RESOLVED FIXED 173033
RELEASE_ASSERT(static_cast<size_t>(enumerationValue) < WTF_ARRAY_LENGTH(values)) hit in convertEnumerationToJS<WebCore::History::ScrollRestoration>() 
https://bugs.webkit.org/show_bug.cgi?id=173033
Summary RELEASE_ASSERT(static_cast<size_t>(enumerationValue) < WTF_ARRAY_LENGTH(value...
Chris Dumez
Reported 2017-06-06 14:21:16 PDT
RELEASE_ASSERT(static_cast<size_t>(enumerationValue) < WTF_ARRAY_LENGTH(values)) hit in convertEnumerationToJS<WebCore::History::ScrollRestoration>(): Thread[0] [ 0] 0x0000000188a1b424 WebCore`JSC::JSString* WebCore::convertEnumerationToJS<WebCore::History::ScrollRestoration>(JSC::ExecState&, WebCore::History::ScrollRestoration) + 228 at JSHistory.cpp:47:5 [ 1] 0x0000000188a1beef WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::JSConverter<WebCore::IDLEnumeration<WebCore::History::ScrollRestoration> >::convert(JSC::ExecState&, WebCore::History::ScrollRestoration) + 7 at JSDOMConvertEnumeration.h:65:16 [ 1] 0x0000000188a1bee8 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::JSConverterOverloader<WebCore::IDLEnumeration<WebCore::History::ScrollRestoration>, true, false>::convert<WebCore::History::ScrollRestoration>(JSC::ExecState&, WebCore::History::ScrollRestoration&&) + 4 at JSDOMConvertBase.h:106 [ 1] 0x0000000188a1bee4 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::toJS<WebCore::IDLEnumeration<WebCore::History::ScrollRestoration>, WebCore::History::ScrollRestoration>(JSC::ExecState&, WebCore::History::ScrollRestoration&&) at JSDOMConvertBase.h:135 [ 1] 0x0000000188a1bee4 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::toJS<WebCore::IDLEnumeration<WebCore::History::ScrollRestoration>, WebCore::History::ScrollRestoration>(JSC::ExecState&, JSC::ThrowScope&, WebCore::ExceptionOr<WebCore::History::ScrollRestoration>&&) + 8 at JSDOMConvertBase.h:150 [ 1] 0x0000000188a1bedc WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::jsHistoryScrollRestorationGetter(JSC::ExecState&, WebCore::JSHistory&, JSC::ThrowScope&) + 12 at JSHistory.cpp:232 [ 1] 0x0000000188a1bed0 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) [inlined] long long WebCore::IDLAttribute<WebCore::JSHistory>::get<&(WebCore::jsHistoryScrollRestorationGetter(JSC::ExecState&, WebCore::JSHistory&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, long long, char const*) + 120 at JSDOMAttribute.h:65 [ 1] 0x0000000188a1be58 WebCore`WebCore::jsHistoryScrollRestoration(JSC::ExecState*, long long, JSC::PropertyName) + 20 at JSHistory.cpp:238 [ 2] 0x000000018750a7f7 JavaScriptCore`::llint_slow_path_get_by_id(JSC::ExecState *, JSC::Instruction *) [inlined] JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 83 at PropertySlot.h:386:12 [ 2] 0x000000018750a7a4 JavaScriptCore`::llint_slow_path_get_by_id(JSC::ExecState *, JSC::Instruction *) [inlined] JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 680 at JSCJSValueInlines.h:799 [ 2] 0x000000018750a4fc JavaScriptCore`::llint_slow_path_get_by_id(JSC::ExecState *, JSC::Instruction *) + 196 at LLIntSlowPaths.cpp:657 [ 3] 0x0000000187beb1af JavaScriptCore`llint_entry + 10543 [ 4] 0x0000000187bef1af JavaScriptCore`llint_entry + 26927
Attachments
Patch (16.64 KB, patch)
2017-06-06 14:44 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (16.63 KB, patch)
2017-06-06 14:53 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2017-06-06 14:21:31 PDT
<rdar://problem/32591099>
Chris Dumez
Comment 2 2017-06-06 14:44:47 PDT
Created attachment 312122 [details] Patch
Simon Fraser (smfr)
Comment 3 2017-06-06 14:50:59 PDT
Comment on attachment 312122 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=312122&action=review > Source/WebKit2/Shared/SessionState.h:100 > + float pageScaleFactor { 1.0 }; We use pageScaleFactor = 0 to indicate "don't restore page scale" in history code, so I don't know if this 1 is correct.
Chris Dumez
Comment 4 2017-06-06 14:52:37 PDT
Comment on attachment 312122 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=312122&action=review >> Source/WebKit2/Shared/SessionState.h:100 >> + float pageScaleFactor { 1.0 }; > > We use pageScaleFactor = 0 to indicate "don't restore page scale" in history code, so I don't know if this 1 is correct. This will always be override this in practice so it likely does not change behavior at the moment. However, given the default value in HistoryItem, I agree it makes more sense to use 0 here.
Chris Dumez
Comment 5 2017-06-06 14:53:18 PDT
Created attachment 312124 [details] Patch
WebKit Commit Bot
Comment 6 2017-06-06 16:31:29 PDT
Comment on attachment 312124 [details] Patch Clearing flags on attachment: 312124 Committed r217867: <http://trac.webkit.org/changeset/217867>
WebKit Commit Bot
Comment 7 2017-06-06 16:31:31 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.