Bug 133574 - ASSERTION FAILED: is8Bit() at StringImpl::characters8()
Summary: ASSERTION FAILED: is8Bit() at StringImpl::characters8()
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Andreas Kling
Keywords: InRadar
Duplicates: 135714
Depends on:
Reported: 2014-06-06 06:55 PDT by zalan
Modified: 2014-08-18 14:33 PDT (History)
Attachment: Patch (7.47 KB, patch), 2014-08-18 12:15 PDT, Andreas Kling, no flags

Description zalan 2014-06-06 06:55:53 PDT
It happens when I fire up Safari with a bunch of tabs pointing to various bugs.webkit.org pages. Difficult to repro.

/Users/zbujtas/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/text/StringImpl.h(417) : const LChar *WTF::StringImpl::characters8() const
1   0x119c04ec0 WTFCrash
2   0x119445035 WTF::StringImpl::characters8() const
3   0x11998af4b JSC::JSRopeString::resolveRopeInternal8(unsigned char*) const
4   0x11998c0d2 JSC::JSRopeString::resolveRopeToExistingAtomicString(JSC::ExecState*) const
5   0x112d17d5d JSC::JSString::toExistingAtomicString(JSC::ExecState*) const
6   0x112d1000f WebCore::jsDocumentPrototypeFunctionGetElementById(JSC::ExecState*)
7   0x4c6f4b001034
8   0x119a10c74 llint_entry
9   0x119a10c74 llint_entry
10  0x119a0a4c4 callToJavaScript
11  0x1198a5bdd JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
12  0x11988a5fa JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
13  0x1194c9c8e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
14  0x1194c9cf3 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*)
15  0x112c6bacb WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*)
16  0x112df5174 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
17  0x1125db01f WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&)
18  0x1125da8ee WebCore::EventTarget::fireEventListeners(WebCore::Event*)
19  0x11250489b WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>)
20  0x11250c0d8 WebCore::DOMWindow::dispatchLoadEvent()
21  0x1123e43bd WebCore::Document::dispatchWindowLoadEvent()
22  0x1123e1883 WebCore::Document::implicitClose()
23  0x1127402fb WebCore::FrameLoader::checkCallImplicitClose()
24  0x11273ffb4 WebCore::FrameLoader::checkCompleted()
25  0x1127403e4 WebCore::FrameLoader::completed()
26  0x11273ffd1 WebCore::FrameLoader::checkCompleted()
27  0x11273e828 WebCore::FrameLoader::finishedParsing()
28  0x1123ed7ab WebCore::Document::finishedParsing()
29  0x112873098 WebCore::HTMLConstructionSite::finishedParsing()
30  0x112988cb7 WebCore::HTMLTreeBuilder::finished()
31  0x11288370e WebCore::HTMLDocumentParser::end()
Comment 1 Andreas Kling 2014-06-06 13:03:40 PDT
I can't seem to reproduce this :| Could you save all the tabs in a bookmark folder the next time it happens and pass me that bookmark?

I wonder if this could be related to <rdar://problem/14296167>; I don't see how we could end up with a rope string that thinks the rope is 8-bit clean, but has an individual 16-bit fiber inside..
Comment 2 Alexey Proskuryakov 2014-06-06 15:49:42 PDT
I also see this from time to time, and can never reproduce, not even when reloading the same page.
Comment 3 Andreas Kling 2014-08-18 12:05:17 PDT
Comment 4 Andreas Kling 2014-08-18 12:15:48 PDT
Created attachment 236775
Comment 5 Darin Adler 2014-08-18 13:03:23 PDT
Comment on attachment 236775

View in context: https://bugs.webkit.org/attachment.cgi?id=236775&action=review

> Source/JavaScriptCore/runtime/JSString.h:204
> +        mutable unsigned m_flags;
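Review bot: making `m_flags` `mutable` at JSString.h:204 lets const methods update it, but nothing at the declaration records the invariant that justifies this (the reviewer's point on this bug: the flags must always match `m_value`, and `m_length` sitting between the two hides that coupling). Suggest a one-line comment on the declaration, e.g. `// Kept in sync with m_value; updated from const methods when a rope is resolved.`, or moving the declaration directly next to `m_value` so the pairing is visible.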

I think it’s a little peculiar to make this change, but I think what makes it clear that it’s right is that this is closely associated with m_value and the two need to match. Too bad m_length is between this and m_value, making it really hard to see that connection.
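The invariant discussed in Comment 1 (a rope flagged 8-bit must not contain a 16-bit fiber) and in Comment 5 (the cached flags must always match the value they describe), illustrated with an added toy model that is not WebKit code; `Fiber`, `Rope`, `replaceFiber` and `resolveTo8Bit` are hypothetical names, and the resolver reports a flag/fiber mismatch to the caller instead of asserting or reinterpreting the data:

```cpp
// Toy model (not WebKit code): a rope caches an 8-bit flag that must equal
// the conjunction of its fibers' flags. Names here are hypothetical.
#include <optional>
#include <string>
#include <utility>
#include <vector>

struct Fiber {
    bool is8Bit;            // true: every code unit fits in one Latin-1 byte
    std::u16string units;   // stored as UTF-16 code units for simplicity
};

class Rope {
public:
    explicit Rope(std::vector<Fiber> fibers) : m_fibers(std::move(fibers)) { recomputeFlags(); }

    bool is8Bit() const { return (m_flags & Is8Bit) != 0; }

    // Replace a fiber. Skipping recomputeFlags() here produces exactly the
    // flag/value mismatch the bug's comments describe: a rope that still
    // claims to be 8-bit clean while holding a 16-bit fiber.
    void replaceFiber(size_t i, Fiber f, bool keepFlagsInSync) {
        m_fibers[i] = std::move(f);
        if (keepFlagsInSync)
            recomputeFlags();
    }

    // Resolve into an 8-bit buffer. Rather than trusting the cached flag
    // alone, re-check every fiber and refuse to proceed on a mismatch, so
    // 16-bit data is never read through an 8-bit view.
    std::optional<std::string> resolveTo8Bit() const {
        if (!is8Bit())
            return std::nullopt;
        std::string out;
        for (const Fiber& f : m_fibers) {
            if (!f.is8Bit)
                return std::nullopt;   // cached flag is stale: report, don't reinterpret
            for (char16_t u : f.units)
                out.push_back(static_cast<char>(u));   // safe: u < 256 for an 8-bit fiber
        }
        return out;
    }

private:
    enum : unsigned { Is8Bit = 1u << 0 };
    void recomputeFlags() {
        unsigned flags = Is8Bit;
        for (const Fiber& f : m_fibers)
            if (!f.is8Bit)
                flags &= ~Is8Bit;
        m_flags = flags;
    }
    std::vector<Fiber> m_fibers;
    unsigned m_flags = 0;
};
```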
Comment 6 Mark Lam 2014-08-18 13:29:53 PDT
*** Bug 135714 has been marked as a duplicate of this bug. ***
Comment 7 WebKit Commit Bot 2014-08-18 14:33:14 PDT
Comment on attachment 236775

Clearing flags on attachment: 236775

Committed r172727: <http://trac.webkit.org/changeset/172727>
Comment 8 WebKit Commit Bot 2014-08-18 14:33:19 PDT
All reviewed patches have been landed.  Closing bug.