Bug 230208

Summary: REGRESSION(r282278): ASSERTION FAILED: !m_needExceptionCheck in JSC::VM::verifyExceptionCheckNeedIsSatisfied
Product: WebKit
Reporter: Fujii Hironori <Hironori.Fujii>
Component: WebCore Misc.
Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED
Severity: Normal
CC: webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=230207
Bug Depends on: 230146
Bug Blocks:
Attachments:
  Patch (flags: none)
  Patch for landing (flags: none)

Description Fujii Hironori 2021-09-12 21:26:30 PDT
REGRESSION(r282278): ASSERTION FAILED: !m_needExceptionCheck in JSC::VM::verifyExceptionCheckNeedIsSatisfied

r282278 (Bug 230146) introduced a new assertion failure for WinCairo Debug WK2 test.

Regressions: Unexpected crashes (1)
  js/dom/transform-stream.html [ Crash ]


ERROR: 00000220F35B8AE0 - ResourceLoadStatisticsDatabaseStore::turnOnIncrementalAutoVacuum failed, error message: not an error
C:\home\webkit\gc\Source\WebKit\NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp(315) : WebKit::ResourceLoadStatisticsDatabaseStore::ResourceLoadStatisticsDatabaseStore
ERROR: Unchecked JS exception:
    This scope can throw a JS exception: JSC::JSObject::get @ C:\home\webkit\gc\WebKitBuild\Debug\JavaScriptCore\PrivateHeaders\JavaScriptCore\JSObject.h:1504
        (ExceptionScope::m_recursionDepth was 13)
    But the exception was unchecked as of this scope: WebCore::invokeWritableStreamFunction @ C:\home\webkit\gc\Source\WebCore\bindings/js/InternalWritableStream.cpp:42
        (ExceptionScope::m_recursionDepth was 13)

Unchecked exception detected at:
    1   00007FFC0D8A464F JSC::VM::verifyExceptionCheckNeedIsSatisfied
    2   00007FFC0D878924 JSC::ThrowScope::ThrowScope
    3   00007FFBEE14D4EB WebCore::invokeWritableStreamFunction
    4   00007FFBEE14C6E1 WebCore::InternalWritableStream::create
    5   00007FFBEDF0733C WebCore::WritableStream::create
    6   00007FFBEDF07207 WebCore::WritableStream::create
    7   00007FFBEDAF98B6 WebCore::JSDOMConstructor<WebCore::JSWritableStream>::construct
    8   00007FFC0D05BB6F JSC::NativeFunction::operator()
    9   00007FFC0D05BBBC JSC::TaggedNativeFunction::operator()
    10  00007FFC0D0F567B JSC::LLInt::handleHostCall
    11  00007FFC0D10BC4A JSC::LLInt::setUpCall
    12  00007FFC0D1016D6 JSC::LLInt::genericCall<JSC::OpConstruct>
    13  00007FFC0D0EDBAF llint_slow_path_construct
    14  00007FFC0C02C4C6 llint_entry

ASSERTION FAILED: !m_needExceptionCheck
C:\home\webkit\gc\Source\JavaScriptCore\runtime/VM.cpp(1490) : JSC::VM::verifyExceptionCheckNeedIsSatisfied
1   00007FFC0A1F1DEB WTFCrash
2   00007FFC0C02FFBE WTFCrashWithInfo
3   00007FFC0D8A4790 JSC::VM::verifyExceptionCheckNeedIsSatisfied
4   00007FFC0D878924 JSC::ThrowScope::ThrowScope
5   00007FFBEE14D4EB WebCore::invokeWritableStreamFunction
6   00007FFBEE14C6E1 WebCore::InternalWritableStream::create
7   00007FFBEDF0733C WebCore::WritableStream::create
8   00007FFBEDF07207 WebCore::WritableStream::create
9   00007FFBEDAF98B6 WebCore::JSDOMConstructor<WebCore::JSWritableStream>::construct
10  00007FFC0D05BB6F JSC::NativeFunction::operator()
11  00007FFC0D05BBBC JSC::TaggedNativeFunction::operator()
12  00007FFC0D0F567B JSC::LLInt::handleHostCall
13  00007FFC0D10BC4A JSC::LLInt::setUpCall
14  00007FFC0D1016D6 JSC::LLInt::genericCall<JSC::OpConstruct>
15  00007FFC0D0EDBAF llint_slow_path_construct
16  00007FFC0C02C4C6 llint_entry
Comment 1 Fujii Hironori 2021-09-13 00:55:45 PDT
Created attachment 438019 [details]
Patch
Comment 2 Fujii Hironori 2021-09-13 01:00:31 PDT
This is not a WinCairo-specific issue. Another bug (Bug 230207) seems to hide this. Fixing Bug 230207 reveals this for the Mac port.
Comment 3 youenn fablet 2021-09-13 01:59:14 PDT
Comment on attachment 438019 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438019&action=review

> Source/WebCore/bindings/js/InternalWritableStream.cpp:47
>      auto result = call(&globalObject, function, callData, JSC::jsUndefined(), arguments);

Can we also replace the if (UNLIKELY(...)) return Exception... with:
    RETURN_IF_EXCEPTION(scope, Exception { ExistingExceptionError });

This is more in line with other parts of the codebase.
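To illustrate the pattern the reviewer asks for, here is an added, reduced model of JSC's debug-only unchecked-exception tracking; it is not WebKit code, and it assumes (the page does not show the fix) that the fix checks the scope immediately after the throwing get(), before call() opens its own scope.

```cpp
// Added illustration (not WebKit code): a reduced model of JSC's debug-only
// unchecked-exception tracking. It shows why the "before" shape of
// invokeWritableStreamFunction trips verifyExceptionCheckNeedIsSatisfied and
// how checking the scope right after the throwing operation satisfies it.
struct VM {
    bool hasException = false;         // a JS exception is pending
    bool needExceptionCheck = false;   // stands in for VM::m_needExceptionCheck
    int verifyFailures = 0;            // each one is an "ASSERTION FAILED: !m_needExceptionCheck"
    int callsWithPendingException = 0; // host calls that ran while an exception was pending
    void verifyExceptionCheckNeedIsSatisfied() {
        if (needExceptionCheck) { ++verifyFailures; needExceptionCheck = false; }
    }
};
// Opening or closing a scope verifies that the previous throwing operation was checked.
struct ThrowScope {
    VM& vm;
    explicit ThrowScope(VM& v) : vm(v) { vm.verifyExceptionCheckNeedIsSatisfied(); }
    ~ThrowScope() { vm.verifyExceptionCheckNeedIsSatisfied(); }
    void mayThrow(bool throws) { vm.needExceptionCheck = true; if (throws) vm.hasException = true; }
    bool exception() { vm.needExceptionCheck = false; return vm.hasException; } // the check itself
};
#define RETURN_IF_EXCEPTION(scope, value) do { if ((scope).exception()) return value; } while (false)
// Stand-ins for JSObject::get (can throw) and JSC::call (opens its own scope).
static void jsGet(ThrowScope& scope, bool throws) { scope.mayThrow(throws); }
static void jsCall(VM& vm) {
    if (vm.hasException) ++vm.callsWithPendingException;
    ThrowScope inner(vm);
    inner.mayThrow(false);
    inner.exception();
}
// "Before": get()'s result is never checked, so the scope opened by call() reports it.
static bool invokeUnchecked(VM& vm, bool getThrows) {
    ThrowScope scope(vm);
    jsGet(scope, getThrows);
    jsCall(vm);                        // runs even if get() threw
    RETURN_IF_EXCEPTION(scope, false);
    return true;
}
// "After": check immediately after the throwing operation (assumed shape of the fix).
static bool invokeChecked(VM& vm, bool getThrows) {
    ThrowScope scope(vm);
    jsGet(scope, getThrows);
    RETURN_IF_EXCEPTION(scope, false); // bail out before anything else runs
    jsCall(vm);
    RETURN_IF_EXCEPTION(scope, false);
    return true;
}
// Debug counters after running one variant on a fresh VM.
static int failuresFor(bool checked, bool getThrows) { VM vm; (checked ? invokeChecked : invokeUnchecked)(vm, getThrows); return vm.verifyFailures; }
static int pendingFor(bool checked, bool getThrows) { VM vm; (checked ? invokeChecked : invokeUnchecked)(vm, getThrows); return vm.callsWithPendingException; }
```

The unchecked variant trips the verifier even when get() does not throw, and when it does throw, call() runs with an exception already pending; the checked variant does neither.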
Comment 4 Fujii Hironori 2021-09-13 12:52:54 PDT
Created attachment 438066 [details]
Patch for landing
Comment 5 Fujii Hironori 2021-09-13 13:21:45 PDT
Comment on attachment 438066 [details]
Patch for landing

Clearing flags on attachment: 438066

Committed r282351 (241617@main): <https://commits.webkit.org/241617@main>
Comment 6 Fujii Hironori 2021-09-13 13:21:49 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Radar WebKit Bug Importer 2021-09-13 13:22:21 PDT
<rdar://problem/83069483>