[Webkit-unassigned] [Bug 159603] REGRESSION(201900): validation failure for GetByOffset/PutByOffset in VALIDATE((node), node->child1().node() == node->child2().node() || node->child1()->result() == NodeResultStorage)

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=159603

--- Comment #1 from Filip Pizlo <fpizlo at apple.com> ---
This is what the IR actually looks like when we crash:

     2641:< 1:->    ValueRep(Check:DoubleRep:@858<Double>, JS|PureInt, Bytecodedouble, bc#9)
     889:<!0:->    CheckStructure(Check:Cell:@2641, MustGen, [%Ea:Object], R:JSCell_structureID, Exits, bc#9)
     2642:< 1:->    ValueRep(Check:DoubleRep:@858<Double>, JS|PureInt, Bytecodedouble, bc#9)
     2643:< 1:->    ValueRep(Check:DoubleRep:@858<Double>, JS|PureInt, Bytecodedouble, bc#9)
     890:< 1:->    GetByOffset(Check:KnownCell:@2642, Check:KnownCell:@2643, JS|PureInt|UseAsInt, Nonboolint32, id24{Ca}, 0, inferredType = Int32, R:NamedProperties(24), Exits, bc#9)  predicting Nonboolint32

We fail validation at the GetByOffset.  But the GetByOffset is dead anyway, and even if it wasn't, it would be OK to ignore the first child of the GetByOffset when doing analysis even if it was different from the second child.  Both children produce the same value!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160709/d956680b/attachment.html>