[Webkit-unassigned] [Bug 149965] REGRESSION: ASSERT (impl->isAtomic()) @ facebook.com

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 9 13:01:51 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=149965

--- Comment #2 from Filip Pizlo <fpizlo at apple.com> ---
(In reply to comment #1)
> I debugged this a little.
> 
> In the crashing case, the AbstractInterpreter executes CheckIdent and *does
> not* find a constant. Then, the DFGConstantFoldingPhase executes CheckIdent
> and *does* find a constant. The DFGConstantFoldingPhase constant is string
> equal to the uid expected by CheckIdent, but it is a plain string and not an
> atomic string.

It's more subtle than that.

The constant folding phase code is assuming that it is running after m_interpreter.execute().  It's saying things like, "oh hey this has to be an atomic string because we already did StringIdentUse filtering".  It's true that if you had run edge filtering first, then StringIdentUse would have filtered an abstract value containing a plain string to the empty abstract value (representing the fact that we would have always exited).  And that's exactly what happens inside AbstractInterpreter - the executeEffects() method that has the CheckIdent case runs after edge filtering, so the AbstractInterpreter sees an empty AbstractValue because the StringIdentUse filtered the non-ident string to the empty value.

The solution is to fix the constant folder to no longer assume that edge filtering already ran.  If it sees a constant value, it should verify that the constant value is valid (i.e. would have passed edge filtering, i.e. would have been an atomic string).

Probably just replacing:

ASSERT(impl->isAtomic());

with:

if (!impl->isAtomic())
    break;

would go a long way.

-- 
You are receiving this mail because:
You are the assignee for the bug.
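Added illustration (not WebKit code, and not part of the bug comment above): a toy C++ model of the phase-ordering problem Filip describes. The AbstractInterpreter runs edge filtering before executeEffects, so a plain-string constant under StringIdentUse has already collapsed to the empty abstract value by the time CheckIdent is evaluated; the constant folder runs on the unfiltered value and therefore sees the plain string. The names here (AtomicTable, AbstractValue, FoldResult, abstractInterpreterCheckIdent, constantFolderCheckIdent, the "length" uid) are constructed for this example and do not correspond to JSC's real classes; the original ASSERT is modelled as a WouldAssert result rather than an abort so the two folder variants can be exercised side by side.

```cpp
// Constructed example: toy model of DFG edge filtering vs. constant folding.
#include <cassert>
#include <map>
#include <memory>
#include <string>

// Minimal stand-in for a string impl: either atomic (interned, one instance
// per distinct content) or a plain heap string.
struct StringImpl {
    std::string value;
    bool atomic;
    bool isAtomic() const { return atomic; }
};

// Interning table: returns the single atomic instance for a given content.
struct AtomicTable {
    std::map<std::string, std::unique_ptr<StringImpl>> table;
    const StringImpl* atomize(const std::string& s) {
        auto it = table.find(s);
        if (it == table.end())
            it = table.emplace(s, std::make_unique<StringImpl>(StringImpl{s, true})).first;
        return it->second.get();
    }
};

// A plain (non-atomic) string constant, e.g. the result of a concatenation.
std::unique_ptr<StringImpl> makePlainString(const std::string& s) {
    return std::make_unique<StringImpl>(StringImpl{s, false});
}

// Abstract value of a node: unknown, a known constant, or empty (bottom: the
// node would always have exited).
struct AbstractValue {
    enum Kind { Unknown, Constant, Empty } kind = Unknown;
    const StringImpl* constant = nullptr;
};

// Edge filtering for StringIdentUse: a constant that is not an atomic string
// can never satisfy the use kind, so the abstract value collapses to Empty.
AbstractValue filterStringIdentUse(AbstractValue v) {
    if (v.kind == AbstractValue::Constant && !v.constant->isAtomic())
        return AbstractValue{AbstractValue::Empty, nullptr};
    return v;
}

enum class FoldResult { Folded, NotFolded, Exited, WouldAssert };

// CheckIdent as the AbstractInterpreter sees it: filtering runs first, so a
// plain-string constant is already Empty when the node is executed.
FoldResult abstractInterpreterCheckIdent(AbstractValue v, const StringImpl* uid) {
    v = filterStringIdentUse(v);
    if (v.kind == AbstractValue::Empty) return FoldResult::Exited;
    if (v.kind != AbstractValue::Constant) return FoldResult::NotFolded;
    return v.constant == uid ? FoldResult::Folded : FoldResult::NotFolded;
}

// CheckIdent in the constant folder, which does NOT run edge filtering.
// verifyAtomic=false models the original ASSERT(impl->isAtomic()), reported as
// WouldAssert instead of aborting; verifyAtomic=true models the proposed
// `if (!impl->isAtomic()) break;`, which simply declines to fold.
FoldResult constantFolderCheckIdent(AbstractValue v, const StringImpl* uid, bool verifyAtomic) {
    if (v.kind != AbstractValue::Constant) return FoldResult::NotFolded;
    const StringImpl* impl = v.constant;
    if (!impl->isAtomic())
        return verifyAtomic ? FoldResult::NotFolded : FoldResult::WouldAssert;
    // Atomic strings are unique per content, so identity is a pointer compare.
    return impl == uid ? FoldResult::Folded : FoldResult::NotFolded;
}

// Scenario from the bug: the constant is string-equal to the uid but is a
// plain string, so the interpreter exits while the unfixed folder asserts.
FoldResult plainStringScenario(bool fixedFolder) {
    AtomicTable table;
    const StringImpl* uid = table.atomize("length");  // constructed uid
    auto plain = makePlainString("length");
    AbstractValue v{AbstractValue::Constant, plain.get()};
    assert(abstractInterpreterCheckIdent(v, uid) == FoldResult::Exited);
    return constantFolderCheckIdent(v, uid, fixedFolder);
}

// Control: an atomic constant with the same identity folds in either folder.
FoldResult atomicStringScenario(bool fixedFolder) {
    AtomicTable table;
    const StringImpl* uid = table.atomize("length");
    AbstractValue v{AbstractValue::Constant, table.atomize("length")};
    assert(abstractInterpreterCheckIdent(v, uid) == FoldResult::Folded);
    return constantFolderCheckIdent(v, uid, fixedFolder);
}

int main() {
    assert(plainStringScenario(false) == FoldResult::WouldAssert);
    assert(plainStringScenario(true) == FoldResult::NotFolded);
    assert(atomicStringScenario(true) == FoldResult::Folded);
    return 0;
}
```

The point the model makes is the one in the comment: the invariant "impl is atomic" is established by edge filtering, not by CheckIdent itself, so a phase that does not run filtering must check it rather than assert it. Declining to fold is always safe; the node stays in the graph and exits at runtime exactly as the interpreter predicted.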