Bug 126219

Summary: js/dom/dfg-custom-getter-throw.html and js/dom/dfg-custom-getter-throw-inlined.html hit assertions after r161051
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, fpizlo, ggaren, mark.lam, oliver, webkit-bug-importer
Priority: P2
Keywords: InRadar, Regression
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 45994
Attachments:
Description: The version of js/dom/dfg-custom-getter-throw.html that reproduces the assertion failure
Flags: none

Description Ryosuke Niwa 2013-12-24 12:34:24 PST
js/dom/dfg-custom-getter-throw.html
and
js/dom/dfg-custom-getter-throw-inlined.html
have started hitting assertions after http://trac.webkit.org/changeset/161051

ASSERTION FAILED: exec == topCallFrame || exec == exec->lexicalGlobalObject()->globalExec() || exec == exec->vmEntryGlobalObject()->globalExec()
/Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/runtime/VM.cpp(634) : JSC::JSValue JSC::VM::throwException(JSC::ExecState *, JSC::JSValue)
1   0x10da505b0 WTFCrash
2   0x10d9f14af JSC::VM::throwException(JSC::ExecState*, JSC::JSValue)
3   0x10f6cb39f WebCore::setDOMException(JSC::ExecState*, int)
4   0x10fbe6119 WebCore::JSXMLHttpRequest::responseText(JSC::ExecState*) const
5   0x10fbe0d3f WebCore::jsXMLHttpRequestResponseText(JSC::ExecState*, long long, long long, JSC::PropertyName)
6   0x3ed880e68ffa

http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK2%20(Tests)/r161053%20(1201)/results.html
Comment 1 Ryosuke Niwa 2013-12-24 12:36:05 PST
Looks like this is a fairly recent regression in JSC.

I certainly did not encounter it at r158715, and reverting the WebCore code change in r161051 confirms that the assertion failure exists without the patch.
Comment 2 Ryosuke Niwa 2013-12-24 12:53:20 PST
Created attachment 219979
The version of js/dom/dfg-custom-getter-throw.html that reproduces the assertion failure
Comment 3 Radar WebKit Bug Importer 2013-12-24 12:54:32 PST
<rdar://problem/15723849>
Comment 4 Ryosuke Niwa 2013-12-24 12:57:00 PST
Committed r161059: <http://trac.webkit.org/changeset/161059>
Comment 5 Ryosuke Niwa 2013-12-24 12:58:48 PST
Sorry, didn't mean to close this bug.
Comment 6 Mark Lam 2014-03-06 16:07:16 PST
Testing with a recent build (r165197), I don't see this issue manifest anymore.  There also have been numerous changes and bug fixes in the area of exception handling and stack management since the time this bug was filed.  Those changes appear to have resolved the issue. 

There doesn't seem to be anything left to do for this bug.  Will close.
Comment 7 Alexey Proskuryakov 2014-03-06 17:47:05 PST
Mark, did you unskip the skipped tests?
Comment 8 Mark Lam 2014-03-06 18:25:36 PST
(In reply to comment #7)
> Mark, did you unskip the skipped tests?

They were already unskipped.  See https://bugs.webkit.org/show_bug.cgi?id=126219#c4.