RESOLVED FIXED 179185
REGRESSION(r224309): [WPE] ASSERTION FAILED: !m_needsOverflowCheck fires when starting WPE 
https://bugs.webkit.org/show_bug.cgi?id=179185
Summary REGRESSION(r224309): [WPE] ASSERTION FAILED: !m_needsOverflowCheck fires when...
Michael Catanzaro
Reported 2017-11-02 10:50:09 PDT
Created attachment 325734 [details] Full backtrace r224309 "Add support to throw OOM if MarkedArgumentBuffer may overflow" has caused WPE's MiniBrowser (dyz) to crash on start in debug mode on this assertion: ASSERTION FAILED: !m_needsOverflowCheck ../../Source/JavaScriptCore/runtime/ArgList.h(55) : JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer() Truncated backtrace (full backtrace attached): #0 0x00007f0551670fcf in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:270 #1 0x00007f054e68caee in JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer ( this=0x7ffd9c210038, __in_chrg=<optimized out>) at ../../Source/JavaScriptCore/runtime/ArgList.h:55 #2 0x00007f0551226322 in JSC::CachedCall::~CachedCall (this=0x7ffd9c20ffd0, __in_chrg=<optimized out>) at ../../Source/JavaScriptCore/interpreter/CachedCall.h:38 #3 0x00007f0551216d63 in JSC::replaceUsingRegExpSearch (vm=..., exec=0x7ffd9c210650, string=0x7f04e9d72060, searchValue=..., callData=..., callType=<incomplete type>, replacementString=..., replaceValue=...) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:674 #4 0x00007f0551217a41 in JSC::replaceUsingRegExpSearch (vm=..., exec=0x7ffd9c210650, string=0x7f04e9d72060, searchValue=..., replaceValue=...) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:818 #5 0x00007f05512185d5 in JSC::stringProtoFuncReplaceUsingRegExp ( exec=0x7ffd9c210650) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:964 #6 0x00007f04fa7ff028 in ?? () #7 0x00007ffd9c2106f0 in ?? () #8 0x00007f0550ed7d23 in llint_entry () at ../../Source/JavaScriptCore/runtime/PropertySlot.h:139 Backtrace stopped: frame did not save the PC For some reason, the assertion only occurs for me with WPE, not GTK. At least for me. That's a bit surprising, though I have somewhat different build environments for both.
Attachments
Full backtrace (134.09 KB, text/plain)
2017-11-02 10:50 PDT, Michael Catanzaro 		no flags
Details
proposed patch. (4.74 KB, patch)
2017-11-02 20:20 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
proposed patch. (4.78 KB, patch)
2017-11-02 20:24 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2017-11-02 20:20:08 PDT
Created attachment 325831 [details] proposed patch.
Build Bot
Comment 2 2017-11-02 20:23:06 PDT
Attachment 325831 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:1: ChangeLog entry has no bug number [changelog/bugnumber] [5] Total errors found: 1 in 6 files If any of these errors are false positives, please file a bug against check-webkit-style.
Mark Lam
Comment 3 2017-11-02 20:24:37 PDT
Created attachment 325835 [details] proposed patch.
JF Bastien
Comment 4 2017-11-02 21:17:04 PDT
Comment on attachment 325835 [details] proposed patch. r=me
WebKit Commit Bot
Comment 5 2017-11-03 09:03:11 PDT
Comment on attachment 325835 [details] proposed patch. Clearing flags on attachment: 325835 Committed r224399: <https://trac.webkit.org/changeset/224399>
WebKit Commit Bot
Comment 6 2017-11-03 09:03:12 PDT
All reviewed patches have been landed. Closing bug.
Michael Catanzaro
Comment 7 2017-11-03 15:16:40 PDT
Thanks Mark!
Radar WebKit Bug Importer
Comment 8 2017-11-15 12:22:30 PST
<rdar://problem/35567409>
Note You need to log in before you can comment on or make changes to this bug.