Bug 126219

Summary: js/dom/dfg-custom-getter-throw.html and js/dom/dfg-custom-getter-throw-inlined.html hit assertions after r161051
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, fpizlo, ggaren, mark.lam, oliver, webkit-bug-importer
Priority: P2 Keywords: InRadar, Regression
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 45994    
Attachments:
Description Flags
The version of js/dom/dfg-custom-getter-throw.html that reproduces the assertion failure none

Ryosuke Niwa
Reported 2013-12-24 12:34:24 PST
js/dom/dfg-custom-getter-throw.html and js/dom/dfg-custom-getter-throw-inlined.html have started hitting assertions after http://trac.webkit.org/changeset/161051 ASSERTION FAILED: exec == topCallFrame || exec == exec->lexicalGlobalObject()->globalExec() || exec == exec->vmEntryGlobalObject()->globalExec() /Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/runtime/VM.cpp(634) : JSC::JSValue JSC::VM::throwException(JSC::ExecState *, JSC::JSValue) 1 0x10da505b0 WTFCrash 2 0x10d9f14af JSC::VM::throwException(JSC::ExecState*, JSC::JSValue) 3 0x10f6cb39f WebCore::setDOMException(JSC::ExecState*, int) 4 0x10fbe6119 WebCore::JSXMLHttpRequest::responseText(JSC::ExecState*) const 5 0x10fbe0d3f WebCore::jsXMLHttpRequestResponseText(JSC::ExecState*, long long, long long, JSC::PropertyName) 6 0x3ed880e68ffa http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK2%20(Tests)/r161053%20(1201)/results.html
Attachments
The version of js/dom/dfg-custom-getter-throw.html that reproduces the assertion failure (834 bytes, text/html)
2013-12-24 12:53 PST, Ryosuke Niwa 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2013-12-24 12:36:05 PST
Looks like this is a fairly recent regression in JSC. I certainly did not encounter it at r158715, and reverting the WebCore code change in r161051 confirms that the assertion failure exists without the patch.
Ryosuke Niwa
Comment 2 2013-12-24 12:53:20 PST
Created attachment 219979 [details] The version of js/dom/dfg-custom-getter-throw.html that reproduces the assertion failure
Radar WebKit Bug Importer
Comment 3 2013-12-24 12:54:32 PST
<rdar://problem/15723849>
Ryosuke Niwa
Comment 4 2013-12-24 12:57:00 PST
Committed r161059: <http://trac.webkit.org/changeset/161059>
Ryosuke Niwa
Comment 5 2013-12-24 12:58:48 PST
Sorry, didn't mean to close this bug.
Mark Lam
Comment 6 2014-03-06 16:07:16 PST
Testing with a recent build (r165197), I don't see this issue manifest anymore. There also have been numerous changes and bug fixes in the area of exception handling and stack management since the time this bug was filed. Those changes appear to have resolved the issue. There doesn't seem to be anything left to do for this bug. Will close.
Alexey Proskuryakov
Comment 7 2014-03-06 17:47:05 PST
Mark, did you unskip the skipped tests?
Mark Lam
Comment 8 2014-03-06 18:25:36 PST
(In reply to comment #7) > Mark, did you unskip the skipped tests? They were already unskipped. See https://bugs.webkit.org/show_bug.cgi?id=126219#c4.
Note You need to log in before you can comment on or make changes to this bug.