Bug 208766

Summary: REGRESSION (r258049): Unchecked JS exception in jsc::Stringifier::toJSON
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: JavaScriptCore Assignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED    
Severity: Trivial CC: ashvayka, commit-queue, ews-watchlist, keith_miller, mark.lam, msaboff, ross.kirsling, saam, tzagallo, webkit-bot-watchers-bugzilla, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=208725
Attachments:
Description Flags
Patch none

Ryan Haddad
Reported 2020-03-07 10:16:46 PST
After https://trac.webkit.org/changeset/258049/webkit, the debug JSC bot has 44 test failures due to an unchecked JS exception:

microbenchmarks/json-stringify-many-objects-to-json.js.default: ERROR: Unchecked JS exception:
microbenchmarks/json-stringify-many-objects-to-json.js.default: This scope can throw a JS exception: executeCall @ ./interpreter/Interpreter.cpp:858
microbenchmarks/json-stringify-many-objects-to-json.js.default: (ExceptionScope::m_recursionDepth was 10)
microbenchmarks/json-stringify-many-objects-to-json.js.default: But the exception was unchecked as of this scope: toJSON @ ./runtime/JSONObject.cpp:301
microbenchmarks/json-stringify-many-objects-to-json.js.default: (ExceptionScope::m_recursionDepth was 9)
microbenchmarks/json-stringify-many-objects-to-json.js.default:
microbenchmarks/json-stringify-many-objects-to-json.js.default: Unchecked exception detected at:
microbenchmarks/json-stringify-many-objects-to-json.js.default: 1 0x10b9c30ae JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 2 0x10b99beed JSC::ThrowScope::~ThrowScope()
microbenchmarks/json-stringify-many-objects-to-json.js.default: 3 0x10b99c0f5 JSC::ThrowScope::~ThrowScope()
microbenchmarks/json-stringify-many-objects-to-json.js.default: 4 0x10b80713c JSC::Stringifier::toJSON(JSC::JSValue, JSC::PropertyNameForFunctionCall const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 5 0x10b8063b9 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 6 0x10b807efa JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 7 0x10b806cd5 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 8 0x10b80608c JSC::Stringifier::stringify(JSC::JSValue)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 9 0x10b80b568 JSC::JSONProtoFuncStringify(JSC::JSGlobalObject*, JSC::CallFrame*)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 10 0x547503e01178
microbenchmarks/json-stringify-many-objects-to-json.js.default: 11 0x10a4faeb3 llint_entry
microbenchmarks/json-stringify-many-objects-to-json.js.default: 12 0x10a4dda93 vmEntryToJavaScript
microbenchmarks/json-stringify-many-objects-to-json.js.default: 13 0x10b2ecf57 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 14 0x10b2ec5ac JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 15 0x10b671edc JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 16 0x109eade4f runWithOptions(GlobalObject*, CommandLine&, bool&)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 17 0x109e7f19a jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const
microbenchmarks/json-stringify-many-objects-to-json.js.default: 18 0x109e5997b int runJSC<jscmain(int, char**)::$_6>(CommandLine const&, bool, jscmain(int, char**)::$_6 const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 19 0x109e58408 jscmain(int, char**)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 20 0x109e581de main
microbenchmarks/json-stringify-many-objects-to-json.js.default: 21 0x7fff719c87fd start

https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests/builds/453
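
A triage helper for output like the report above, added here as an example and not taken from WebKit's tooling: it parses the verifier's lines into (function, file, line) scopes and groups failures by the scope that left the exception unchecked, so many failing tests collapse to one site. The second test name, the trimmed frames and the assumption that lines from different tests can interleave are constructed for illustration.

```python
import re
from collections import Counter

T1 = "microbenchmarks/json-stringify-many-objects-to-json.js.default"
T2 = "microbenchmarks/constructed-second-test.js.default"  # constructed name
# Constructed sample in the report's format; frames trimmed, second test invented.
SAMPLE = "\n".join([
    f"{T1}: ERROR: Unchecked JS exception:",
    f"{T2}: ERROR: Unchecked JS exception:",
    f"{T1}: This scope can throw a JS exception: executeCall @ ./interpreter/Interpreter.cpp:858",
    f"{T1}: But the exception was unchecked as of this scope: toJSON @ ./runtime/JSONObject.cpp:301",
    f"{T2}: But the exception was unchecked as of this scope: toJSON @ ./runtime/JSONObject.cpp:301",
    f"{T1}: 1 0x10b9c30ae JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)",
    f"{T1}: 2 0x10b99beed JSC::ThrowScope::~ThrowScope()",
    f"{T1}: 4 0x10b80713c JSC::Stringifier::toJSON(JSC::JSValue, JSC::PropertyNameForFunctionCall const&)",
])

SCOPE = re.compile(r"(\S+) @ (\S+):(\d+)$")
FRAME = re.compile(r"\d+ 0x[0-9a-f]+ (.+)$")
THROWER = "This scope can throw a JS exception: "
UNCHECKED = "But the exception was unchecked as of this scope: "
# Frames of the checker itself, not of the function that is missing the check.
PLUMBING = ("JSC::VM::verifyExceptionCheckNeedIsSatisfied", "JSC::ThrowScope::")

def _scope(text):
    m = SCOPE.match(text)
    return (m[1], m[2], int(m[3])) if m else None

def parse_reports(log):
    # Assumption: lines of different tests may interleave, so track one open report per test.
    reports, current = [], {}
    for raw in log.splitlines():
        test, sep, msg = raw.strip().partition(": ")
        if not sep:
            continue
        if msg.startswith("ERROR: Unchecked JS exception"):
            current[test] = {"test": test, "thrower": None, "unchecked": None, "culprit": None}
            reports.append(current[test])
        elif (rep := current.get(test)) is None:
            continue
        elif msg.startswith(THROWER):
            rep["thrower"] = _scope(msg[len(THROWER):])
        elif msg.startswith(UNCHECKED):
            rep["unchecked"] = _scope(msg[len(UNCHECKED):])
        elif rep["culprit"] is None and (m := FRAME.match(msg)) and not m[1].startswith(PLUMBING):
            rep["culprit"] = m[1]  # first stack frame below the checker
    return reports

def group_by_unchecked_scope(reports):
    return Counter(r["unchecked"] for r in reports)
```
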
Attachments
Patch (1.46 KB, patch)
2020-03-07 10:53 PST, Alexey Shvayka
no flags
Alexey Shvayka
Comment 1 2020-03-07 10:53:08 PST
Yusuke Suzuki
Comment 2 2020-03-07 14:09:41 PST
Comment on attachment 392867
Patch

r=me, nice fix!
Ross Kirsling
Comment 3 2020-03-07 14:29:02 PST
Thanks for addressing this so quickly, Alexey!
Alexey Shvayka
Comment 4 2020-03-07 14:46:23 PST
Thank you, folks. I thought this kind of error would have been caught by regular EWS. Anyway, I will test future patches with JSC_validateExceptionChecks=true.
WebKit Commit Bot
Comment 5 2020-03-07 14:53:43 PST
Comment on attachment 392867
Patch

Clearing flags on attachment: 392867

Committed r258081: <https://trac.webkit.org/changeset/258081>
WebKit Commit Bot
Comment 6 2020-03-07 14:53:45 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 7 2020-03-07 14:54:15 PST