Bug 163314

Summary: Assertion failed under operationToLowerCase with a rope with zero length
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: JavaScriptCore    Assignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, gskachkov, jfbastien, joepeck, keith_miller, mark.lam, msaboff, oliver, saam, ticaiolima, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description          Flags
patch                mark.lam: review+
patch for landing    none

Description Joseph Pecoraro 2016-10-11 20:43:44 PDT
Summary:
Assertion failed under operationToLowerCase opening inspector²

Steps to Reproduce:
1. Get a debug build
2. Open inspector¹
3. Open inspector²
  => ASSERT

ASSERTION FAILED: length
Source/WTF/wtf/text/StringImpl.cpp(182) : static Ref<WTF::StringImpl> WTF::StringImpl::createUninitializedInternalNonEmpty(unsigned int, CharType *&) [CharType = unsigned char]
1   0x10ed908bd WTFCrash
2   0x10eddceb8 WTF::Ref<WTF::StringImpl> WTF::StringImpl::createUninitializedInternalNonEmpty<unsigned char>(unsigned int, unsigned char*&)
3   0x10eddda14 WTF::StringImpl::convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit(unsigned int)
4   0x10ee08b6d WTF::String::convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit(unsigned int) const
5   0x10e3000fa operationToLowerCase
6   0x48aabb23e3bf
7   0x48aabb23aa57
8   0x48aabb1cf352
9   0x48aabb22dd82
10  0x48aabb1c522c
11  0x48aabb189510
12  0x48aabb2020c6
13  0x48aabb2153ec
14  0x48aabb15bb20
15  0x48aabb17f001
16  0x10e9756ba llint_entry
17  0x10e975734 llint_entry
18  0x10e96e24e vmEntryToJavaScript
19  0x10e757429 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
20  0x10e6d6bbf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
21  0x10df3c538 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
22  0x10e7b26cd JSC::boundThisNoArgsFunctionCall(JSC::ExecState*)
23  0x48aabb0126e7
24  0x10e975b7c llint_entry
25  0x10e9756ba llint_entry
26  0x10e9756ba llint_entry
27  0x10e9756ba llint_entry
28  0x10e96e24e vmEntryToJavaScript
29  0x10e757429 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
30  0x10e6d6bbf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
31  0x10df3c538 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
Comment 1 Saam Barati 2016-10-11 21:10:49 PDT
*** Bug 163313 has been marked as a duplicate of this bug. ***
Comment 2 Joseph Pecoraro 2016-10-12 17:41:59 PDT
Caught in the debugger I can get the JavaScript frames:

(lldb) btjs
* thread #1: tid = 0x17c773, 0x000000010ed00804, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, addre?

    frame #0: 0x000000010ed00804 JavaScriptCore`::WTFCrash() + 36 at Assertions.cpp:323
    frame #1: 0x000000010ed4cdf8 JavaScriptCore`WTF::Ref<WTF::StringImpl> WTF::StringImpl::createUninitializedInternalNonEmpty<unsigned char>(length=0, data=<no value available>) + 72 at StringImpl.cpp:182
    frame #2: 0x000000010ed4d954 JavaScriptCore`WTF::StringImpl::convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit(this={ length = 0, is8bit = 1, contents = '' }, failingIndex=0) + 116 at StringImpl.cpp:429
    frame #3: 0x000000010ed78aad JavaScriptCore`WTF::String::convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit(this={ length = 0, contents = '' }, failingIndex=0) const + 93 at WTFString.cpp:365
    frame #4: 0x000000010e26fe1a JavaScriptCore`::operationToLowerCase(exec=0x00007fff57c30700, string=0x0000000122d540a0, failingIndex=0) + 266 at DFGOperations.cpp:1526
    frame #5: 0x00004550dae2c41f parseURL#CeJir5 [DFG](Cell[Window ID: 14469]: 0x11f75c0a0, "file:///Users/pecoraro/Build/Debug/WebInspectorUI.framework/Resources/Models/ResourceQueryMatch.js")
    frame #6: 0x00004550dae289ae _updateTitles#Cagyoq [DFG](Cell[Object ID: 12179]: 0x1262467e0)
    frame #7: 0x00004550dad8eeb3 _updateResource#BX7IA4 [Baseline](Cell[Object ID: 12179]: 0x1262467e0, Cell[Object ID: 12229]: 0x1262463c0)
    frame #8: 0x00004550dae21d02 ResourceTreeElement#BrPePF [DFG](<JSValue()>, Cell[Object ID: 12229]: 0x1262463c0)
    frame #9: 0x00004550dad8736c _addTreeElementForSourceCodeToTreeOutline#EYkdVP [Baseline](Cell[Object ID: 12240]: 0x122da7e60, Cell[Object ID: 12229]: 0x1262463c0, Cell[Object ID: 14708]: 0x122d62780)
    frame #10: 0x00004550dad705b0 _addResource#Ab2oND [Baseline](Cell[Object ID: 12240]: 0x122da7e60, Cell[Object ID: 12229]: 0x1262463c0)
    frame #11: 0x00004550dadc24a6 _resourceAdded#A1GokE [DFG](Cell[Object ID: 12240]: 0x122da7e60, Cell[Object ID: 11290]: 0x126225c20)
    frame #12: 0x00004550dae11502 dispatch#ALOGGc [DFG](Undefined, Cell[Function ID: 4013]: 0x120a339a0)
    frame #13: 0x00004550dad43d3c dispatchEventToListeners#B97qyR [DFG](Cell[Object ID: 12571]: 0x122d63640, "frame-resource-was-added", Cell[Object ID: 12072]: 0x1262465a0)
    frame #14: 0x00004550dad660a1 addResource#AvzKyY [Baseline](Cell[Object ID: 12571]: 0x122d63640, Cell[Object ID: 12229]: 0x1262463c0)
    frame #15: 0x000000010e8e561a _addFrameTreeFromFrameResourceTreePayload#Ar2abc [LLInt](Cell[Object ID: 14466]: 0x11f62b660, Cell[Object ID: 14336]: 0x122cd6b60, True)
    frame #16: 0x000000010e8e5694 _processMainFrameResourceTreePayload#AiF4sn [LLInt](Cell[Object ID: 14466]: 0x11f62b660, Null, Cell[Object ID: 14336]: 0x122cd6b60)
    frame #17: 0x000000010e8de1ae JavaScriptCore`vmEntryToJavaScript + 334 at LowLevelInterpreter64.asm:253
    frame #18: 0x000000010e6c7149 JavaScriptCore`JSC::JITCode::execute(this=0x0000000121656618, vm=0x000000011f5f2000, protoCallFrame=0x00007fff57c31120) + 329 at JITCode.cpp:81
    frame #19: 0x000000010e6468df JavaScriptCore`JSC::Interpreter::executeCall(this=0x000000011efc0b40, callFrame=0x00007fff57c313d0, function=0x0000000121b0ef20, callType=JS, callData=0x00007fff57c31320, thisValue=JSValue @ 0x00007fff57c31220, args=0x00007fff57c312e8) + 1215 at Interpreter.cpp:948
    frame #20: 0x000000010deac258 JavaScriptCore`JSC::call(exec=0x00007fff57c313d0, functionObject=JSValue @ 0x00007fff57c312a0, callType=JS, callData=0x00007fff57c31320, thisValue=JSValue @ 0x00007fff57c31298, args=0x00007fff57c312e8) + 184 at CallData.cpp:40
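The trace above ends in operationToLowerCase being handed a zero-length string that the WTF helper refuses to allocate for. The following is an added regression-style check written for this page; it is not the test that landed with the fix, and this page does not reproduce that test. It assumes that string concatenation inside JIT-compiled code is what yields the zero-length rope seen here, and that the inline ASCII loop hands non-ASCII input to the C++ slow path with a failing index (inferred from the `failingIndex` argument in frame #4). The jsc shell's `noInline` helper is stubbed so the same file also runs under node.

```javascript
// Added example, not the WebKit project's own test: drive
// String.prototype.toLowerCase on strings built by concatenation, including
// the all-empty case, inside a hot loop so a JIT tier compiles the callee.
// Assumption: concatenation in JIT-compiled code is what produces the
// zero-length rope in the trace. `noInline` exists only in the jsc shell;
// under node it becomes a no-op so the file still runs.

const noInline = typeof globalThis.noInline === "function"
    ? globalThis.noInline
    : (f) => f;

// The callee whose toLowerCase call is expected to get its own ToLowerCase node.
function lowerOf(s) {
    return s.toLowerCase();
}
noInline(lowerOf);

// Constructed pieces chosen so the concatenations cover: both empty
// (zero-length result), one side empty, ASCII only, Latin-1 non-ASCII
// (assumed to leave the inline ASCII loop with a failingIndex), and a
// 16-bit character (Cyrillic De) so the non-8-bit path is exercised too.
const PIECES = ["", "", "A", "Ab", "\u00c0\u00c9", "", "\u0414"];

// Build the i-th candidate. Pairing index k with 5*k mod 7 is a permutation
// of the seven pieces, and exactly two of every seven pairs are empty + empty.
function makeCandidate(i) {
    const a = PIECES[i % PIECES.length];
    const b = PIECES[(5 * i) % PIECES.length];
    return a + b; // the concatenation is the rope-producing operation
}

// Run `iterations` rounds; return how many zero-length inputs were lowered
// and throw if any result disagrees with a per-character reference.
function run(iterations) {
    let empties = 0;
    for (let i = 0; i < iterations; i++) {
        const s = makeCandidate(i);
        const lowered = lowerOf(s);
        // Reference built from one-character strings, so it never goes through
        // the rope path under test (no context-sensitive characters are used).
        let expected = "";
        for (const ch of s)
            expected += ch.toLowerCase();
        if (lowered !== expected)
            throw new Error(`mismatch at ${i}: ${JSON.stringify(lowered)} vs ${JSON.stringify(expected)}`);
        if (s.length === 0)
            empties++;
    }
    return empties; // run(7000) returns 2000
}
```

Run it with `jsc file.js` (a debug build, if the assumption about rope creation holds, is where an assertion like the one above would surface) or with `node file.js`; either way `run(7000)` returns 2000 once every candidate lowercases correctly.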
Comment 3 Saam Barati 2016-10-12 18:08:17 PDT
Created attachment 291432 [details]
patch
Comment 4 Mark Lam 2016-10-12 18:16:15 PDT
Comment on attachment 291432 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=291432&action=review

r=me

> JSTests/ChangeLog:3
> +        Assertion failed under operationToLowerCase opening inspector²

Please remove the non-ascii char.

> Source/JavaScriptCore/ChangeLog:3
> +        Assertion failed under operationToLowerCase opening inspector²

Fix non-ascii char.
Comment 5 Saam Barati 2016-10-14 10:18:55 PDT
Created attachment 291643 [details]
patch for landing
Comment 6 WebKit Commit Bot 2016-10-15 13:59:03 PDT
Comment on attachment 291643 [details]
patch for landing

Clearing flags on attachment: 291643

Committed r207377: <http://trac.webkit.org/changeset/207377>
Comment 7 WebKit Commit Bot 2016-10-15 13:59:08 PDT
All reviewed patches have been landed.  Closing bug.
Comment 8 Darin Adler 2016-10-15 14:29:58 PDT
Comment on attachment 291643 [details]
patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=291643&action=review

> Source/JavaScriptCore/dfg/DFGOperations.cpp:1526
> +    if (!inputString.length())

String has an isEmpty function; I normally assume we should always use that instead of checking length for 0 just in case we some day come up with a more efficient way to implement it. Unless we are also using the length.