Bug 273048
| Summary: | REGRESSION(277770@main): [Mac WK1, GTK, WPE, Win] ASSERTION FAILED: v <= 0 under MacroAssemblerX86Common::sub32 | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Fujii Hironori <Hironori.Fujii> |
| Component: | JavaScriptCore | Assignee: | David Degazio <d_degazio> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | d_degazio, j_stfleur, qbtly201, vitaly, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=272901 | ||
Fujii Hironori
Mac WK1, GTK, WPE and Win Debug are crashing due to an assertion failure
Buildbot: builder Apple-Ventura-Debug-WK1-Tests build 5364 : 277774@main
https://build.webkit.org/#/builders/703/builds/5364
https://build.webkit.org/results/Apple-Ventura-Debug-WK1-Tests/277774@main%20(5364)/accessibility/accessibility-node-reparent-crash-log.txt
ASSERTION FAILED: v <= 0
/Volumes/Data/worker/Apple-Ventura-Debug-Build/build/WebKitBuild/Debug/usr/local/include/wtf/MathExtras.h(787) : typename std::enable_if_t<std::is_integral_v<T> && std::is_signed_v<T>, std::make_unsigned_t<T>> WTF::negate(T) [T = int]
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Fujii Hironori
https://build.webkit.org/results/GTK-Linux-64-bit-Debug-Tests/277774@main%20(13031)/accessibility/accessibility-node-memory-management-stderr.txt
ASSERTION FAILED: v <= 0
/app/webkit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/MathExtras.h(787) : constexpr std::enable_if_t<(is_integral_v<T> && is_signed_v<T>), typename std::make_unsigned<_Tp>::type> WTF::negate(T) [with T = int; std::enable_if_t<(is_integral_v<T> && is_signed_v<T>), typename std::make_unsigned<_Tp>::type> = unsigned int; typename std::make_unsigned<_Tp>::type = unsigned int]
1 0x7f3a1f387422 WTFCrash
2 0x7f3a1cf08b0a WTF::isIntegralOrPointerType()
3 0x7f3a1e29322e std::enable_if<(is_integral_v<int>)&&(is_signed_v<int>), std::make_unsigned<int>::type>::type WTF::negate<int>(int)
4 0x7f3a1ed8c67e JSC::MacroAssemblerX86Common::sub32(JSC::X86Registers::RegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::TrustedImm32, JSC::X86Registers::RegisterID)
5 0x7f3a1f221a36 JSC::MacroAssembler::sub32(JSC::X86Registers::RegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::Imm32, JSC::X86Registers::RegisterID)
6 0x7f3a1f239e97 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::generate()
7 0x7f3a1f22ea97 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile(JSC::Yarr::YarrCodeBlock&)
8 0x7f3a1f22aed1 JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, WTF::StringView, JSC::Yarr::CharSize, std::optional<WTF::StringView>, JSC::VM*, JSC::Yarr::YarrCodeBlock&, JSC::Yarr::JITCompileMode)
9 0x7f3a1ec07b2c JSC::RegExp::compile(JSC::VM*, JSC::Yarr::CharSize, std::optional<WTF::StringView>)
10 0x7f3a1dadaf59 JSC::RegExp::compileIfNecessary(JSC::VM&, JSC::Yarr::CharSize, std::optional<WTF::StringView>)
11 0x7f3a1ec0e30f int JSC::RegExp::matchInline<WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, (JSC::Yarr::MatchFrom)0>(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, unsigned int, WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
12 0x7f3a1ec07cf5 JSC::RegExp::match(JSC::JSGlobalObject*, WTF::String const&, unsigned int, WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
13 0x7f3a1ec17be0 JSC::RegExpGlobalData::performMatch(JSC::JSGlobalObject*, JSC::RegExp*, JSC::JSString*, WTF::String const&, int, int**)
14 0x7f3a1ec5c6d9 replaceUsingRegExpSearch
15 0x7f3a1ec5e175 replaceUsingRegExpSearch
16 0x7f3a1ec5ef7d stringProtoFuncReplaceUsingRegExp
17 0x7f39c9208038 ???
WebKitWebProcess terminated (pid 2422) for reason: crash
Fujii Hironori
https://build.webkit.org/results/WinCairo-64-bit-Debug-Tests/277774@main%20(22418)/animations/3d/transform-origin-vs-functions-crash-log.txt
ASSERTION FAILED: v <= 0
C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf/MathExtras.h(787) : negate
1 00007FF8F53D1CA9 WTFCrash
2 00007FF8E4E4D22D WTFCrashWithInfo
3 00007FF8E5CC53BB WTF::negate<int>
4 00007FF8E6BE83A8 JSC::MacroAssemblerX86Common::sub32
5 00007FF8E6BDE08A JSC::MacroAssembler::sub32
6 00007FF8E6BD2E2D JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::generate
7 00007FF8E6BACC84 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile
8 00007FF8E6BA90EF JSC::Yarr::jitCompile
9 00007FF8E66FCD53 JSC::RegExp::compile
10 00007FF8E577CB70 JSC::RegExp::compileIfNecessary
11 00007FF8E67057BA JSC::RegExp::matchInline<WTF::Vector<int,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>,0>
12 00007FF8E66FCFEE JSC::RegExp::match
13 00007FF8E671E224 JSC::RegExpGlobalData::performMatch
14 00007FF8E6718D4D JSC::genericSplit<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\RegExpPrototype.cpp:575:9',`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\RegExpPrototype.cpp:580:9'>
15 00007FF8E67182A1 JSC::regExpProtoFuncSplitFast
16 000002130000119E (null)
Fujii Hironori
Pull request: https://github.com/WebKit/WebKit/pull/27569
Radar WebKit Bug Importer
<rdar://problem/126872453>
David Degazio
Stealing this, let's just make WTF::negate work for signed numbers.
David Degazio
Pull request: https://github.com/WebKit/WebKit/pull/27598
Fujii Hironori
*** Bug 273066 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
*** Bug 273120 has been marked as a duplicate of this bug. ***
EWS
Committed 277883@main (884c93a89477): <https://commits.webkit.org/277883@main>
Reviewed commits have been landed. Closing PR #27598 and removing active labels.
Ryan Haddad
*** Bug 273081 has been marked as a duplicate of this bug. ***