[Webkit-unassigned] [Bug 228839] New: Assertion failure when checking array in DFG (32 bits)
bugzilla-daemon at webkit.org
Thu Aug 5 12:40:25 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=228839
Bug ID: 228839
Summary: Assertion failure when checking array in DFG (32 bits)
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mikhail at igalia.com
Created attachment 435014
--> https://bugs.webkit.org/attachment.cgi?id=435014&action=review
Testcase
The failure:
ASSERTION FAILED: typeFilterFor(node->child1().useKind()) & SpecEmpty
../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(861) : void JSC::DFG::SpeculativeJIT::checkArray(JSC::DFG::Node*)
Aborted
It happens because on 32 bits the empty value doesn't pass the cell check. From SpeculatedType.h:
static constexpr SpeculatedType SpecCellCheck = is64Bit() ? (SpecCell | SpecEmpty) : SpecCell;
So when we reach the assertion, SpecEmpty is not set.
There is no assertion failure when running jsc in release mode.