Created attachment 462944 [details] Testcase Tested on linux intel 64 and ARMv7. $ ./WebKitBuild/Debug/bin/jsc bar.js --useConcurrentGC=0 --returnEarlyFromInfiniteLoopsForFuzzing=1 --earlyReturnFromInfiniteLoopsLimit=1000000 --verifyGC=true --forceGCSlowPaths=true --forceEagerCompilation=1 --jitPolicyScale=0 --useConcurrentJIT=0 ASSERTION FAILED: node() /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGEdge.h(82) : JSC::DFG::UseKind JSC::DFG::Edge::useKind() const Aborted (core dumped) Backtrace: #6 0x0000555555a440fd in JSC::DFG::Edge::useKind (this=0x7fffffff6738) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGEdge.h:82 #7 0x0000555555f2be73 in JSC::DFG::StorageOperand::emplace (this=0x7fffffff6a20, jit=0x555558bc4190, edge=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2048 #8 0x0000555555f03cc0 in JSC::DFG::StorageOperand::StorageOperand (this=0x7fffffff6a20, jit=0x555558bc4190, edge=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2016 #9 0x0000555555ec8f5b in JSC::DFG::SpeculativeJIT::compileGetArrayLength (this=0x555558bc4190, node=0x555558bd6c00) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:8702 #10 0x000055555605f403 in JSC::DFG::SpeculativeJIT::compile (this=0x555558bc4190, node=0x555558bd6c00) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4411 #11 0x0000555555e91097 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x555558bc4190) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2370 #12 0x0000555555ea4a66 in JSC::DFG::SpeculativeJIT::compile (this=0x555558bc4190) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2480 #13 0x0000555555c8c304 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffa808) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:182 #14 0x0000555555c8ef8e in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffa808) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:485 #15 0x0000555555d58729 in JSC::DFG::Plan::compileInThreadImpl (this=0x555558c0d1f0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:343 #16 0x000055555659287f in JSC::JITPlan::compileInThread (this=0x555558c0d1f0, thread=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITPlan.cpp:172 #17 0x00005555565fb007 in JSC::JITWorklist::enqueue (this=0x555558bc4010, plan=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITWorklist.cpp:84 #18 0x0000555555c10096 in JSC::DFG::compileImpl (vm=..., codeBlock=0x555558c23dc0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:90 #19 0x0000555555c0fc63 in JSC::DFG::compile (vm=..., codeBlock=0x555558c23dc0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:106 #20 0x0000555556571732 in operationOptimize (vmPointer=0x555558b3fd90, bytecodeIndexBits=0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITOperations.cpp:2000 Found by Igalia Fuzzing Campaign.