Bug 173033

Summary: RELEASE_ASSERT(static_cast<size_t>(enumerationValue) < WTF_ARRAY_LENGTH(values)) hit in convertEnumerationToJS<WebCore::History::ScrollRestoration>()
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: WebKit2
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, ggaren, joepeck, mark.lam, simon.fraser, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 173267
Bug Blocks:
Attachments:
  Patch (flags: none)
  Patch (flags: none)

Description Chris Dumez 2017-06-06 14:21:16 PDT
RELEASE_ASSERT(static_cast<size_t>(enumerationValue) < WTF_ARRAY_LENGTH(values)) hit in convertEnumerationToJS<WebCore::History::ScrollRestoration>():
Thread[0]
[  0] 0x0000000188a1b424 WebCore`JSC::JSString* WebCore::convertEnumerationToJS<WebCore::History::ScrollRestoration>(JSC::ExecState&, WebCore::History::ScrollRestoration) + 228 at JSHistory.cpp:47:5
[  1] 0x0000000188a1beef WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::JSConverter<WebCore::IDLEnumeration<WebCore::History::ScrollRestoration> >::convert(JSC::ExecState&, WebCore::History::ScrollRestoration) + 7 at JSDOMConvertEnumeration.h:65:16
[  1] 0x0000000188a1bee8 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::JSConverterOverloader<WebCore::IDLEnumeration<WebCore::History::ScrollRestoration>, true, false>::convert<WebCore::History::ScrollRestoration>(JSC::ExecState&, WebCore::History::ScrollRestoration&&) + 4 at JSDOMConvertBase.h:106
[  1] 0x0000000188a1bee4 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::toJS<WebCore::IDLEnumeration<WebCore::History::ScrollRestoration>, WebCore::History::ScrollRestoration>(JSC::ExecState&, WebCore::History::ScrollRestoration&&) at JSDOMConvertBase.h:135
[  1] 0x0000000188a1bee4 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::toJS<WebCore::IDLEnumeration<WebCore::History::ScrollRestoration>, WebCore::History::ScrollRestoration>(JSC::ExecState&, JSC::ThrowScope&, WebCore::ExceptionOr<WebCore::History::ScrollRestoration>&&) + 8 at JSDOMConvertBase.h:150
[  1] 0x0000000188a1bedc WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::jsHistoryScrollRestorationGetter(JSC::ExecState&, WebCore::JSHistory&, JSC::ThrowScope&) + 12 at JSHistory.cpp:232
[  1] 0x0000000188a1bed0 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] long long WebCore::IDLAttribute<WebCore::JSHistory>::get<&(WebCore::jsHistoryScrollRestorationGetter(JSC::ExecState&, WebCore::JSHistory&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, long long, char const*) + 120 at JSDOMAttribute.h:65
[  1] 0x0000000188a1be58 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) + 20 at JSHistory.cpp:238
[  2] 0x000000018750a7f7 JavaScriptCore`::llint_slow_path_get_by_id(JSC::ExecState *, JSC::Instruction *) [inlined] JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 83 at PropertySlot.h:386:12
[  2] 0x000000018750a7a4 JavaScriptCore`::llint_slow_path_get_by_id(JSC::ExecState *, JSC::Instruction *) [inlined] JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 680 at JSCJSValueInlines.h:799
[  2] 0x000000018750a4fc JavaScriptCore`::llint_slow_path_get_by_id(JSC::ExecState *, JSC::Instruction *) + 196 at LLIntSlowPaths.cpp:657
[  3] 0x0000000187beb1af JavaScriptCore`llint_entry + 10543
[  4] 0x0000000187bef1af JavaScriptCore`llint_entry + 26927
Comment 1 Chris Dumez 2017-06-06 14:21:31 PDT
<rdar://problem/32591099>
Comment 2 Chris Dumez 2017-06-06 14:44:47 PDT
Created attachment 312122 [details]
Patch
Comment 3 Simon Fraser (smfr) 2017-06-06 14:50:59 PDT
Comment on attachment 312122 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=312122&action=review

> Source/WebKit2/Shared/SessionState.h:100
> +    float pageScaleFactor { 1.0 };
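Review bot: `float pageScaleFactor { 1.0 };` picks 1 as the in-class default, but the history code treats pageScaleFactor == 0 as "do not restore page scale", so a SessionState that is never populated would now request a scale restore of 1 instead of no restore; use 0 to match the HistoryItem default, and add a one-line comment on the member recording that 0 is the sentinel so the next reader does not "fix" it back to 1.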

We use pageScaleFactor = 0 to indicate "don't restore page scale" in history code, so I don't know if this 1 is correct.
Comment 4 Chris Dumez 2017-06-06 14:52:37 PDT
Comment on attachment 312122 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=312122&action=review

>> Source/WebKit2/Shared/SessionState.h:100
>> +    float pageScaleFactor { 1.0 };
> 
> We use pageScaleFactor = 0 to indicate "don't restore page scale" in history code, so I don't know if this 1 is correct.

This will always be overridden in practice, so it likely does not change behavior at the moment. However, given the default value in HistoryItem, I agree it makes more sense to use 0 here.
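Added example, not code from the WebKit tree: the crash in the description is the RELEASE_ASSERT in convertEnumerationToJS rejecting an enumerator that does not index the IDL string table, and the patch discussed above fixes it by giving the SessionState members in-class default initializers. The block below reproduces both halves in miniature. The enumerator names (Auto, Manual), the member name shouldRestoreScrollPosition, the struct names and the RELEASE_ASSERT_LIKE / arrayLength stand-ins are assumptions made for the example; the 0 == "do not restore page scale" convention is taken from the thread.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Stand-in for WTF's RELEASE_ASSERT (assumed name): aborts in every build type.
#define RELEASE_ASSERT_LIKE(cond)                                              \
    do {                                                                       \
        if (!(cond)) {                                                         \
            std::fprintf(stderr, "release assert failed: %s\n", #cond);        \
            std::abort();                                                      \
        }                                                                      \
    } while (0)

// Stand-in for WTF_ARRAY_LENGTH (assumed name).
template <typename T, size_t N>
constexpr size_t arrayLength(const T (&)[N]) { return N; }

// Miniature of History::ScrollRestoration; enumerator names are assumed.
enum class ScrollRestoration : uint8_t { Auto, Manual };

// IDL string values, indexed by the enumerator's integer value.
static const char* const scrollRestorationValues[] = { "auto", "manual" };

// The range check the crashing RELEASE_ASSERT performs, exposed on its own so
// deserialized or otherwise untrusted state can be validated without aborting.
bool isValidScrollRestoration(ScrollRestoration value)
{
    return static_cast<size_t>(value) < arrayLength(scrollRestorationValues);
}

// Miniature of convertEnumerationToJS: assert before indexing, so an
// out-of-range enumerator aborts instead of reading past the string table.
const char* convertScrollRestorationToString(ScrollRestoration value)
{
    RELEASE_ASSERT_LIKE(isValidScrollRestoration(value));
    return scrollRestorationValues[static_cast<size_t>(value)];
}

// "Before": no default member initializers. A default-constructed instance
// (e.g. `PageStateWithoutDefaults state;`) leaves both members indeterminate,
// and an indeterminate enum is exactly what trips the assert above.
struct PageStateWithoutDefaults {
    float pageScaleFactor;
    ScrollRestoration shouldRestoreScrollPosition;
};

// "After": every member has an in-class initializer, so every construction
// path yields a defined value. pageScaleFactor uses 0, the history code's
// "do not restore page scale" sentinel discussed in the review.
struct PageStateWithDefaults {
    float pageScaleFactor { 0 }; // 0 == do not restore page scale
    ScrollRestoration shouldRestoreScrollPosition { ScrollRestoration::Auto };
};

// Decoding a byte that arrived from serialized session state: validate the
// candidate and fall back to a safe default instead of trusting the cast.
ScrollRestoration scrollRestorationFromByte(uint8_t raw, bool& ok)
{
    ScrollRestoration candidate = static_cast<ScrollRestoration>(raw);
    ok = isValidScrollRestoration(candidate);
    return ok ? candidate : ScrollRestoration::Auto;
}

int main()
{
    bool ok = false;
    ScrollRestoration decoded = scrollRestorationFromByte(0x7f, ok);
    std::printf("raw 0x7f valid: %s, decoded as \"%s\"\n", ok ? "yes" : "no",
        convertScrollRestorationToString(decoded));
    PageStateWithDefaults state;
    std::printf("default pageScaleFactor: %g\n", state.pageScaleFactor);
    return 0;
}
```

The conversion keeps the release assert, since reading past the table would be a memory-safety bug; the separate validity check is what the deserialization path should call so that corrupt or stale session state degrades to a default rather than a process abort.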
Comment 5 Chris Dumez 2017-06-06 14:53:18 PDT
Created attachment 312124 [details]
Patch
Comment 6 WebKit Commit Bot 2017-06-06 16:31:29 PDT
Comment on attachment 312124 [details]
Patch

Clearing flags on attachment: 312124

Committed r217867: <http://trac.webkit.org/changeset/217867>
Comment 7 WebKit Commit Bot 2017-06-06 16:31:31 PDT
All reviewed patches have been landed.  Closing bug.