Bug 246922 - DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World])
Status: RESOLVED DUPLICATE of bug 246954
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-10-23 07:57 PDT by Mikhail R. Gadelha
Modified: 2022-10-26 15:48 PDT

See Also:


Attachments
testcase (1.31 KB, text/javascript)
2022-10-23 07:57 PDT, Mikhail R. Gadelha

Description Mikhail R. Gadelha 2022-10-23 07:57:28 PDT
Created attachment 463181
testcase

Tested on Linux Intel 64 and ARMv7.

Running the attached test case fails with the following message:

While handling node D@42

Graph at time of failure:

       11: DFG for #<no-hash>:[0x555558c4d0c0->0x555558c4ce80->0x555558beda00, DFGFunctionCall, 32]:
       11:   Fixpoint state: FixpointNotConverged; Form: ThreadedCPS; Unification state: GloballyUnified; Ref count state: EverythingIsLive
       11:   Arguments for block#0: D@0, D@1

     0 11: Block #0 (bc#0): (OSR target)
     0 11:   Execution count: 1.000000
     0 11:   Predecessors:
     0 11:   Successors:
     0 11:   Dominated by: #root #0
     0 11:   Dominates: #0
     0 11:   Dominance Frontier: 
     0 11:   Iterated Dominance Frontier: 
     0 11:   States: StructuresAreWatched
     0 11:   Vars Before: arg1:(BytecodeTop, TOP, TOP, none:StructuresAreClobbered) arg0:(Cell|Empty, TOP, TOP, none:StructuresAreClobbered)
     0 11:   Intersected Vars Before: arg1:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered)
     0 11:   Var Links: arg1:D@1 arg0:D@0
  0  0 11:    D@0:< 1:->	SetArgumentDefinitely(IsFlushed, this(A<Final>/FlushedCell), W:SideState, bc#0, ExitValid)  predicting Final
  1  0 11:   D@52:<!0:->	GetLocal(Check:Untyped:D@0, JS|MustGen|PureInt, Final, this(A<Final>/FlushedCell), R:Stack(this), bc#0, ExitValid)  predicting Final
  2  0 11:   D@53:<!0:->	CheckStructureOrEmpty(Cell:D@52, MustGen, [%CZ:Object], R:JSCell_structureID, Exits, bc#0, ExitValid)
  3  0 11:    D@1:< 1:->	SetArgumentDefinitely(IsFlushed, arg1(B~<Other>/FlushedJSValue), W:SideState, bc#0, ExitValid)  predicting Other
  4  0 11:    D@2:< 1:->	JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid)
  5  0 11:    D@3:<!0:->	MovHint(Check:Untyped:D@2, MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitValid)
  6  0 11:    D@4:< 1:->	SetLocal(Check:Untyped:D@2, loc0(C~<Other>/FlushedJSValue), W:Stack(loc0), bc#0, ExitInvalid)  predicting Other
  7  0 11:    D@5:<!0:->	MovHint(Check:Untyped:D@2, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid)
  8  0 11:    D@6:< 1:->	SetLocal(Check:Untyped:D@2, loc1(D~<Other>/FlushedJSValue), W:Stack(loc1), bc#0, ExitInvalid)  predicting Other
  9  0 11:    D@7:<!0:->	MovHint(Check:Untyped:D@2, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 10  0 11:    D@8:< 1:->	SetLocal(Check:Untyped:D@2, loc2(E~<Other>/FlushedJSValue), W:Stack(loc2), bc#0, ExitInvalid)  predicting Other
 11  0 11:    D@9:<!0:->	MovHint(Check:Untyped:D@2, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 12  0 11:   D@10:< 1:->	SetLocal(Check:Untyped:D@2, loc3(F~<Other>/FlushedJSValue), W:Stack(loc3), bc#0, ExitInvalid)  predicting Other
 13  0 11:   D@11:<!0:->	MovHint(Check:Untyped:D@2, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 14  0 11:   D@12:< 1:->	SetLocal(Check:Untyped:D@2, loc4(G~<Other>/FlushedJSValue), W:Stack(loc4), bc#0, ExitInvalid)  predicting Other
 15  0 11:   D@13:<!0:->	MovHint(Check:Untyped:D@2, MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 16  0 11:   D@14:< 1:->	SetLocal(Check:Untyped:D@2, loc5(H~<Other>/FlushedJSValue), W:Stack(loc5), bc#0, ExitInvalid)  predicting Other
 17  0 11:   D@15:< 1:->	JSConstant(JS|PureInt, Function, Weak:Object: 0x555558bd6020 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %AG:Function), StructureID: 22464, bc#1, ExitValid)
 18  0 11:   D@16:< 1:->	JSConstant(JS|PureInt, OtherObj, Weak:Object: 0x555558ba1cc8 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %DO:JSGlobalLexicalEnvironment), StructureID: 21792, bc#1, ExitValid)
 19  0 11:   D@17:<!0:->	MovHint(Check:Untyped:D@16, MustGen, loc4, W:SideState, ClobbersExit, bc#1, ExitValid)
 20  0 11:   D@18:< 1:->	SetLocal(Check:Untyped:D@16, loc4(I~<Object>/FlushedJSValue), W:Stack(loc4), bc#1, exit: bc#3, ExitValid)  predicting OtherObj
 21  0 11:   D@19:<!0:->	MovHint(Check:Untyped:D@16, MustGen, loc5, W:SideState, ClobbersExit, bc#3, ExitValid)
 22  0 11:   D@20:< 1:->	SetLocal(Check:Untyped:D@16, loc5(J~<Object>/FlushedJSValue), W:Stack(loc5), bc#3, exit: bc#6, ExitValid)  predicting OtherObj
 23  0 11:   D@21:<!0:->	InvalidationPoint(MustGen, W:SideState, Exits, bc#6, ExitValid)
 24  0 11:   D@22:<!0:->	GetLocal(Check:Untyped:D@0, JS|MustGen|UseAsOther, Final, this(A<Final>/FlushedCell), R:Stack(this), bc#7, ExitValid)  predicting Final
 25  0 11:   D@23:<!0:->	CheckStructure(Cell:D@52, MustGen, [%CZ:Object], R:JSCell_structureID, Exits, bc#7, ExitValid)
 26  0 11:   D@24:<!0:->	FilterGetByStatus(Check:Untyped:D@52, MustGen, (Simple, <id='uid:(_value)', [0x7ffe000093d0:[0x93d0/37840, Object, (1/2, 0/0){_value:0}, NonArray, Proto:0x555558c04180, Leaf (Watched)]], [], offset = 0>, seenInJIT = true), W:SideState, bc#11, ExitValid)
 27  0 11:   D@25:<!0:->	Check(MustGen, bc#11, ExitValid)
 28  0 11:   D@26:<!0:->	CheckStructure(Cell:D@52, MustGen, [%CZ:Object], R:JSCell_structureID, Exits, bc#11, ExitValid)
 29  0 11:   D@27:< 1:->	GetByOffset(KnownCell:D@52, KnownCell:D@52, JS|UseAsOther, StringIdent, id0{_value}, 0, R:NamedProperties(0), Exits, bc#11, ExitValid)  predicting StringIdent
 30  0 11:   D@28:<!0:->	MovHint(Check:Untyped:D@27, MustGen, loc10, W:SideState, ClobbersExit, bc#11, ExitValid)
 31  0 11:   D@29:< 1:->	SetLocal(Check:Untyped:D@27, loc10(K~<StringIdent>/FlushedJSValue), W:Stack(loc10), bc#11, exit: bc#16, ExitValid)  predicting StringIdent
 32  0 11:   D@30:<!0:->	FilterGetByStatus(Check:Untyped:D@27, MustGen, (Simple, <id='uid:(localeCompare)', [0x7ffe00004250:[0x4250/16976, string, (0/0, 0/0){}, NonArray, Leaf (Watched)]], [<Object: 0x555558c13df8 with butterfly 0x555558bfc6a8(base=0x555558bfc4a0) (Structure 0x7ffe00006b70:[0x6b70/27504, String, (0/0, 33/64){toString:64, valueOf:65, charAt:66, charCodeAt:67, codePointAt:68, indexOf:69, lastIndexOf:70, replaceUsingRegExp:71, replaceUsingStringSearch:72, replaceAllUsingStringSearch:73, slice:74, substr:75, substring:76, toLowerCase:77, toUpperCase:78, localeCompare:79, toLocaleLowerCase:80, toLocaleUpperCase:81, trim:82, startsWith:83, endsWith:84, includes:85, normalize:86, charCodeAt:87, at:88, trimStart:89, trimLeft:90, trimEnd:91, trimRight:92, Symbol.iterator:93, substr:94, endsWith:95, constructor:96}, NonArray, Proto:0x555558bb5d98, Leaf (Watched)]), StructureID: 27504: Presence of localeCompare at 79 with attributes 4>], offset = 79>, seenInJIT = true), W:SideState, bc#16, ExitValid)
 33  0 11:   D@31:<!0:->	Check(MustGen, bc#16, ExitValid)
 34  0 11:   D@32:<!0:->	CheckStructure(Check:Cell:D@27, MustGen, [%AV:string], R:JSCell_structureID, Exits, bc#16, ExitValid)
 35  0 11:   D@33:< 1:->	JSConstant(JS|UseAsOther, Function, Weak:Object: 0x555558bd4c80 with butterfly 0x555558bbca88(base=0x555558bbca60) (Structure %DI:Function), StructureID: 22800, bc#16, ExitValid)
 36  0 11:   D@34:<!0:->	MovHint(Check:Untyped:D@33, MustGen, loc6, W:SideState, ClobbersExit, bc#16, ExitValid)
 37  0 11:   D@35:< 1:->	SetLocal(Check:Untyped:D@33, loc6(L~<Object>/FlushedJSValue), W:Stack(loc6), bc#16, exit: bc#21, ExitValid)  predicting Function
 38  0 11:   D@36:<!0:->	GetLocal(Check:Untyped:D@1, JS|MustGen|UseAsOther, Other, arg1(B~<Other>/FlushedJSValue), R:Stack(arg1), bc#21, ExitValid)  predicting Other
 39  0 11:   D@37:<!0:->	MovHint(Check:Untyped:D@36, MustGen, loc9, W:SideState, ClobbersExit, bc#21, ExitValid)
 40  0 11:   D@38:< 1:->	SetLocal(Check:Untyped:D@36, loc9(M~<Other>/FlushedJSValue), W:Stack(loc9), bc#21, exit: bc#24, ExitValid)  predicting Other
 41  0 11:   D@39:<!0:->	FilterCallLinkStatus(Check:Untyped:D@33, MustGen, Statically Proved, (Function: Object: 0x555558bd4c80 with butterfly 0x555558bbca88(base=0x555558bbca60) (Structure 0x7ffe00005910:[0x5910/22800, Function, (0/0, 2/4){length:64, name:65}, NonArray, Proto:0x555558bb48e8, Leaf]), StructureID: 22800; Executable: NativeExecutable:0x555556cbb510/0x555556a595b0), W:SideState, bc#24, ExitValid)
 42  0 11:   D@40:<!0:->	CheckIsConstant(Cell:D@33, MustGen, <0x555558bd4c80, Function>, <host function>, Exits, bc#24, ExitValid)
 43  0 11:   D@41:<!0:->	Check(MustGen, bc#24, ExitValid)
 44  0 11:   D@42:<!0:->	StringLocaleCompare(String:D@27, Check:String:D@36, Int32|MustGen|PureInt, Int32, R:World, W:SideState, Exits, bc#24, ExitValid)
 45  0 11:   D@43:<!0:->	MovHint(Check:Untyped:D@42, MustGen, loc6, W:SideState, ClobbersExit, bc#24, ExitValid)
 46  0 11:   D@44:<!0:->	Check(MustGen, bc#24, ExitInvalid)
 47  0 11:   D@45:<!0:->	Check(MustGen, bc#24, ExitInvalid)
 48  0 11:   D@46:<!0:->	Check(MustGen, bc#24, ExitInvalid)
 49  0 11:   D@47:< 1:->	SetLocal(Check:Untyped:D@42, loc6(N~<Int32>/FlushedJSValue), W:Stack(loc6), bc#24, exit: bc#30, ExitValid)  predicting Int32
 50  0 11:   D@48:< 1:->	JSConstant(JS|UseAsOther, Other, Undefined, bc#30, ExitValid)
 51  0 11:   D@49:<!0:->	Return(Check:Untyped:D@48, MustGen, W:SideState, Exits, bc#30, ExitValid)
 52  0 11:   D@50:<!0:->	Flush(Check:Untyped:D@1, MustGen|IsFlushed, arg1(B~<Other>/FlushedJSValue), R:Stack(arg1), W:SideState, bc#30, ExitValid)  predicting Other
 53  0 11:   D@51:<!0:->	Flush(Check:Untyped:D@0, MustGen|IsFlushed, this(A<Final>/FlushedCell), R:Stack(this), W:SideState, bc#30, ExitValid)  predicting Final
     0 11:   States: InvalidBranchDirection, StructuresAreWatched
     0 11:   Vars After: 
     0 11:   Var Links: arg1:D@36 arg0:D@52 loc0:D@4 loc1:D@6 loc2:D@8 loc3:D@10 loc4:D@18 loc5:D@20 loc6:D@47 loc9:D@38 loc10:D@29

       11: GC Values:
       11:     Weak:Object: 0x555558bd4c80 with butterfly 0x555558bbca88(base=0x555558bbca60) (Structure %DI:Function), StructureID: 22800
       11:     Weak:Object: 0x555558ba1cc8 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %DO:JSGlobalLexicalEnvironment), StructureID: 21792
       11:     Weak:Object: 0x555558bd6020 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %AG:Function), StructureID: 22464
       11: Desired watchpoints:
       11:     Watchpoint sets: 
       11:     Inline watchpoint sets: 0x7ffe00005978, 0x7ffe000041d8, 0x7ffe00005588, 0x7ffe00004868, 0x7ffe00009438, 0x7ffe000042b8
       11:     SymbolTables: 
       11:     FunctionExecutables: 0x555558beda00
       11:     Buffer views: 
       11:     Object property conditions: <Object: 0x555558c13df8 with butterfly 0x555558bfc6a8(base=0x555558bfc4a0) (Structure %BO:String), StructureID: 27504: Equivalence of localeCompare with Object: 0x555558bd4c80 with butterfly 0x555558bbca88(base=0x555558bbca60) (Structure %DI:Function), StructureID: 22800>
       11: Structures:
       11:     %AG:Function                   = 0x7ffe000057c0:[0x57c0/22464, Function, (0/0, 0/0){}, NonArray, Proto:0x555558bb48e8]
       11:     %AV:string                     = 0x7ffe00004250:[0x4250/16976, string, (0/0, 0/0){}, NonArray, Leaf (Watched)]
       11:     %BO:String                     = 0x7ffe00006b70:[0x6b70/27504, String, (0/0, 33/64){toString:64, valueOf:65, charAt:66, charCodeAt:67, codePointAt:68, indexOf:69, lastIndexOf:70, replaceUsingRegExp:71, replaceUsingStringSearch:72, replaceAllUsingStringSearch:73, slice:74, substr:75, substring:76, toLowerCase:77, toUpperCase:78, localeCompare:79, toLocaleLowerCase:80, toLocaleUpperCase:81, trim:82, startsWith:83, endsWith:84, includes:85, normalize:86, charCodeAt:87, at:88, trimStart:89, trimLeft:90, trimEnd:91, trimRight:92, Symbol.iterator:93, substr:94, endsWith:95, constructor:96}, NonArray, Proto:0x555558bb5d98, Leaf (Watched)]
       11:     %CZ:Object                     = 0x7ffe000093d0:[0x93d0/37840, Object, (1/2, 0/0){_value:0}, NonArray, Proto:0x555558c04180, Leaf (Watched)]
       11:     %DI:Function                   = 0x7ffe00005910:[0x5910/22800, Function, (0/0, 2/4){length:64, name:65}, NonArray, Proto:0x555558bb48e8, Leaf]
       11:     %DO:JSGlobalLexicalEnvironment = 0x7ffe00005520:[0x5520/21792, JSGlobalLexicalEnvironment, (0/0, 0/0){}, NonArray, Leaf (Watched)]


DFG ASSERTION FAILED: AI-clobberize disagreement; AI says ClobberedStructures while clobberize says (Direct:[SideState], Super:[World])
/home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp(240) : void JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock *)

The backtrace:

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140736231028288) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140736231028288) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140736231028288, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff5935476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff591b7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555562d72b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:754
#6  0x0000555555b2155e in JSC::DFG::CFAPhase::performBlockCFA (this=0x7fffb50e8448, block=0x7fffa80015f0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:240
#7  0x0000555555b20eeb in JSC::DFG::CFAPhase::performForwardCFA (this=0x7fffb50e8448) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:263
#8  0x0000555555b20b6a in JSC::DFG::CFAPhase::run (this=0x7fffb50e8448) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:119
#9  0x0000555555b20111 in JSC::DFG::runAndLog<JSC::DFG::CFAPhase> (phase=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGPhase.h:84
#10 0x0000555555afd7db in JSC::DFG::runPhase<JSC::DFG::CFAPhase> (graph=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGPhase.h:95
#11 0x0000555555aa9b35 in JSC::DFG::performCFA (graph=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:279
#12 0x0000555555d593f6 in JSC::DFG::Plan::compileInThreadImpl (this=0x555558d20c60) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:276
#13 0x000055555659644f in JSC::JITPlan::compileInThread (this=0x555558d20c60, thread=0x555558c28ed0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITPlan.cpp:172
#14 0x00005555566178f0 in JSC::JITWorklistThread::work (this=0x555558c28ed0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITWorklistThread.cpp:123
#15 0x0000555557735bd2 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=0x555558c424c8) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229
#16 0x0000555557735919 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=0x555558c424c0) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/Function.h:53
#17 0x0000555555efe2d2 in WTF::Function<void ()>::operator()() const (this=0x7fffb50eae20) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/Function.h:82
#18 0x000055555777f7c8 in WTF::Thread::entryPoint (newThreadContext=0x555558c42520) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/Threading.cpp:250
#19 0x000055555780c5a5 in WTF::wtfThreadEntryPoint (context=0x555558c42520) at /home/mgadelha/tools/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
#20 0x00007ffff5987b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#21 0x00007ffff5a19a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Found by Igalia Fuzzing Campaign.
Comment 1 Radar WebKit Bug Importer 2022-10-23 07:57:39 PDT
<rdar://problem/101474626>
Comment 2 Mikhail R. Gadelha 2022-10-25 05:25:08 PDT

*** This bug has been marked as a duplicate of bug 246954 ***
Comment 3 Yusuke Suzuki 2022-10-26 15:48:27 PDT
Not a security issue, debug-only checking failure.