Bug 215841 - DFG ASSERTION FAILED: m_value.isNumber() in DFGAbstractValue.cpp
Summary: DFG ASSERTION FAILED: m_value.isNumber() in DFGAbstractValue.cpp
Status: RESOLVED DUPLICATE of bug 215894
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: All Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-08-26 00:37 PDT by zhunkibatu
Modified: 2020-08-27 11:15 PDT

See Also:


Attachments
the minimal poc (181 bytes, text/javascript)
2020-08-26 00:37 PDT, zhunkibatu

Description zhunkibatu 2020-08-26 00:37:53 PDT
Created attachment 407279 [details]
the minimal poc

The following test case causes an assertion failure in DFGAbstractValue.cpp:


function main() {
    let arr = [1.1];                    // a one-element double array
    function opt() {
        // arr[0x1000] is an out-of-bounds read, so the default
        // parameter value evaluates to undefined
        (function (main = arr[0x1000]) {}())
    }
    // call opt() repeatedly so it gets tiered up to the DFG
    for (var i = 0; i < 0x1000; i++)
        opt(() => 0);
}

main();
Comment 1 Alexey Proskuryakov 2020-08-26 18:09:05 PDT
DFG ASSERTION FAILED: m_value.isNumber()
./dfg/DFGAbstractValue.cpp(133) : void JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph &, JSC::DFG::NodeFlags, JSC::DFG::Node *)
undefined
>>> 1   0x105130839 WTFCrash
2   0x10675fdbb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x105dd6532 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, unsigned int, JSC::DFG::Node*)
4   0x105dd6b83 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, JSC::DFG::Node*)
5   0x105390557 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setBuiltInConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue)
6   0x1053905dc JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue)
7   0x105393556 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)::'lambda'(JSC::DFG::Edge&, JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&, JSC::DFG::Edge&) const
8   0x105385f83 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
9   0x105e9316a JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int)
10  0x105e916d6 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*)
11  0x105e91029 JSC::DFG::CFAPhase::performForwardCFA()
12  0x105e90cd6 JSC::DFG::CFAPhase::run()
13  0x105e907c4 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&)
14  0x105e5d7ab bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
15  0x105e5d775 JSC::DFG::performCFA(JSC::DFG::Graph&)
16  0x106168aa0 JSC::DFG::Plan::compileInThreadImpl()
17  0x106167348 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
18  0x1062236de JSC::DFG::Worklist::ThreadBody::work()
19  0x105145c73 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const
20  0x10514587e WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call()
21  0x1051578b2 WTF::Function<void ()>::operator()() const
22  0x1052055c8 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
23  0x105211568 WTF::wtfThreadEntryPoint(void*)
24  0x7fff6a51a109 _pthread_start
25  0x7fff6a515b8b thread_start
Segmentation fault: 11
Comment 2 Radar WebKit Bug Importer 2020-08-26 18:09:16 PDT
<rdar://problem/67841603>
Comment 3 Saam Barati 2020-08-27 11:15:04 PDT
Thanks for the report. Was actually just in the process of fixing this in 215894

*** This bug has been marked as a duplicate of bug 215894 ***