Bug 196305 - Assertion failed at Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:278
Summary: Assertion failed at Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:278
Status: REOPENED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Tadeu Zagallo
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-03-27 10:47 PDT by sevendays37
Modified: 2019-04-05 17:06 PDT (History)
CC List: 11 users

See Also:


Attachments
Patch (3.04 KB, patch)
2019-03-29 05:03 PDT, Tadeu Zagallo

Description sevendays37 2019-03-27 10:47:44 PDT
The debug build of JavaScriptCore failed assertion at Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:278.

PoC:
// Build a string of length 2147483647 (2^31 - 1): padStart pads 'a' with spaces up to that length.
const var_1 = 'a'.padStart(2147483648 - 1);
// A string primitive is not a constructor, so this throws and forces
// createNotAConstructorError to render a description of the huge value into the message.
new var_1();

Commit: 6369975
OS: Ubuntu 18.04.1 LTS
Arch: x86_64
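The assertion at ExceptionHelpers.cpp:278 (quoted in comment 1 below) requires that errorDescriptionForValue either sets an exception or returns a non-null description, and the shipping-Safari trace in comment 3 shows that call reached from createNotAConstructorError. The PoC therefore has two distinct stages: materializing a string of length 2^31 - 1, and then making the engine describe that value while building a TypeError. The harness below, an added example that is neither the reporter's PoC nor WebKit code, separates those two stages and classifies which one the engine under test rejects and with what exception type. It assumes Node.js/V8 as the runtime; V8's string-length limit is lower than 2^31 - 1, so for the PoC's length it is expected to fail at the build stage with a RangeError, and the error-description stage is only exercised for lengths the engine accepts. Function names (buildPadded, triggerNotAConstructor, probe, demo) are the example's own.

```javascript
// Added probe harness (not the reporter's PoC and not WebKit code).
// Assumption: run under Node.js/V8. String-length limits and error message text
// are engine-specific, so only the classification of each stage is relied on.

// Stage 1: try to materialize a string of the requested length using the same
// primitive as the PoC ('a'.padStart(n)). Returns the value on success, or the
// exception class the engine threw while refusing to build it.
function buildPadded(length) {
  try {
    const s = 'a'.padStart(length);
    return { ok: true, value: s, length: s.length };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: String(e.message) };
  }
}

// Stage 2: force the not-a-constructor error path with the value. Any engine
// that embeds a description of the value in the message must now handle a
// value whose length is already at (or near) its own string-length limit.
function triggerNotAConstructor(value) {
  try {
    new value();
    return { threw: false };
  } catch (e) {
    const message = String(e.message);
    return {
      threw: true,
      error: e.constructor.name,
      messageLength: message.length,
      // true when the engine copied the whole value into the message text
      messageEmbedsValue: typeof value === 'string' && message.length >= value.length,
    };
  }
}

// Run both stages for one length and report which stage rejected it.
function probe(length) {
  const built = buildPadded(length);
  if (!built.ok) {
    return { length, stage: 'build', error: built.error, message: built.message };
  }
  const call = triggerNotAConstructor(built.value);
  if (!call.threw) {
    // Should not happen for a string value, but record it rather than assume.
    return { length, stage: 'construct', error: null };
  }
  return {
    length,
    stage: 'construct',
    error: call.error,
    messageLength: call.messageLength,
    messageEmbedsValue: call.messageEmbedsValue,
  };
}

// Constructed inputs: a small length that every engine accepts, and the PoC's
// 2^31 - 1. Mid-range lengths are deliberately omitted here because they would
// allocate hundreds of megabytes on engines that accept them.
function demo() {
  return [16, 2147483648 - 1].map(probe);
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the same harness inside a JSC shell (jsc) instead of Node is the interesting comparison for this bug: there the PoC's length is accepted at the build stage, so the construct stage is the one that has to cope with the oversized value, which is exactly where the assertion and the release-build crash in comment 3 sit.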
Comment 1 Alexey Proskuryakov 2019-03-28 11:13:36 PDT
JSObject* createError(ExecState* exec, JSValue value, const String& message, ErrorInstance::SourceAppender appender)
{
    VM& vm = exec->vm();
    auto scope = DECLARE_CATCH_SCOPE(vm);

    String valueDescription = errorDescriptionForValue(exec, value);
    ASSERT(scope.exception() || !!valueDescription); // Line 278
Comment 2 Alexey Proskuryakov 2019-03-28 11:13:57 PDT
Sorry, didn't mean to mark this one as invalid.
Comment 3 Alexey Proskuryakov 2019-03-28 11:20:19 PDT
Test crashes shipping Safari:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00007fff3f8b6edf JSC::errorDescriptionForValue(JSC::ExecState*, JSC::JSValue) + 559
1   com.apple.JavaScriptCore      	0x00007fff3f8b72f5 JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) + 53
2   com.apple.JavaScriptCore      	0x00007fff3ef0e9e8 JSC::createNotAConstructorError(JSC::ExecState*, JSC::JSValue) + 56
3   com.apple.JavaScriptCore      	0x00007fff3f7776cb JSC::LLInt::setUpCall(JSC::ExecState*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 187
4   com.apple.JavaScriptCore      	0x00007fff3f13ea8f llint_entry + 63468
Comment 4 Radar WebKit Bug Importer 2019-03-28 11:20:34 PDT
<rdar://problem/49387382>
Comment 5 Tadeu Zagallo 2019-03-29 05:03:22 PDT
Created attachment 366267 [details]
Patch
Comment 6 WebKit Commit Bot 2019-03-29 14:54:00 PDT
Comment on attachment 366267 [details]
Patch

Clearing flags on attachment: 366267

Committed r243665: <https://trac.webkit.org/changeset/243665>
Comment 7 WebKit Commit Bot 2019-03-29 14:54:02 PDT
All reviewed patches have been landed.  Closing bug.
Comment 8 Ryan Haddad 2019-04-05 17:05:37 PDT
Reverted r243665 for reason:

Caused iOS JSC tests to exit with an exception.

Committed r243955: <https://trac.webkit.org/changeset/243955>
Comment 9 Ryan Haddad 2019-04-05 17:06:13 PDT
(In reply to Ryan Haddad from comment #8)
> Reverted r243665 for reason:
> 
> Caused iOS JSC tests to exit with an exception.
> 
> Committed r243955: <https://trac.webkit.org/changeset/243955>
See radar for details.