[Webkit-unassigned] [Bug 196176] New: ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Mar 23 04:19:18 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=196176

            Bug ID: 196176
           Summary: ASSERTION FAILED: m_op == CompareStrictEq in
                    JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::Frozen
                    Value *, JSC::DFG::Edge)
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Macintosh
                OS: macOS 10.14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tslsgogogo at gmail.com

>>> ASSERTION FAILED: m_op == CompareStrictEq
../../Source/JavaScriptCore/dfg/DFGNode.h(713) : void JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
1   0x10a9e6849 WTFCrash
2   0x109295dfb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x1099b4266 JSC::DFG::ConstantFoldingPhase::foldConstants(JSC::DFG::BasicBlock*)
4   0x1099aa646 JSC::DFG::ConstantFoldingPhase::run()
5   0x1099a44de bool JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::Graph&)
6   0x109b6fa7e JSC::DFG::Plan::compileInThreadImpl()
7   0x109b6de3d JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
8   0x109d8ffc9 JSC::DFG::Worklist::ThreadBody::work()
9   0x10a9eae29 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call()
10  0x10aa1b85a WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
11  0x10aad6edd WTF::wtfThreadEntryPoint(void*)
12  0x7fff7b0ba305 _pthread_body
13  0x7fff7b0bd26f _pthread_start
14  0x7fff7b0b9415 thread_start
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==61785==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010a9e684e bp 0x7000068f89f0 sp 0x7000068f89f0 T1709195)
==61785==The signal is caused by a WRITE memory access.
    #0 0x10a9e684d in WTFCrash Assertions.cpp:305

==61785==Register values:
rax = 0x00000000bbadbeef  rbx = 0x000000010accfcc1  rcx = 0x000000000007f702  rdx = 0x0000000000000004  
rdi = 0x000000010b28e544  rsi = 0x000000010c992000  rbp = 0x00007000068f89f0  rsp = 0x00007000068f89f0  
 r8 = 0x00000000000130a8   r9 = 0x0000000000000000  r10 = 0x00007fffadc9f048  r11 = 0x00007fffadc9f040  
r12 = 0x00007000068f8e20  r13 = 0x000000010dc735c8  r14 = 0x000000010acc4f8f  r15 = 0x0000000000000026  
UndefinedBehaviorSanitizer can not provide additional info.
==61785==ABORTING
Abort trap: 6

Poc:
function main() {
const v3 = [1337,1337,13.37,1337];
const v5 = [1337,13.37,1337,1337,1337,1337,13.37,1337,1337,1337];
const v8 = {getInt8:13.37};
const v9 = Object();
function v10(v11,v12,v13,v14) {
    for (const v15 of v5) {
        for (const v16 of v11) {
            let v18 = v8;
            do {
                const v20 = Object.is(0,v18);
                const v22 = ["name"];
                for (let v25 = 0; v25 < 100; v25++) {
                    const v26 = v25[100];
                }
                const v27 = v22 + 1;
                v18 = v27;
            } while (v18 < -9007199254740991);
        }
    }
}
const v28 = v10(v3,v9);
}
noDFG(main);
noFTL(main);
main();

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190323/fcd5bb5e/attachment-0001.html>

More information about the webkit-unassigned mailing list