[Webkit-unassigned] [Bug 179185] New: REGRESSION(r224309): [WPE] ASSERTION FAILED: !m_needsOverflowCheck fires when starting WPE

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 2 10:50:09 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=179185

            Bug ID: 179185
           Summary: REGRESSION(r224309): [WPE] ASSERTION FAILED:
                    !m_needsOverflowCheck fires when starting WPE
           Product: WebKit
           Version: Other
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com
                CC: mark.lam at apple.com
            Blocks: 178894

Created attachment 325734

  --> https://bugs.webkit.org/attachment.cgi?id=325734&action=review

Full backtrace

r224309 "Add support to throw OOM if MarkedArgumentBuffer may overflow" has caused WPE's MiniBrowser (dyz) to crash on start in debug mode on this assertion:

ASSERTION FAILED: !m_needsOverflowCheck
../../Source/JavaScriptCore/runtime/ArgList.h(55) : JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer()

Truncated backtrace (full backtrace attached):

#0  0x00007f0551670fcf in WTFCrash ()
    at ../../Source/WTF/wtf/Assertions.cpp:270
#1  0x00007f054e68caee in JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer (
    this=0x7ffd9c210038, __in_chrg=<optimized out>)
    at ../../Source/JavaScriptCore/runtime/ArgList.h:55
#2  0x00007f0551226322 in JSC::CachedCall::~CachedCall (this=0x7ffd9c20ffd0, 
    __in_chrg=<optimized out>)
    at ../../Source/JavaScriptCore/interpreter/CachedCall.h:38
#3  0x00007f0551216d63 in JSC::replaceUsingRegExpSearch (vm=..., 
    exec=0x7ffd9c210650, string=0x7f04e9d72060, searchValue=..., callData=..., 
    callType=<incomplete type>, replacementString=..., replaceValue=...)
    at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:674
#4  0x00007f0551217a41 in JSC::replaceUsingRegExpSearch (vm=..., 
    exec=0x7ffd9c210650, string=0x7f04e9d72060, searchValue=..., 
    replaceValue=...)
    at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:818
#5  0x00007f05512185d5 in JSC::stringProtoFuncReplaceUsingRegExp (
    exec=0x7ffd9c210650)
    at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:964
#6  0x00007f04fa7ff028 in ?? ()
#7  0x00007ffd9c2106f0 in ?? ()
#8  0x00007f0550ed7d23 in llint_entry ()
    at ../../Source/JavaScriptCore/runtime/PropertySlot.h:139
Backtrace stopped: frame did not save the PC

For some reason, the assertion only occurs for me with WPE, not GTK. At least for me. That's a bit surprising, though I have somewhat different build environments for both.


Referenced Bugs:

https://bugs.webkit.org/show_bug.cgi?id=178894
[Bug 178894] [WPE] Create the first stable release of WPE
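The contract behind this assertion, as an added example that is not WebKit's code: a simplified stand-in for MarkedArgumentBuffer whose growth path records that an overflow check is owed, beside an owner that lets the buffer die unchecked (the CachedCall frame in the backtrace above) and one that performs the check. The capacity limits and the failure counter are assumptions; in a WebKit debug build the counter is an ASSERT that aborts.

```cpp
#include <cstddef>
#include <vector>
// Stands in for the debug ASSERT(!m_needsOverflowCheck): counted instead of aborting.
int g_assertionFailures = 0;
// Constructed, simplified stand-in for JSC::MarkedArgumentBuffer (not WebKit's
// code). Models the r224309 contract: growing past a hard cap sets an overflow
// flag, and the owner must call hasOverflowed() before the buffer is destroyed.
class ArgBuffer {
public:
    static constexpr std::size_t inlineCapacity = 4; // assumed small limits so the
    static constexpr std::size_t maxCapacity = 16;   // overflow path is easy to reach
    ~ArgBuffer() { if (m_needsOverflowCheck) ++g_assertionFailures; } // the ASSERT
    void append(int v) {
        if (m_values.size() == m_capacity) expandCapacity();
        if (m_overflow) return;   // value dropped; owner must ask hasOverflowed()
        m_values.push_back(v);
    }
    bool hasOverflowed() { m_needsOverflowCheck = false; return m_overflow; } // clears the obligation
    std::size_t size() const { return m_values.size(); }
private:
    void expandCapacity() {
        m_needsOverflowCheck = true;   // growth might fail: a check is now owed
        std::size_t newCapacity = m_capacity * 2;
        if (newCapacity > maxCapacity) { m_overflow = true; return; } // refuse to grow
        m_capacity = newCapacity;
    }
    std::vector<int> m_values;
    std::size_t m_capacity = inlineCapacity;
    bool m_overflow = false;
    bool m_needsOverflowCheck = false;
};
// Owner that never checks, like the CachedCall frame in the backtrace. Returns the
// assertion failures its scope produced: 1 whenever the buffer grew, overflow or not.
int destroyUnchecked(std::size_t n) {
    int before = g_assertionFailures;
    {   // inner scope so the buffer is destroyed before the counter is read
        ArgBuffer args;
        for (std::size_t i = 0; i < n; ++i) args.append(static_cast<int>(i));
    }
    return g_assertionFailures - before;
}
// Owner that honours the contract: -1 signals OOM (JSC would throw an
// OutOfMemoryError here), otherwise the number of arguments collected.
int buildChecked(std::size_t n) {
    ArgBuffer args;
    for (std::size_t i = 0; i < n; ++i) args.append(static_cast<int>(i));
    if (args.hasOverflowed()) return -1;
    return static_cast<int>(args.size());
}
```

Note that the unchecked owner trips the assertion as soon as the buffer grows, even though no overflow happened, which is why an ordinary String.prototype.replace during startup is enough to hit it.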