Bug 179185

Summary: REGRESSION(r224309): [WPE] ASSERTION FAILED: !m_needsOverflowCheck fires when starting WPE
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: buildbot, commit-queue, jfbastien, keith_miller, mark.lam, mcatanzaro, msaboff, saam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Other
Hardware: PC
OS: Linux
See Also: https://bugs.webkit.org/show_bug.cgi?id=179092
Bug Depends on:
Bug Blocks: 178894
Attachments:
  Full backtrace (flags: none)
  proposed patch. (flags: none)
  proposed patch. (flags: none)

Description Michael Catanzaro 2017-11-02 10:50:09 PDT
Created attachment 325734 [details]
Full backtrace

r224309 "Add support to throw OOM if MarkedArgumentBuffer may overflow" has caused WPE's MiniBrowser (dyz) to crash on start in debug mode on this assertion:

ASSERTION FAILED: !m_needsOverflowCheck
../../Source/JavaScriptCore/runtime/ArgList.h(55) : JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer()

Truncated backtrace (full backtrace attached):

#0  0x00007f0551670fcf in WTFCrash ()
    at ../../Source/WTF/wtf/Assertions.cpp:270
#1  0x00007f054e68caee in JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer (
    this=0x7ffd9c210038, __in_chrg=<optimized out>)
    at ../../Source/JavaScriptCore/runtime/ArgList.h:55
#2  0x00007f0551226322 in JSC::CachedCall::~CachedCall (this=0x7ffd9c20ffd0, 
    __in_chrg=<optimized out>)
    at ../../Source/JavaScriptCore/interpreter/CachedCall.h:38
#3  0x00007f0551216d63 in JSC::replaceUsingRegExpSearch (vm=..., 
    exec=0x7ffd9c210650, string=0x7f04e9d72060, searchValue=..., callData=..., 
    callType=<incomplete type>, replacementString=..., replaceValue=...)
    at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:674
#4  0x00007f0551217a41 in JSC::replaceUsingRegExpSearch (vm=..., 
    exec=0x7ffd9c210650, string=0x7f04e9d72060, searchValue=..., 
    replaceValue=...)
    at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:818
#5  0x00007f05512185d5 in JSC::stringProtoFuncReplaceUsingRegExp (
    exec=0x7ffd9c210650)
    at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:964
#6  0x00007f04fa7ff028 in ?? ()
#7  0x00007ffd9c2106f0 in ?? ()
#8  0x00007f0550ed7d23 in llint_entry ()
    at ../../Source/JavaScriptCore/runtime/PropertySlot.h:139
Backtrace stopped: frame did not save the PC

For some reason, the assertion only occurs for me with WPE, not GTK. At least for me. That's a bit surprising, though I have somewhat different build environments for both.
Comment 1 Mark Lam 2017-11-02 20:20:08 PDT
Created attachment 325831 [details]
proposed patch.
Comment 2 Build Bot 2017-11-02 20:23:06 PDT
Attachment 325831 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:1:  ChangeLog entry has no bug number  [changelog/bugnumber] [5]
Total errors found: 1 in 6 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Mark Lam 2017-11-02 20:24:37 PDT
Created attachment 325835 [details]
proposed patch.
Comment 4 JF Bastien 2017-11-02 21:17:04 PDT
Comment on attachment 325835 [details]
proposed patch.

r=me
Comment 5 WebKit Commit Bot 2017-11-03 09:03:11 PDT
Comment on attachment 325835 [details]
proposed patch.

Clearing flags on attachment: 325835

Committed r224399: <https://trac.webkit.org/changeset/224399>
Comment 6 WebKit Commit Bot 2017-11-03 09:03:12 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Michael Catanzaro 2017-11-03 15:16:40 PDT
Thanks Mark!
Comment 8 Radar WebKit Bug Importer 2017-11-15 12:22:30 PST
<rdar://problem/35567409>