[Webkit-unassigned] [Bug 149965] REGRESSION: ASSERT (impl->isAtomic()) @ facebook.com

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Oct 10 22:41:09 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=149965

Yusuke Suzuki <utatane.tea at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|webkit-unassigned at lists.web |utatane.tea at gmail.com
                   |kit.org                     |

--- Comment #3 from Yusuke Suzuki <utatane.tea at gmail.com> ---
(In reply to comment #2)
> (In reply to comment #1)
> > I debugged this a little.
> > 
> > In the crashing case, the AbstractInterpreter executes CheckIdent and *does
> > not* find a constant. Then, the DFGConstantFoldingPhase executes CheckIdent
> > and *does* find a constant. The DFGConstantFoldingPhase constant is string
> > equal to the uid expected by CheckIdent, but it is a plain string and not an
> > atomic string.
> 
> It's more subtle than that.
> 
> The constant folding phase code is assuming that it is running after
> m_interpreter.execute().  It's saying things like, "oh hey this has to be an
> atomic string because we already did StringIdentUse filtering".  It's true
> that if you had run edge filtering first, then StringIdentUse would have
> filtered an abstract value containing a plain string to the empty abstract
> value (representing the fact that we would have always exited).  And that's
> exactly what happens inside AbstractInterpreter - the executeEffects()
> method that has the CheckIdent case runs after edge filtering, so the
> AbstractInterpreter sees an empty AbstractValue because the StringIdentUse
> filtered the non-ident string to the empty value.
> 
> The solution is to fix the constant folder to no longer assume that edge
> filtering already ran.  If it sees a constant value, it should verify that
> the constant value is valid (i.e. would have passed edge filtering, i.e.
> would have been an atomic string).
> 
> Probably just replacing:
> 
> ASSERT(impl->isAtomic());
> 
> with:
> 
> if (!impl->isAtomic())
>     break;
> 
> would go a long way.

-- 
You are receiving this mail because:
You are the assignee for the bug.
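The ordering assumption described in comment #2 is easy to see in miniature. The following is an added illustration written for this page, not WebKit's own DFG code: `StringImpl`, `AbstractValue`, the edge filter, the two fold routines and the "displayName" identifier are all constructed stand-ins. It models CheckIdent folding twice, once as the code stood (asserting that a constant string is atomic because StringIdentUse filtering "must" have run) and once with the proposed replacement, then runs both with and without the edge filter applied first. A release ASSERT is represented by the `AssertionFailed` result instead of a crash so that every path returns a value.

```cpp
#include <cassert>
#include <string>

// Constructed stand-in for WebKit's StringImpl: characters plus an "atomic" flag.
// Atomic strings are uniqued in a table, so two atomic strings with the same
// characters are the same object; CheckIdent relies on that pointer identity.
struct StringImpl {
    std::string chars;
    bool atomic;
    bool isAtomic() const { return atomic; }
};

// Constructed stand-in for a DFG AbstractValue: a known constant, no known
// constant, or "empty" (the node can only be reached after exiting).
struct AbstractValue {
    const StringImpl* constant = nullptr;
    bool empty = false;
};

// Edge filtering for a StringIdentUse edge: a constant that is not an atomic
// string cannot pass the edge, so the abstract value collapses to empty.
void filterStringIdentUse(AbstractValue& value) {
    if (value.constant && !value.constant->isAtomic()) {
        value.constant = nullptr;
        value.empty = true;
    }
}

enum class FoldResult { NotFolded, Folded, WouldExit, AssertionFailed };

// "Before": folding code that assumes edge filtering already ran. Handed a
// plain (non-atomic) string constant, the ASSERT fires; modelled here as a
// return value rather than a crash.
FoldResult foldCheckIdentAssumingFiltered(const AbstractValue& value, const StringImpl* expectedUid) {
    if (value.empty)
        return FoldResult::WouldExit;
    const StringImpl* impl = value.constant;
    if (!impl)
        return FoldResult::NotFolded;
    if (!impl->isAtomic())
        return FoldResult::AssertionFailed; // ASSERT(impl->isAtomic()) in the bug report
    return impl == expectedUid ? FoldResult::Folded : FoldResult::WouldExit;
}

// "After": the change comment #2 proposes. A non-atomic constant is not a
// valid input for this fold, so the fold is skipped (the 'break' in the
// original switch) instead of asserting that it cannot happen.
FoldResult foldCheckIdentChecked(const AbstractValue& value, const StringImpl* expectedUid) {
    if (value.empty)
        return FoldResult::WouldExit;
    const StringImpl* impl = value.constant;
    if (!impl)
        return FoldResult::NotFolded;
    if (!impl->isAtomic())
        return FoldResult::NotFolded;
    return impl == expectedUid ? FoldResult::Folded : FoldResult::WouldExit;
}

// Folds CheckIdent over a plain-string constant, either applying edge filtering
// first (as AbstractInterpreter::executeEffects does) or not (as the constant
// folding phase does in the crashing case).
FoldResult runPlainStringScenario(bool filterFirst, bool useCheckedFold) {
    static const StringImpl uid{"displayName", /*atomic*/ true};    // constructed uid
    static const StringImpl plain{"displayName", /*atomic*/ false}; // same chars, not atomic
    AbstractValue value;
    value.constant = &plain;
    if (filterFirst)
        filterStringIdentUse(value);
    return useCheckedFold ? foldCheckIdentChecked(value, &uid)
                          : foldCheckIdentAssumingFiltered(value, &uid);
}

// Atomic constant identical to the expected uid: the check folds away.
FoldResult runAtomicMatchScenario() {
    static const StringImpl uid{"displayName", /*atomic*/ true};
    AbstractValue value;
    value.constant = &uid;
    return foldCheckIdentChecked(value, &uid);
}

int main() {
    // With filtering first, both folders see an empty value and report WouldExit.
    assert(runPlainStringScenario(true, false) == FoldResult::WouldExit);
    assert(runPlainStringScenario(true, true) == FoldResult::WouldExit);
    // Without filtering, the assuming version hits its ASSERT; the checked one skips the fold.
    assert(runPlainStringScenario(false, false) == FoldResult::AssertionFailed);
    assert(runPlainStringScenario(false, true) == FoldResult::NotFolded);
    assert(runAtomicMatchScenario() == FoldResult::Folded);
    return 0;
}
```

The general lesson is the one the comment states: a phase that consumes a value must validate it against the use kind itself rather than assert that an earlier phase already did, because phase ordering is an invariant of the pipeline, not of the value.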