[Webkit-unassigned] [Bug 216214] New: DFG ASSERTION FAILED: Value not defined in FTLLowerDFGToB3.cpp

bugzilla-daemon at webkit.org
Sat Sep 5 04:50:33 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=216214

            Bug ID: 216214
           Summary: DFG ASSERTION FAILED: Value not defined in
                    FTLLowerDFGToB3.cpp
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: zhunkibatu at gmail.com

Created attachment 408082

  --> https://bugs.webkit.org/attachment.cgi?id=408082&action=review

The minimal PoC

The following PoC causes a DFG ASSERTION FAILED in ../../Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp(17338) : JSC::FTL::LValue JSC::FTL::(anonymous namespace)::LowerDFGToB3::lowJSValue(JSC::DFG::Edge, JSC::DFG::OperandSpeculationMode)


function main() {
        const v1 = {};
        v1.p = {a: 42};

        const v3 = [1];
        v3.toString = [];
        if (!v3) {
                v4 = {
                        get v4(){
                                [...{v4 = 1.45}] = [];
                                v4.v4;
                        }
                }
        }

        for (const v5 of "asdf") {
            v1.b = 43;
        }

        const v4 = v1.p;

        let = String.fromCharCode("");
        for (let i = 0; i < 2; i++) {
            r = v4;
        }

}

for (let v0 = 0; v0 < 100000; v0++) {
        main();
}
