187807 – Regression (r233924) Unchecked JS exception: stress/json-stringify-getter-call.js

Bug 187807 - Regression (r233924) Unchecked JS exception: stress/json-stringify-getter-call.js

Summary: Regression (r233924) Unchecked JS exception: stress/json-stringify-getter-cal...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Tools / Tests (show other bugs)
Version:	Other
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yusuke Suzuki

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2018-07-19 09:22 PDT by Dawei Fenton (:realdawei)
Modified:	2018-07-19 10:07 PDT (History)
CC List:	6 users (show)

See Also:	187724

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dawei Fenton (:realdawei) 2018-07-19 09:22:13 PDT

The following regression was introduced in https://trac.webkit.org/changeset/233924/webkit

sample error output: 
https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/1281/steps/jscore-test/logs/stdio

stress/json-stringify-getter-call.js.default: ERROR: Unchecked JS exception:
stress/json-stringify-getter-call.js.default:     This scope can throw a JS exception: getPropertySlot @ /Volumes/Data/slave/highsierra-debug/build/Source/JavaScriptCore/runtime/JSObjectInlines.h:111
stress/json-stringify-getter-call.js.default:         (ExceptionScope::m_recursionDepth was 8)
stress/json-stringify-getter-call.js.default:     But the exception was unchecked as of this scope: callGetter @ ./runtime/GetterSetter.cpp:51
stress/json-stringify-getter-call.js.default:         (ExceptionScope::m_recursionDepth was 8)
stress/json-stringify-getter-call.js.default: 
stress/json-stringify-getter-call.js.default: Unchecked exception detected at:
stress/json-stringify-getter-call.js.default:     1   0x10b3b2b43 JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
stress/json-stringify-getter-call.js.default:     2   0x10b38c409 JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.default:     3   0x10b38c44a JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.default:     4   0x10b16d8a8 JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue)
stress/json-stringify-getter-call.js.default:     5   0x10b2ff4ae JSC::PropertySlot::functionGetter(JSC::ExecState*) const
stress/json-stringify-getter-call.js.default:     6   0x10a0c5e6c JSC::PropertySlot::getValue(JSC::ExecState*, unsigned int) const
stress/json-stringify-getter-call.js.default:     7   0x10b245369 JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
stress/json-stringify-getter-call.js.default:     8   0x10b24450c JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
stress/json-stringify-getter-call.js.default:     9   0x10b2439c9 JSC::Stringifier::stringify(JSC::JSValue)
stress/json-stringify-getter-call.js.default:     10  0x10b248705 JSC::JSONProtoFuncStringify(JSC::ExecState*)
stress/json-stringify-getter-call.js.default:     11  0x2d941655177
stress/json-stringify-getter-call.js.default:     12  0x10a01f1a6 llint_entry
stress/json-stringify-getter-call.js.default:     13  0x10a016b92 vmEntryToJavaScript
stress/json-stringify-getter-call.js.default:     14  0x10ae749fa JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
stress/json-stringify-getter-call.js.default:     15  0x10ae73fa1 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
stress/json-stringify-getter-call.js.default:     16  0x10b12d8d7 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
stress/json-stringify-getter-call.js.default:     17  0x105b93d00 runWithOptions(GlobalObject*, CommandLine&, bool&)
stress/json-stringify-getter-call.js.default:     18  0x105b6b5dc jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const
stress/json-stringify-getter-call.js.default:     19  0x105b52d84 int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&)
stress/json-stringify-getter-call.js.default:     20  0x105b5186f jscmain(int, char**)
stress/json-stringify-getter-call.js.default:     21  0x105b517ce main
stress/json-stringify-getter-call.js.default:     22  0x7fff6e830015 start
stress/json-stringify-getter-call.js.default: 
stress/json-stringify-getter-call.js.default: ASSERTION FAILED: !m_needExceptionCheck
stress/json-stringify-getter-call.js.default: ./runtime/VM.cpp(1186) : void JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation &)
stress/json-stringify-getter-call.js.default: 1   0x109f2b5e9 WTFCrash
stress/json-stringify-getter-call.js.default: 2   0x10b3b2c99 JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
stress/json-stringify-getter-call.js.default: 3   0x10b38c409 JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.default: 4   0x10b38c44a JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.default: 5   0x10b16d8a8 JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue)
stress/json-stringify-getter-call.js.default: 6   0x10b2ff4ae JSC::PropertySlot::functionGetter(JSC::ExecState*) const
stress/json-stringify-getter-call.js.default: 7   0x10a0c5e6c JSC::PropertySlot::getValue(JSC::ExecState*, unsigned int) const
stress/json-stringify-getter-call.js.default: 8   0x10b245369 JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
stress/json-stringify-getter-call.js.default: 9   0x10b24450c JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
stress/json-stringify-getter-call.js.default: 10  0x10b2439c9 JSC::Stringifier::stringify(JSC::JSValue)
stress/json-stringify-getter-call.js.default: 11  0x10b248705 JSC::JSONProtoFuncStringify(JSC::ExecState*)
stress/json-stringify-getter-call.js.default: 12  0x2d941655177
stress/json-stringify-getter-call.js.default: 13  0x10a01f1a6 llint_entry
stress/json-stringify-getter-call.js.default: 14  0x10a016b92 vmEntryToJavaScript
stress/json-stringify-getter-call.js.default: 15  0x10ae749fa JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
stress/json-stringify-getter-call.js.default: 16  0x10ae73fa1 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
stress/json-stringify-getter-call.js.default: 17  0x10b12d8d7 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
stress/json-stringify-getter-call.js.default: 18  0x105b93d00 runWithOptions(GlobalObject*, CommandLine&, bool&)
stress/json-stringify-getter-call.js.default: 19  0x105b6b5dc jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const
stress/json-stringify-getter-call.js.default: 20  0x105b52d84 int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&)
stress/json-stringify-getter-call.js.default: 21  0x105b5186f jscmain(int, char**)
stress/json-stringify-getter-call.js.default: 22  0x105b517ce main
stress/json-stringify-getter-call.js.default: 23  0x7fff6e830015 start
stress/json-stringify-getter-call.js.default: test_script_15648: line 2: 31076 Segmentation fault: 11  ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true json-stringify-getter-call.js )
stress/json-stringify-getter-call.js.no-llint: ERROR: Unchecked JS exception:
stress/json-stringify-getter-call.js.no-llint:     This scope can throw a JS exception: getPropertySlot @ /Volumes/Data/slave/highsierra-debug/build/Source/JavaScriptCore/runtime/JSObjectInlines.h:111
stress/json-stringify-getter-call.js.no-llint:         (ExceptionScope::m_recursionDepth was 8)
stress/json-stringify-getter-call.js.no-llint:     But the exception was unchecked as of this scope: callGetter @ ./runtime/GetterSetter.cpp:51
stress/json-stringify-getter-call.js.no-llint:         (ExceptionScope::m_recursionDepth was 8)
stress/json-stringify-getter-call.js.no-llint: 
stress/json-stringify-getter-call.js.no-llint: Unchecked exception detected at:
stress/json-stringify-getter-call.js.no-llint:     1   0x11013db43 JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
stress/json-stringify-getter-call.js.no-llint:     2   0x110117409 JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.no-llint:     3   0x11011744a JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.no-llint:     4   0x10fef88a8 JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue)
stress/json-stringify-getter-call.js.no-llint:     5   0x11008a4ae JSC::PropertySlot::functionGetter(JSC::ExecState*) const
stress/json-stringify-getter-call.js.no-llint:     6   0x10ee50e6c JSC::PropertySlot::getValue(JSC::ExecState*, unsigned int) const
stress/json-stringify-getter-call.js.no-llint:     7   0x10ffd0369 JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
stress/json-stringify-getter-call.js.no-llint:     8   0x10ffcf50c JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
stress/json-stringify-getter-call.js.no-llint:     9   0x10ffce9c9 JSC::Stringifier::stringify(JSC::JSValue)
stress/json-stringify-getter-call.js.no-llint:     10  0x10ffd3705 JSC::JSONProtoFuncStringify(JSC::ExecState*)
stress/json-stringify-getter-call.js.no-llint:     11  0x19f2b2ef177
stress/json-stringify-getter-call.js.no-llint:     12  0x19f2b2f1cf9
stress/json-stringify-getter-call.js.no-llint:     13  0x10eda1b92 vmEntryToJavaScript
stress/json-stringify-getter-call.js.no-llint:     14  0x10fbff9fa JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
stress/json-stringify-getter-call.js.no-llint:     15  0x10fbfefa1 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
stress/json-stringify-getter-call.js.no-llint:     16  0x10feb88d7 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
stress/json-stringify-getter-call.js.no-llint:     17  0x10ebf2d00 runWithOptions(GlobalObject*, CommandLine&, bool&)
stress/json-stringify-getter-call.js.no-llint:     18  0x10ebca5dc jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const
stress/json-stringify-getter-call.js.no-llint:     19  0x10ebb1d84 int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&)
stress/json-stringify-getter-call.js.no-llint:     20  0x10ebb086f jscmain(int, char**)
stress/json-stringify-getter-call.js.no-llint:     21  0x10ebb07ce main
stress/json-stringify-getter-call.js.no-llint:     22  0x7fff6e830015 start
stress/json-stringify-getter-call.js.no-llint: 
stress/json-stringify-getter-call.js.no-llint: ASSERTION FAILED: !m_needExceptionCheck
stress/json-stringify-getter-call.js.no-llint: ./runtime/VM.cpp(1186) : void JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation &)
stress/json-stringify-getter-call.js.no-llint: 1   0x10ecb65e9 WTFCrash
stress/json-stringify-getter-call.js.no-llint: 2   0x11013dc99 JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
stress/json-stringify-getter-call.js.no-llint: 3   0x110117409 JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.no-llint: 4   0x11011744a JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.no-llint: 5   0x10fef88a8 JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue)
stress/json-stringify-getter-call.js.no-llint: 6   0x11008a4ae JSC::PropertySlot::functionGetter(JSC::ExecState*) const
stress/json-stringify-getter-call.js.no-llint: 7   0x10ee50e6c JSC::PropertySlot::getValue(JSC::ExecState*, unsigned int) const
stress/json-stringify-getter-call.js.no-llint: 8   0x10ffd0369 JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
stress/json-stringify-getter-call.js.no-llint: 9   0x10ffcf50c JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
stress/json-stringify-getter-call.js.no-llint: 10  0x10ffce9c9 JSC::Stringifier::stringify(JSC::JSValue)
stress/json-stringify-getter-call.js.no-llint: 11  0x10ffd3705 JSC::JSONProtoFuncStringify(JSC::ExecState*)
stress/json-stringify-getter-call.js.no-llint: 12  0x19f2b2ef177
stress/json-stringify-getter-call.js.no-llint: 13  0x19f2b2f1cf9
stress/json-stringify-getter-call.js.no-llint: 14  0x10eda1b92 vmEntryToJavaScript
stress/json-stringify-getter-call.js.no-llint: 15  0x10fbff9fa JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
stress/json-stringify-getter-call.js.no-llint: 16  0x10fbfefa1 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
stress/json-stringify-getter-call.js.no-llint: 17  0x10feb88d7 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
stress/json-stringify-getter-call.js.no-llint: 18  0x10ebf2d00 runWithOptions(GlobalObject*, CommandLine&, bool&)
stress/json-stringify-getter-call.js.no-llint: 19  0x10ebca5dc jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const
stress/json-stringify-getter-call.js.no-llint: 20  0x10ebb1d84 int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&)
stress/json-stringify-getter-call.js.no-llint: 21  0x10ebb086f jscmain(int, char**)
stress/json-stringify-getter-call.js.no-llint: 22  0x10ebb07ce main
stress/json-stringify-getter-call.js.no-llint: 23  0x7fff6e830015 start
stress/json-stringify-getter-call.js.no-llint: test_script_15649: line 2: 31085 Segmentation fault: 11  ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useLLInt\=false json-stringify-getter-call.js )
stress/json-stringify-getter-call.js.no-cjit-validate-phases: ERROR: Unchecked JS exception:
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     This scope can throw a JS exception: getPropertySlot @ /Volumes/Data/slave/highsierra-debug/build/Source/JavaScriptCore/runtime/JSObjectInlines.h:111
stress/json-stringify-getter-call.js.no-cjit-validate-phases:         (ExceptionScope::m_recursionDepth was 8)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     But the exception was unchecked as of this scope: callGetter @ ./runtime/GetterSetter.cpp:51
stress/json-stringify-getter-call.js.no-cjit-validate-phases:         (ExceptionScope::m_recursionDepth was 8)
stress/json-stringify-getter-call.js.no-cjit-validate-phases: 
stress/json-stringify-getter-call.js.no-cjit-validate-phases: Unchecked exception detected at:
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     1   0x10f5a8b43 JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     2   0x10f582409 JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     3   0x10f58244a JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     4   0x10f3638a8 JSC::callGetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     5   0x10f4f54ae JSC::PropertySlot::functionGetter(JSC::ExecState*) const
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     6   0x10e2bbe6c JSC::PropertySlot::getValue(JSC::ExecState*, unsigned int) const
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     7   0x10f43b369 JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     8   0x10f43a50c JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     9   0x10f4399c9 JSC::Stringifier::stringify(JSC::JSValue)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     10  0x10f43e705 JSC::JSONProtoFuncStringify(JSC::ExecState*)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     11  0x3e4fe300177
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     12  0x10e2151a6 llint_entry
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     13  0x10e20cb92 vmEntryToJavaScript
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     14  0x10f06a9fa JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     15  0x10f069fa1 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     16  0x10f3238d7 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     17  0x10e05fd00 runWithOptions(GlobalObject*, CommandLine&, bool&)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     18  0x10e0375dc jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     19  0x10e01ed84 int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     20  0x10e01d86f jscmain(int, char**)
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     21  0x10e01d7ce main
stress/json-stringify-getter-call.js.no-cjit-validate-phases:     22  0x7fff6e830015 start

Comment 1 Yusuke Suzuki 2018-07-19 09:32:07 PDT

We should add `scope.release()`.

Comment 2 Yusuke Suzuki 2018-07-19 10:06:46 PDT

Committed r233987: <https://trac.webkit.org/changeset/233987>

Comment 3 Radar WebKit Bug Importer 2018-07-19 10:07:29 PDT

<rdar://problem/42388069>