273048 2024-04-21 13:35:04 -0700 REGRESSION(277770@main): [Mac WK1, GTK, WPE, Win] ASSERTION FAILED: v <= 0 under MacroAssemblerX86Common::sub32 2024-04-23 14:03:40 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=272901 InRadar P2 Normal --- 1 fujii d_degazio d_degazio j_stfleur qbtly201 vitaly webkit-bug-importer oldest_to_newest 2030108 0 fujii 2024-04-21 13:35:04 -0700 Mac WK1, GTK, WPE and Win Debug are crashing due to an assertion failure Buildbot: builder Apple-Ventura-Debug-WK1-Tests build 5364 : 277774@main https://build.webkit.org/#/builders/703/builds/5364 https://build.webkit.org/results/Apple-Ventura-Debug-WK1-Tests/277774@main%20(5364)/accessibility/accessibility-node-reparent-crash-log.txt ASSERTION FAILED: v <= 0 /Volumes/Data/worker/Apple-Ventura-Debug-Build/build/WebKitBuild/Debug/usr/local/include/wtf/MathExtras.h(787) : typename std::enable_if_t<std::is_integral_v<T> && std::is_signed_v<T>, std::make_unsigned_t<T>> WTF::negate(T) [T = int] 2030109 1 fujii 2024-04-21 13:35:17 -0700 https://build.webkit.org/results/GTK-Linux-64-bit-Debug-Tests/277774@main%20(13031)/accessibility/accessibility-node-memory-management-stderr.txt ASSERTION FAILED: v <= 0 /app/webkit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/MathExtras.h(787) : constexpr std::enable_if_t<(is_integral_v<T> && is_signed_v<T>), typename std::make_unsigned<_Tp>::type> WTF::negate(T) [with T = int; std::enable_if_t<(is_integral_v<T> && is_signed_v<T>), typename std::make_unsigned<_Tp>::type> = unsigned int; typename std::make_unsigned<_Tp>::type = unsigned int] 1 0x7f3a1f387422 WTFCrash 2 0x7f3a1cf08b0a WTF::isIntegralOrPointerType() 3 0x7f3a1e29322e std::enable_if<(is_integral_v<int>)&&(is_signed_v<int>), std::make_unsigned<int>::type>::type WTF::negate<int>(int) 4 0x7f3a1ed8c67e JSC::MacroAssemblerX86Common::sub32(JSC::X86Registers::RegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::TrustedImm32, JSC::X86Registers::RegisterID) 5 0x7f3a1f221a36 JSC::MacroAssembler::sub32(JSC::X86Registers::RegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::Imm32, JSC::X86Registers::RegisterID) 6 0x7f3a1f239e97 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::generate() 7 0x7f3a1f22ea97 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile(JSC::Yarr::YarrCodeBlock&) 8 0x7f3a1f22aed1 JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, WTF::StringView, JSC::Yarr::CharSize, std::optional<WTF::StringView>, JSC::VM*, JSC::Yarr::YarrCodeBlock&, JSC::Yarr::JITCompileMode) 9 0x7f3a1ec07b2c JSC::RegExp::compile(JSC::VM*, JSC::Yarr::CharSize, std::optional<WTF::StringView>) 10 0x7f3a1dadaf59 JSC::RegExp::compileIfNecessary(JSC::VM&, JSC::Yarr::CharSize, std::optional<WTF::StringView>) 11 0x7f3a1ec0e30f int JSC::RegExp::matchInline<WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, (JSC::Yarr::MatchFrom)0>(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, unsigned int, WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) 12 0x7f3a1ec07cf5 JSC::RegExp::match(JSC::JSGlobalObject*, WTF::String const&, unsigned int, WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) 13 0x7f3a1ec17be0 JSC::RegExpGlobalData::performMatch(JSC::JSGlobalObject*, JSC::RegExp*, JSC::JSString*, WTF::String const&, int, int**) 14 0x7f3a1ec5c6d9 replaceUsingRegExpSearch 15 0x7f3a1ec5e175 replaceUsingRegExpSearch 16 0x7f3a1ec5ef7d stringProtoFuncReplaceUsingRegExp 17 0x7f39c9208038 ??? WebKitWebProcess terminated (pid 2422) for reason: crash 2030110 2 fujii 2024-04-21 13:35:27 -0700 https://build.webkit.org/results/WinCairo-64-bit-Debug-Tests/277774@main%20(22418)/animations/3d/transform-origin-vs-functions-crash-log.txt ASSERTION FAILED: v <= 0 C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf/MathExtras.h(787) : negate 1 00007FF8F53D1CA9 WTFCrash 2 00007FF8E4E4D22D WTFCrashWithInfo 3 00007FF8E5CC53BB WTF::negate<int> 4 00007FF8E6BE83A8 JSC::MacroAssemblerX86Common::sub32 5 00007FF8E6BDE08A JSC::MacroAssembler::sub32 6 00007FF8E6BD2E2D JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::generate 7 00007FF8E6BACC84 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile 8 00007FF8E6BA90EF JSC::Yarr::jitCompile 9 00007FF8E66FCD53 JSC::RegExp::compile 10 00007FF8E577CB70 JSC::RegExp::compileIfNecessary 11 00007FF8E67057BA JSC::RegExp::matchInline<WTF::Vector<int,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>,0> 12 00007FF8E66FCFEE JSC::RegExp::match 13 00007FF8E671E224 JSC::RegExpGlobalData::performMatch 14 00007FF8E6718D4D JSC::genericSplit<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\RegExpPrototype.cpp:575:9',`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\RegExpPrototype.cpp:580:9'> 15 00007FF8E67182A1 JSC::regExpProtoFuncSplitFast 16 000002130000119E (null) 2030125 3 fujii 2024-04-21 19:24:10 -0700 Pull request: https://github.com/WebKit/WebKit/pull/27569 2030277 4 webkit-bug-importer 2024-04-22 11:17:44 -0700 <rdar://problem/126872453> 2030332 5 d_degazio 2024-04-22 13:44:09 -0700 Stealing this, let's just make WTF::negate work for signed numbers. 2030349 6 d_degazio 2024-04-22 14:09:04 -0700 Pull request: https://github.com/WebKit/WebKit/pull/27598 2030366 7 fujii 2024-04-22 14:56:06 -0700 *** Bug 273066 has been marked as a duplicate of this bug. *** 2030555 8 ap 2024-04-23 08:57:04 -0700 *** Bug 273120 has been marked as a duplicate of this bug. *** 2030598 9 ews-feeder 2024-04-23 11:51:03 -0700 Committed 277883@main (884c93a89477): <https://commits.webkit.org/277883@main> Reviewed commits have been landed. Closing PR #27598 and removing active labels. 2030675 10 ryanhaddad 2024-04-23 14:03:40 -0700 *** Bug 273081 has been marked as a duplicate of this bug. ***