Bug 196305

Summary: Assertion failed at Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:278
Product: WebKit
Reporter: Suyoung Lee <sevendays37>
Component: JavaScriptCore
Assignee: Tadeu Zagallo <tzagallo>
Status: REOPENED
Severity: Normal
CC: commit-queue, ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, ryanhaddad, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=196089
Attachments: Patch (flags: none)

Description Suyoung Lee 2019-03-27 10:47:44 PDT
The debug build of JavaScriptCore fails an assertion at Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:278.

PoC:
const var_1 = 'a'.padStart(2147483648 - 1);
new var_1();

Commit: 6369975
OS: Ubuntu 18.04.1 LTS
Arch: x86_64
Comment 1 Alexey Proskuryakov 2019-03-28 11:13:36 PDT
JSObject* createError(ExecState* exec, JSValue value, const String& message, ErrorInstance::SourceAppender appender)
{
    VM& vm = exec->vm();
    auto scope = DECLARE_CATCH_SCOPE(vm);

    String valueDescription = errorDescriptionForValue(exec, value);
    ASSERT(scope.exception() || !!valueDescription); // Line 278
Comment 2 Alexey Proskuryakov 2019-03-28 11:13:57 PDT
Sorry, didn't mean to mark this one as invalid.
Comment 3 Alexey Proskuryakov 2019-03-28 11:20:19 PDT
Test crashes shipping Safari:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00007fff3f8b6edf JSC::errorDescriptionForValue(JSC::ExecState*, JSC::JSValue) + 559
1   com.apple.JavaScriptCore      	0x00007fff3f8b72f5 JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) + 53
2   com.apple.JavaScriptCore      	0x00007fff3ef0e9e8 JSC::createNotAConstructorError(JSC::ExecState*, JSC::JSValue) + 56
3   com.apple.JavaScriptCore      	0x00007fff3f7776cb JSC::LLInt::setUpCall(JSC::ExecState*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 187
4   com.apple.JavaScriptCore      	0x00007fff3f13ea8f llint_entry + 63468
Comment 4 Radar WebKit Bug Importer 2019-03-28 11:20:34 PDT
<rdar://problem/49387382>
Comment 5 Tadeu Zagallo 2019-03-29 05:03:22 PDT
Created attachment 366267
Patch
Comment 6 WebKit Commit Bot 2019-03-29 14:54:00 PDT
Comment on attachment 366267
Patch

Clearing flags on attachment: 366267

Committed r243665: <https://trac.webkit.org/changeset/243665>
Comment 7 WebKit Commit Bot 2019-03-29 14:54:02 PDT
All reviewed patches have been landed. Closing bug.
Comment 8 Ryan Haddad 2019-04-05 17:05:37 PDT
Reverted r243665 for reason:

Caused iOS JSC tests to exit with an exception.

Committed r243955: <https://trac.webkit.org/changeset/243955>
Comment 9 Ryan Haddad 2019-04-05 17:06:13 PDT
(In reply to Ryan Haddad from comment #8)
> Reverted r243665 for reason:
> 
> Caused iOS JSC tests to exit with an exception.
> 
> Committed r243955: <https://trac.webkit.org/changeset/243955>
See radar for details.