WebKit Bugzilla
Bug 186989 - ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)) on nytimes.com
Status: RESOLVED DUPLICATE of bug 187091
https://bugs.webkit.org/show_bug.cgi?id=186989
Simon Fraser (smfr)
Reported
2018-06-24 22:23:33 PDT
Had nytimes.com loaded in debug MiniBrowser, WebKit1, and hit this assertion:

offset was 114, this was a FinalObjectType

ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset))
/Volumes/Data/Development/apple/webkit/OpenSource/Source/JavaScriptCore/runtime/JSObjectInlines.h(335) : bool JSC::JSObject::putDirectInternal(JSC::VM &, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot &)
1 0x11517bac9 WTFCrash
2 0x115b7b99d bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)
3 0x115b7af6b JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
4 0x1164e6835 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
5 0x115b7a89e JSC::JSValue::put(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
6 0x115b04b3f void JSC::DFG::putByValInternal<false, false>(JSC::ExecState*, JSC::VM&, long long, long long, long long)
7 0x115b0480f operationPutByValNonStrict
8 0x2bbff2887cb
9 0x2bbff57fa17
10 0x2bbff3c3663
11 0x2bbff22dcc2
12 0x115280bf2 llint_entry
13 0x115280bf2 llint_entry
14 0x2bbff35f082
15 0x115280bf2 llint_entry
16 0x2bbff58ffc1
17 0x2bbff592122
18 0x2bbff3d206f
19 0x115278652 vmEntryToJavaScript
20 0x116113afa JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
21 0x1161140d3 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
22 0x1163aa7ea JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
23 0x1163aa8cc JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
24 0x1163aab6d JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
25 0x10719377b WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
26 0x107215036 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&)
27 0x107214ae0 WebCore::ScheduledAction::execute(WebCore::Document&)
28 0x1072149a3 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext&)
29 0x108009899 WebCore::DOMTimer::fired()
30 0x108250b54 WebCore::ThreadTimers::sharedTimerFiredInternal()
31 0x1082668c1 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const
(lldb)
Simon Fraser (smfr)
Comment 1
2018-06-24 22:24:17 PDT
Was at WebKit r233132.
Simon Fraser (smfr)
Comment 2
2018-06-24 22:52:30 PDT
I can hit this pretty reliably. Just load nytimes.com and wait for a while.
Radar WebKit Bug Importer
Comment 3
2018-06-24 22:52:53 PDT
<rdar://problem/41415280>
Saam Barati
Comment 4
2018-06-25 00:57:56 PDT
Nice. This is revealing another bug that could lead to concurrent GC crashes
Alexey Proskuryakov
Comment 5
2018-07-03 02:33:06 PDT
Is this still an issue? It's supposed to be a duplicate of bug 187091 per Radar, but 32-bit tests are still hitting this (see bug 187255).
Michael Catanzaro
Comment 6
2018-07-03 07:17:42 PDT
*** Bug 187170 has been marked as a duplicate of this bug. ***
Mark Lam
Comment 7
2018-07-03 07:48:51 PDT
This is a dupe of https://bugs.webkit.org/show_bug.cgi?id=187091. The 32-bit issue is separate. I'll investigate that in bug 187255.

*** This bug has been marked as a duplicate of bug 187091 ***