Bug 274281

Summary: [Apple-Ventura-AppleSilicon-Debug-JSC-Tests] ASSERTION FAILED: !m_needExceptionCheck in multiple tests in ChakraCore.yaml/ChakraCore/test
Product: WebKit Reporter: Marta Darbinyan <darbinyan>
Component: JavaScriptCoreAssignee: Dan Hecht <dan.hecht>
Status: RESOLVED FIXED    
Severity: Normal CC: keith_miller, mark.lam, msaboff, webkit-bot-watchers-bugzilla, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Marta Darbinyan
Reported 2024-05-16 15:06:48 PDT
The following tests regressed in Apple-Ventura-AppleSilicon-Debug-JSC-Tests. The first failed test occurred on 278541@main. First failed: 278541@main Last passed: 278465@main The possible culprit range is in https://commits.webkit.org/compare/278465@main...278541@main Failing tests: ChakraCore.yaml/ChakraCore/test/Bugs/OS_5553123.js.default ChakraCore.yaml/ChakraCore/test/Strings/HTMLHelpers.js.default ChakraCore.yaml/ChakraCore/test/UnitTestFramework/UTFTests.js.default ChakraCore.yaml/ChakraCore/test/es5/TypeConversions.js.default ChakraCore.yaml/ChakraCore/test/es5/defineProperty.js.default ChakraCore.yaml/ChakraCore/test/es6/ES6Function_bugs.js.default ChakraCore.yaml/ChakraCore/test/es6/NumericLiteralTest.js.default ChakraCore.yaml/ChakraCore/test/es6/map_basic.js.default ChakraCore.yaml/ChakraCore/test/es6/proxytest6.js.default ChakraCore.yaml/ChakraCore/test/es6/regex-quantifiers.js.default ChakraCore.yaml/ChakraCore/test/es6/set_basic.js.default ChakraCore.yaml/ChakraCore/test/es6/superDotOSBug3930962.js.default ChakraCore.yaml/ChakraCore/test/es6/weakmap_basic.js.default ChakraCore.yaml/ChakraCore/test/es6/weakset_basic.js.default Errors: ChakraCore.yaml/ChakraCore/test/es5/defineProperty.js.default: ASSERTION FAILED: !m_needExceptionCheck ChakraCore.yaml/ChakraCore/test/es5/defineProperty.js.default: ./runtime/VM.cpp(1441) : void JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation &) ChakraCore.yaml/ChakraCore/test/es5/defineProperty.js.default: test_script_86783: line 2: 78655 Trace/BPT trap: 5 ( "$@" ../../../../../.vm/JavaScriptCore.framework/Helpers/jsc --validateOptions\=true --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --thresholdForOMGOptimizeAfterWarmUp\=20 --thresholdForOMGOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true --repatchBufferingCountdown\=0 jsc-lib.js defineProperty.js ) ChakraCore.yaml/ChakraCore/test/es5/defineProperty.js.default: ERROR: Unexpected exit code: 133 FAIL: ChakraCore.yaml/ChakraCore/test/es5/defineProperty.js.default History: https://results.webkit.org/?style=debug&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&suite=javascriptcore-tests&test=ChakraCore.yaml%2FChakraCore%2Ftest%2FBugs%2FOS_5553123.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2FStrings%2FHTMLHelpers.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2FUnitTestFramework%2FUTFTests.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes5%2FTypeConversions.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes5%2FdefineProperty.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes6%2FES6Function_bugs.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes6%2FNumericLiteralTest.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes6%2Fmap_basic.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes6%2Fproxytest6.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes6%2Fregex-quantifiers.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes6%2Fset_basic.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes6%2FsuperDotOSBug3930962.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes6%2Fweakmap_basic.js.default&test=ChakraCore.yaml%2FChakraCore%2Ftest%2Fes6%2Fweakset_basic.js.default&version_name=Ventura Test failure: https://build.webkit.org/#/builders/1026/builds/52/steps/12/logs/stdio
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2024-05-16 15:07:21 PDT
<rdar://problem/128228200>
Ryan Haddad
Comment 2 2024-05-16 15:16:13 PDT
Full log: https://s3-us-west-2.amazonaws.com/archives.webkit.org/mac-ventura-x86_64%20arm64-debug-jscore-test/278857@main.txt ERROR: Unchecked JS exception: This scope can throw a JS exception: toStringSlowCase @ ./runtime/JSCJSValue.cpp:376 (ExceptionScope::m_recursionDepth was 4) But the exception was unchecked as of this scope: matchInline @ /Volumes/Data/worker/Apple-Ventura-Debug-Build/build/Source/JavaScriptCore/runtime/RegExpObjectInlines.h:106 (ExceptionScope::m_recursionDepth was 4) Unchecked exception detected at: 1 0x11a2ac3cc JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&) 2 0x11a2885cc JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation) 3 0x11a288600 JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation) 4 0x119580094 JSC::RegExpObject::matchInline(JSC::JSGlobalObject*, JSC::JSString*) 5 0x1195343e4 JSC::RegExpObject::testInline(JSC::JSGlobalObject*, JSC::JSString*) 6 0x1195345c4 operationRegExpTest 7 0x121ae8754 6 ??? 0x0000000121ae8754 0x0 + 4860053332 8 0x11a9f8e2c llint_entry 9 0x11a9f8e2c llint_entry 10 0x11a9d25b4 vmEntryToJavaScript 11 0x119a54e84 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 12 0x119d90c6c JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 13 0x104fd411c runWithOptions(GlobalObject*, CommandLine&, bool&) 14 0x104f7e3e8 jscmain(int, char**)::$_10::operator()(JSC::VM&, GlobalObject*, bool&) const 15 0x104f3b7f4 int runJSC<jscmain(int, char**)::$_10>(CommandLine const&, bool, jscmain(int, char**)::$_10 const&) 16 0x104f38d24 jscmain(int, char**) 17 0x104f38808 main 18 0x18ac2bf28 start
Dan Hecht
Comment 3 2024-05-17 11:00:22 PDT
Running the test case with --dumpSimulatedThrows=1 produces: ERROR: Unchecked JS exception: This scope can throw a JS exception: toStringSlowCase @ ./runtime/JSCJSValue.cpp:376 (ExceptionScope::m_recursionDepth was 4) But the exception was unchecked as of this scope: matchInline @ ./runtime/RegExpObjectInlines.h:106 (ExceptionScope::m_recursionDepth was 4) The simulated exception was thrown at: 1 0x10cee85e4 JSC::ThrowScope::simulateThrow() 2 0x10cee84a4 JSC::ThrowScope::~ThrowScope() 3 0x10cee8638 JSC::ThrowScope::~ThrowScope() 4 0x10cb2d960 JSC::JSValue::toStringSlowCase(JSC::JSGlobalObject*, bool) const 5 0x10c0c9f90 JSC::JSValue::toStringOrNull(JSC::JSGlobalObject*) const 6 0x10c0ce38c operationRegExpTest 7 0x11696f960 6 ??? 0x000000011696f960 0x0 + 4673960288 8 0x116918550 7 ??? 0x0000000116918550 0x0 + 4673602896 9 0x1168b0068 8 ??? 0x00000001168b0068 0x0 + 4673175656 10 0x11690a7e0 9 ??? 0x000000011690a7e0 0x0 + 4673546208 11 0x11690f8e4 10 ??? 0x000000011690f8e4 0x0 + 4673566948 12 0x1168b0008 11 ??? 0x00000001168b0008 0x0 + 4673175560 13 0x1168b0428 12 ??? 0x00000001168b0428 0x0 + 4673176616 14 0x10c63e2a8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 15 0x10c9afcd8 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 16 0x1009e3164 runWithOptions(GlobalObject*, CommandLine&, bool&) 17 0x100989f1c jscmain(int, char**)::$_10::operator()(JSC::VM&, GlobalObject*, bool&) const 18 0x1009433b0 int runJSC<jscmain(int, char**)::$_10>(CommandLine const&, bool, jscmain(int, char**)::$_10 const&) 19 0x1009406e8 jscmain(int, char**) 20 0x100940178 main 21 0x197a6e0e0 start Unchecked exception detected at: 1 0x10cf0dd50 JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&) 2 0x10cee82cc JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation) 3 0x10cee830c JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation) 4 0x10cdf9ca0 JSC::RegExpObject::matchInline(JSC::JSGlobalObject*, JSC::JSString*) 5 0x10c0ce1f8 JSC::RegExpObject::testInline(JSC::JSGlobalObject*, JSC::JSString*) 6 0x10c0ce3ec operationRegExpTest 7 0x11696f960 6 ??? 0x000000011696f960 0x0 + 4673960288 8 0x116918550 7 ??? 0x0000000116918550 0x0 + 4673602896 9 0x1168b0068 8 ??? 0x00000001168b0068 0x0 + 4673175656 10 0x11690a7e0 9 ??? 0x000000011690a7e0 0x0 + 4673546208 11 0x11690f8e4 10 ??? 0x000000011690f8e4 0x0 + 4673566948 12 0x1168b0008 11 ??? 0x00000001168b0008 0x0 + 4673175560 13 0x1168b0428 12 ??? 0x00000001168b0428 0x0 + 4673176616 14 0x10c63e2a8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 15 0x10c9afcd8 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 16 0x1009e3164 runWithOptions(GlobalObject*, CommandLine&, bool&) 17 0x100989f1c jscmain(int, char**)::$_10::operator()(JSC::VM&, GlobalObject*, bool&) const 18 0x1009433b0 int runJSC<jscmain(int, char**)::$_10>(CommandLine const&, bool, jscmain(int, char**)::$_10 const&) 19 0x1009406e8 jscmain(int, char**) 20 0x100940178 main 21 0x197a6e0e0 start ASSERTION FAILED: !m_needExceptionCheck In the common caller operationRegExpTest, there is no exception check between the call to toStringOrNull and testInline. The similar method uses this invariant to avoid an explicit exception check: EXCEPTION_ASSERT(!!scope.exception() == !input); which implies we will take the !input early return anyway if an exception is pending. Appears we should be able to do the same here (though I didn't exhaustively verify that this invariant is correct for all cases inside JSValue::toStringSlowCase()).
Dan Hecht
Comment 4 2024-05-17 11:05:26 PDT
Oops, meant to say: The similar method operationRegExpTestGeneric
Dan Hecht
Comment 5 2024-05-17 12:54:39 PDT
Pull request: https://github.com/WebKit/WebKit/pull/28728
EWS
Comment 6 2024-05-17 21:55:57 PDT
Committed 278947@main (4b7d246d6d63): <https://commits.webkit.org/278947@main> Reviewed commits have been landed. Closing PR #28728 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.