Bug 196305

Summary: Assertion failed at Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:278
Product: WebKit Reporter: Suyoung Lee <sevendays37>
Component: JavaScriptCoreAssignee: Tadeu Zagallo <tzagallo>
Status: REOPENED    
Severity: Normal CC: commit-queue, ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, ryanhaddad, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=196089
Attachments:
Description Flags
Patch none

Suyoung Lee
Reported 2019-03-27 10:47:44 PDT
The debug build of JavaScriptCore failed assertion at Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:278. PoC: const var_1 = 'a'.padStart(2147483648 - 1); new var_1(); Commit: 6369975 OS: Ubuntu 18.04.1 LTS Arch: x86_64
Attachments
Patch (3.04 KB, patch)
2019-03-29 05:03 PDT, Tadeu Zagallo 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2019-03-28 11:13:36 PDT
JSObject* createError(ExecState* exec, JSValue value, const String& message, ErrorInstance::SourceAppender appender) { VM& vm = exec->vm(); auto scope = DECLARE_CATCH_SCOPE(vm); String valueDescription = errorDescriptionForValue(exec, value); ASSERT(scope.exception() || !!valueDescription); // Line 278
Alexey Proskuryakov
Comment 2 2019-03-28 11:13:57 PDT
Sorry, didn't mean to mark this one as invalid.
Alexey Proskuryakov
Comment 3 2019-03-28 11:20:19 PDT
Test crashes shipping Safari: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x00007fff3f8b6edf JSC::errorDescriptionForValue(JSC::ExecState*, JSC::JSValue) + 559 1 com.apple.JavaScriptCore 0x00007fff3f8b72f5 JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) + 53 2 com.apple.JavaScriptCore 0x00007fff3ef0e9e8 JSC::createNotAConstructorError(JSC::ExecState*, JSC::JSValue) + 56 3 com.apple.JavaScriptCore 0x00007fff3f7776cb JSC::LLInt::setUpCall(JSC::ExecState*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 187 4 com.apple.JavaScriptCore 0x00007fff3f13ea8f llint_entry + 63468
Radar WebKit Bug Importer
Comment 4 2019-03-28 11:20:34 PDT
<rdar://problem/49387382>
Tadeu Zagallo
Comment 5 2019-03-29 05:03:22 PDT
Created attachment 366267 [details] Patch
WebKit Commit Bot
Comment 6 2019-03-29 14:54:00 PDT
Comment on attachment 366267 [details] Patch Clearing flags on attachment: 366267 Committed r243665: <https://trac.webkit.org/changeset/243665>
WebKit Commit Bot
Comment 7 2019-03-29 14:54:02 PDT
All reviewed patches have been landed. Closing bug.
Ryan Haddad
Comment 8 2019-04-05 17:05:37 PDT
Reverted r243665 for reason: Caused iOS JSC tests to exit with an exception. Committed r243955: <https://trac.webkit.org/changeset/243955>
Ryan Haddad
Comment 9 2019-04-05 17:06:13 PDT
(In reply to Ryan Haddad from comment #8) > Reverted r243665 for reason: > > Caused iOS JSC tests to exit with an exception. > > Committed r243955: <https://trac.webkit.org/changeset/243955> See radar for details.
Note You need to log in before you can comment on or make changes to this bug.