Other>/FlushedJSValue), R:Stack(this), W:SideState, bc#28, ExitValid)  predicting Other
     1 11:   States: InvalidBranchDirection, StructuresAreWatched
     1 11:   Vars After: 
     1 11:   Var Links: arg2:D@37 arg1:D@24 arg0:D@46 loc4:D@20 loc5:D@22 loc6:D@55 loc9:D@43 loc10:D@30

       11: GC Values:
       11:     Weak:Object: 000001A8B0960C80 with butterfly 000001A8B0A14AA8(base=000001A8B0A14A80) (Structure %BQ:Function), StructureID: 23024
       11: Desired watchpoints:
       11:     Watchpoint sets: 
       11:     Inline watchpoint sets: 000001A900005A58, 000001A9000041D8, 000001A900004868, 000001A900040868, 000001A9000042B8
       11:     SymbolTables: 
       11:     FunctionExecutables: 
       11:     Buffer views: 
       11:     Object property conditions: <Object: 000001A8B07E18C8 with butterfly 000001A8B0A486A8(base=000001A8B0A484A0) (Structure %DY:String), StructureID: 264080: Equivalence of localeCompare with Object: 000001A8B0960C80 with butterfly 000001A8B0A14AA8(base=000001A8B0A14A80) (Structure %BQ:Function), StructureID: 23024>
       11: Structures:
       11:     %Am:string   = 000001A900004250:[0000000000004250/16976, string, (0/0, 0/0){}, NonArray, Leaf (Watched)]
       11:     %BQ:Function = 000001A9000059F0:[00000000000059F0/23024, Function, (0/0, 2/4){length:64, name:65}, NonArray, Proto:000001A8B0853F28, Leaf (Watched)]
       11:     %Bb:Object   = 000001A900040800:[0000000000040800/264192, Object, (2/2, 1/4){name:0, info:1, isExpected:64}, NonArray, Proto:000001A8B0A50200, Leaf (Watched)]
       11:     %DY:String   = 000001A900040790:[0000000000040790/264080, String, (0/0, 34/64){toString:64, valueOf:65, charAt:66, charCodeAt:67, codePointAt:68, indexOf:69, lastIndexOf:70, replaceUsingRegExp:71, replaceUsingStringSearch:72, replaceAllUsingStringSearch:73, slice:74, substr:75, substring:76, toLowerCase:77, toUpperCase:78, localeCompare:79, toLocaleLowerCase:80, toLocaleUpperCase:81, trim:82, startsWith:83, endsWith:84, includes:85, normalize:86, charCodeAt:87, at:88, trimStart:89, trimLeft:90, trimEnd:91, trimRight:92, Symbol.iterator:93, substr:94, endsWith:95, constructor:96, split:97}, NonArray, Proto:000001A8B08260E8, Leaf (Watched)]


DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World])
C:\home\webkit\gc\Source\JavaScriptCore\dfg/DFGCFAPhase.cpp(240) : JSC::DFG::CFAPhase::performBlockCFA
1   00007FFCB6F6248B WTFCrash
2   00007FFC40C9A90E WTFCrashWithInfo
3   00007FFC413CC74B JSC::DFG::CFAPhase::performBlockCFA
4   00007FFC413CC94B JSC::DFG::CFAPhase::performForwardCFA
5   00007FFC413D2DB0 JSC::DFG::CFAPhase::run
6   00007FFC41371570 JSC::DFG::runAndLog<JSC::DFG::CFAPhase>
7   00007FFC41371D44 JSC::DFG::runPhase<JSC::DFG::CFAPhase>
8   00007FFC41231724 JSC::DFG::performCFA
9   00007FFC4153F7BD JSC::DFG::Plan::compileInThreadImpl
10  00007FFC41E5B75D JSC::JITPlan::compileInThread
11  00007FFC41EF6969 JSC::JITWorklistThread::work
12  00007FFCB6F6AC0A `WTF::AutomaticThread::start'::`2'::<lambda_1>::operator()
13  00007FFCB6F6B00B WTF::Detail::CallableWrapper<`WTF::AutomaticThread::start'::`2'::<lambda_1>,void>::call
14  00007FFCB6F7A4A3 WTF::Function<void __cdecl(void)>::operator()
15  00007FFCB7018668 WTF::Thread::entryPoint
16  00007FFCB70F3244 WTF::wtfThreadEntryPoint
17  00007FFD3C321BB2 configthreadlocale
18  00007FFD3D5E7034 BaseThreadInitThunk
19  00007FFD3EC426A1 RtlUserThreadStart
Exception thrown at 0x00007FFCB6F62490 (WTF.dll) in MiniBrowser.exe: 0xC0000005: Access violation writing location 0x00000000BBADBEEF.

Comment 1 Fujii Hironori 2022-10-23 20:48:14 PDT
This is a regression between the following revision range:
 255858@main Good
 255866@main Bad

255859@main seems like the culprit.

Comment 2 Fujii Hironori 2022-10-24 13:15:47 PDT
I confirmed this is reproducible with a debug build of the Mac port, too.

Comment 3 Yusuke Suzuki 2022-10-24 13:31:26 PDT
Fixed in https://github.com/WebKit/WebKit/commit/748312d37ae615892bc463d456ed05a90a132ccf

*** This bug has been marked as a duplicate of bug 246954 ***