[Webkit-unassigned] [Bug 215841] DFG ASSERTION FAILED: m_value.isNumber() in DFGAbstractValue.cpp

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 26 18:09:05 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=215841

Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fpizlo at apple.com,
                   |                            |keith_miller at apple.com,
                   |                            |mark.lam at apple.com,
                   |                            |sbarati at apple.com,
                   |                            |webkit-bug-importer at group.a
                   |                            |pple.com
            Summary|Assertion failure in        |DFG ASSERTION FAILED:
                   |DFGAbstractValue.cpp        |m_value.isNumber() in
                   |                            |DFGAbstractValue.cpp

--- Comment #1 from Alexey Proskuryakov <ap at webkit.org> ---
DFG ASSERTION FAILED: m_value.isNumber()
./dfg/DFGAbstractValue.cpp(133) : void JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph &, JSC::DFG::NodeFlags, JSC::DFG::Node *)
undefined
>>> 1   0x105130839 WTFCrash
2   0x10675fdbb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x105dd6532 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, unsigned int, JSC::DFG::Node*)
4   0x105dd6b83 JSC::DFG::AbstractValue::fixTypeForRepresentation(JSC::DFG::Graph&, JSC::DFG::Node*)
5   0x105390557 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setBuiltInConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue)
6   0x1053905dc JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::setConstant(JSC::DFG::Node*, JSC::DFG::FrozenValue)
7   0x105393556 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)::'lambda'(JSC::DFG::Edge&, JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&, JSC::DFG::Edge&) const
8   0x105385f83 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
9   0x105e9316a JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int)
10  0x105e916d6 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*)
11  0x105e91029 JSC::DFG::CFAPhase::performForwardCFA()
12  0x105e90cd6 JSC::DFG::CFAPhase::run()
13  0x105e907c4 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&)
14  0x105e5d7ab bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
15  0x105e5d775 JSC::DFG::performCFA(JSC::DFG::Graph&)
16  0x106168aa0 JSC::DFG::Plan::compileInThreadImpl()
17  0x106167348 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
18  0x1062236de JSC::DFG::Worklist::ThreadBody::work()
19  0x105145c73 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const
20  0x10514587e WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call()
21  0x1051578b2 WTF::Function<void ()>::operator()() const
22  0x1052055c8 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
23  0x105211568 WTF::wtfThreadEntryPoint(void*)
24  0x7fff6a51a109 _pthread_start
25  0x7fff6a515b8b thread_start
Segmentation fault: 11

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200827/326723cb/attachment-0001.htm>

More information about the webkit-unassigned mailing list