Bug 208766 - REGRESSION (r258049): Unchecked JS exception in jsc::Stringifier::toJSON
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Trivial
Assignee: Alexey Shvayka
Keywords: InRadar
 
Reported: 2020-03-07 10:16 PST by Ryan Haddad
Modified: 2020-03-07 14:54 PST

Attachments
Patch (1.46 KB, patch)
2020-03-07 10:53 PST, Alexey Shvayka

Description Ryan Haddad 2020-03-07 10:16:46 PST
After https://trac.webkit.org/changeset/258049/webkit, the debug JSC bot has 44 test failures due to an unchecked JS exception:

microbenchmarks/json-stringify-many-objects-to-json.js.default: ERROR: Unchecked JS exception:
microbenchmarks/json-stringify-many-objects-to-json.js.default:     This scope can throw a JS exception: executeCall @ ./interpreter/Interpreter.cpp:858
microbenchmarks/json-stringify-many-objects-to-json.js.default:         (ExceptionScope::m_recursionDepth was 10)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     But the exception was unchecked as of this scope: toJSON @ ./runtime/JSONObject.cpp:301
microbenchmarks/json-stringify-many-objects-to-json.js.default:         (ExceptionScope::m_recursionDepth was 9)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 
microbenchmarks/json-stringify-many-objects-to-json.js.default: Unchecked exception detected at:
microbenchmarks/json-stringify-many-objects-to-json.js.default:     1   0x10b9c30ae JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     2   0x10b99beed JSC::ThrowScope::~ThrowScope()
microbenchmarks/json-stringify-many-objects-to-json.js.default:     3   0x10b99c0f5 JSC::ThrowScope::~ThrowScope()
microbenchmarks/json-stringify-many-objects-to-json.js.default:     4   0x10b80713c JSC::Stringifier::toJSON(JSC::JSValue, JSC::PropertyNameForFunctionCall const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     5   0x10b8063b9 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     6   0x10b807efa JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     7   0x10b806cd5 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     8   0x10b80608c JSC::Stringifier::stringify(JSC::JSValue)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     9   0x10b80b568 JSC::JSONProtoFuncStringify(JSC::JSGlobalObject*, JSC::CallFrame*)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     10  0x547503e01178
microbenchmarks/json-stringify-many-objects-to-json.js.default:     11  0x10a4faeb3 llint_entry
microbenchmarks/json-stringify-many-objects-to-json.js.default:     12  0x10a4dda93 vmEntryToJavaScript
microbenchmarks/json-stringify-many-objects-to-json.js.default:     13  0x10b2ecf57 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     14  0x10b2ec5ac JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     15  0x10b671edc JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     16  0x109eade4f runWithOptions(GlobalObject*, CommandLine&, bool&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     17  0x109e7f19a jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const
microbenchmarks/json-stringify-many-objects-to-json.js.default:     18  0x109e5997b int runJSC<jscmain(int, char**)::$_6>(CommandLine const&, bool, jscmain(int, char**)::$_6 const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     19  0x109e58408 jscmain(int, char**)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     20  0x109e581de main
microbenchmarks/json-stringify-many-objects-to-json.js.default:     21  0x7fff719c87fd start

https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests/builds/453
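
A simplified C++ model of the rule behind the report above, added here as an illustration; it is not JavaScriptCore source and not the patch attached to this bug. The `VM`, `ThrowScope`, `executeCall` and `toJSON*` names only mirror identifiers from the log, and the bookkeeping is an assumption reduced to a single flag. In this model the missing check is reported even though no exception is thrown.

```cpp
#include <string>
#include <utility>
#include <vector>

// Simplified model of debug-build exception-check validation
// (an assumption for illustration; not JavaScriptCore source).
struct VM {
    bool exceptionPending = false;    // a JS exception is waiting to be handled
    bool needCheck = false;           // a throwing scope exited and nobody has looked yet
    std::string lastThrowScope;       // scope that raised the obligation
    std::vector<std::string> reports; // diagnostics, shaped like the log above
};

class ThrowScope {
public:
    ThrowScope(VM& vm, std::string name) : m_vm(vm), m_name(std::move(name)) { verify(); }
    ~ThrowScope() {
        verify();                     // obligations raised by callees must be discharged by now
        m_vm.needCheck = true;        // leaving a throwing scope obliges the caller to check
        m_vm.lastThrowScope = m_name;
    }
    // Inspecting the exception state is what discharges the obligation.
    bool exception() { m_vm.needCheck = false; return m_vm.exceptionPending; }
private:
    void verify() {
        if (!m_vm.needCheck) return;
        m_vm.reports.push_back("This scope can throw a JS exception: " + m_vm.lastThrowScope +
                               "; but the exception was unchecked as of this scope: " + m_name);
        m_vm.needCheck = false;       // report once, then continue
    }
    VM& m_vm;
    std::string m_name;
};

// Stand-in for invoking a user-defined toJSON method.
void executeCall(VM& vm, bool throws) {
    ThrowScope scope(vm, "executeCall");
    if (throws) vm.exceptionPending = true;
}
// Returns right after the call without inspecting the exception state.
void toJSONUnchecked(VM& vm) { ThrowScope scope(vm, "toJSON"); executeCall(vm, false); }
// Inspects the exception state before returning.
bool toJSONChecked(VM& vm) { ThrowScope scope(vm, "toJSON"); executeCall(vm, false); return !scope.exception(); }

// Runs one variant under a top-level scope and returns the diagnostics produced.
std::vector<std::string> run(bool checked) {
    VM vm;
    { ThrowScope top(vm, "stringify"); if (checked) toJSONChecked(vm); else toJSONUnchecked(vm); top.exception(); }
    return vm.reports;
}
```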
Comment 1 Alexey Shvayka 2020-03-07 10:53:08 PST
Created attachment 392867
Patch
Comment 2 Yusuke Suzuki 2020-03-07 14:09:41 PST
Comment on attachment 392867
Patch

r=me, nice fix!
Comment 3 Ross Kirsling 2020-03-07 14:29:02 PST
Thanks for addressing this so quickly, Alexey!
Comment 4 Alexey Shvayka 2020-03-07 14:46:23 PST
Thank you, folks.
I thought this kind of error would have been caught by regular EWS.
Anyway, I will test future patches with JSC_validateExceptionChecks=true.
Comment 5 WebKit Commit Bot 2020-03-07 14:53:43 PST
Comment on attachment 392867
Patch

Clearing flags on attachment: 392867

Committed r258081: <https://trac.webkit.org/changeset/258081>
Comment 6 WebKit Commit Bot 2020-03-07 14:53:45 PST
All reviewed patches have been landed.  Closing bug.
Comment 7 Radar WebKit Bug Importer 2020-03-07 14:54:15 PST
<rdar://problem/60192817>