<html>
    <head>
      <base href="https://bugs.webkit.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Crash in DFG::AbstractValue::checkConsistency()"
   href="https://bugs.webkit.org/show_bug.cgi?id=170751">170751</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Crash in DFG::AbstractValue::checkConsistency()
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>JavaScriptCore
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>jfbastien&#64;apple.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>fpizlo&#64;apple.com, jfbastien&#64;apple.com, keith_miller&#64;apple.com, mark.lam&#64;apple.com, msaboff&#64;apple.com, sbarati&#64;apple.com
          </td>
        </tr>

        <tr>
          <th>Depends on</th>
          <td>170628
          </td>
        </tr></table>
      <p>
        <div>
        <pre>A test I'm adding for <a class="bz_bug_link 
          bz_status_ASSIGNED "
   title="ASSIGNED - WebAssembly: manage memory better"
   href="show_bug.cgi?id=170628">bug #170628</a> is tripping an assertion failure in tip-of-tree (without my change, just this test). Older wasm memory code is broken so my repro disables fast memory (after #170628 it'll also repro, even with fast memory).

The crash isn't deterministic, only happens 1/10 times or so.

$ for i in `seq 1 1000`; do (cd ./JSTests/wasm/ &amp;&amp; JSC_useWebAssemblyFastMemory=0  ../../current-debug/bin/jsc -m ./function-tests/memory-multiagent.js  ); done
ASSERTION FAILED: mergeSpeculations(type, speculationFromValue(m_value)) == type
/Volumes/dev/wk/OpenSource/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp(510) : void JSC::DFG::AbstractValue::checkConsistency() const
1   0x103e83b7d WTFCrash
2   0x103217f99 JSC::DFG::AbstractValue::checkConsistency() const
3   0x1032b0b22 JSC::DFG::AbstractValue::observeInvalidationPoint()
4   0x1032ada25 JSC::DFG::AbstractValue::observeInvalidationPointFor(JSC::DFG::AbstractValue&amp;)
5   0x1032b0aec void JSC::DFG::AbstractInterpreter&lt;JSC::DFG::InPlaceAbstractState&gt;::forAllValues&lt;void (JSC::DFG::AbstractValue&amp;)&gt;(unsigned int, void (&amp;)(JSC::DFG::AbstractValue&amp;))::'lambda'(JSC::DFG::NodeFlowProjection)::operator()(JSC::DFG::NodeFlowProjection) const
6   0x1032b0a65 void JSC::DFG::NodeFlowProjection::forEach&lt;void JSC::DFG::AbstractInterpreter&lt;JSC::DFG::InPlaceAbstractState&gt;::forAllValues&lt;void (JSC::DFG::AbstractValue&amp;)&gt;(unsigned int, void (&amp;)(JSC::DFG::AbstractValue&amp;))::'lambda'(JSC::DFG::NodeFlowProjection)&gt;(JSC::DFG::Node*, void  const(&amp;)(JSC::DFG::AbstractValue&amp;))
7   0x1032ad83b void JSC::DFG::AbstractInterpreter&lt;JSC::DFG::InPlaceAbstractState&gt;::forAllValues&lt;void (JSC::DFG::AbstractValue&amp;)&gt;(unsigned int, void (&amp;)(JSC::DFG::AbstractValue&amp;))
8   0x1032aa172 JSC::DFG::AbstractInterpreter&lt;JSC::DFG::InPlaceAbstractState&gt;::executeEffects(unsigned int, JSC::DFG::Node*)
9   0x1035142f3 JSC::DFG::AbstractInterpreter&lt;JSC::DFG::InPlaceAbstractState&gt;::executeEffects(unsigned int)
10  0x103513eda JSC::DFG::SpeculativeJIT::compileCurrentBlock()
11  0x103514953 JSC::DFG::SpeculativeJIT::compile()
12  0x1033e7ec7 JSC::DFG::JITCompiler::compileBody()
13  0x1033ea91e JSC::DFG::JITCompiler::compile()
14  0x1034c1bef JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&amp;)
15  0x1034bef49 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&amp;, JSC::DFG::ThreadData*)
16  0x103619ab5 JSC::DFG::Worklist::ThreadBody::work()
17  0x103e88907 WTF::AutomaticThread::start(WTF::AbstractLocker const&amp;)::$_0::operator()() const
18  0x103e886ad void std::__1::__invoke_void_return_wrapper&lt;void&gt;::__call&lt;WTF::AutomaticThread::start(WTF::AbstractLocker const&amp;)::$_0&amp;&gt;(WTF::AutomaticThread::start(WTF::AbstractLocker const&amp;)::$_0&amp;&amp;&amp;)
19  0x103e884f9 std::__1::__function::__func&lt;WTF::AutomaticThread::start(WTF::AbstractLocker const&amp;)::$_0, std::__1::allocator&lt;WTF::AutomaticThread::start(WTF::AbstractLocker const&amp;)::$_0&gt;, void ()&gt;::operator()()
20  0x10350acca std::__1::function&lt;void ()&gt;::operator()() const
21  0x103ea73d7 WTF::threadEntryPoint(void*)
22  0x103ef0f81 WTF::wtfThreadEntryPoint(void*)
23  0x7fffa1bc9aab _pthread_body
24  0x7fffa1bc99f7 _pthread_body
25  0x7fffa1bc91fd thread_start
ASSERTION FAILED: mergeSpeculations(type, speculationFromValue(m_value)) == type</pre>
        </div>
      </p>

        <div id="referenced">
          <hr style="border: 1px dashed #969696">
          <b>Referenced Bugs:</b>
          <ul>
              <li>
                [<a class="bz_bug_link 
          bz_status_ASSIGNED "
   title="ASSIGNED - WebAssembly: manage memory better"
   href="https://bugs.webkit.org/show_bug.cgi?id=170628">Bug 170628</a>] WebAssembly: manage memory better
              </li>
          </ul>
        </div>
        <br>

    </body>
</html>