Bug 262181

Summary:	[JSC][armv7] Assertion failure in dfg NewMap/NewSet implementations
Product:	WebKit	Reporter:	Joseph Griego <joseph.j.griego>
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Joseph Griego

Reported 2023-09-27 06:30:25 PDT

e.g. ``` stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js.default: ASSERTION FAILED: JSMap::BucketType::offsetOfKey() + 8 == JSMap::BucketType::offsetOfValue() stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js.default: /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(11937) : void JSC::DFG::SpeculativeJIT::compileNewMap(JSC::DFG::Node*) ``` These assertions aren't true on 32-bit and rather than make them portable, I think it makes sense to sink them into the `if CPU(ARM64)` block where they're needed anyways.

Attachments
Add attachment proposed patch, testcase, etc.

Joseph Griego

Comment 1 2023-09-27 06:31:35 PDT

Pull request: https://github.com/WebKit/WebKit/pull/18276

EWS

Comment 2 2023-09-27 11:38:13 PDT

Committed 268525@main (77e6461ff053): <https://commits.webkit.org/268525@main> Reviewed commits have been landed. Closing PR #18276 and removing active labels.

Radar WebKit Bug Importer

Comment 3 2023-09-27 11:39:19 PDT

<rdar://problem/116133577>

Note You need to log in before you can comment on or make changes to this bug.