[Webkit-unassigned] [Bug 197485] New: ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 1 17:46:20 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=197485

            Bug ID: 197485
           Summary: ASSERTION FAILED: !m_needExceptionCheck with
                    --validateExceptionChecks=1;
                    ProxyObject.getOwnPropertySlotCommon/JSFunction.caller
                    Getter
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: msaboff at apple.com

When run with a debug version of JSC and the --validateExceptionChecks option set true, the following crashes:

function foo() {}
let a = {...new Proxy(foo, {})}

ERROR: Unchecked JS exception: 
    This scope can throw a JS exception: getOwnPropertySlotCommon @ ./runtime/ProxyObject.cpp:376
        (ExceptionScope::m_recursionDepth was 5)
    But the exception was unchecked as of this scope: callerGetter @ ./runtime/JSFunction.cpp:358 
        (ExceptionScope::m_recursionDepth was 5)

Unchecked exception detected at:
    1   0x10c2b8b8e JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
    2   0x10c2982ca JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
    3   0x10c298313 JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
    4   0x10bf9e806 JSC::JSFunction::callerGetter(JSC::ExecState*, long long, JSC::PropertyName)
    5   0x10c0e53ef JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const
    6   0x10afe1ae1 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const
    7   0x10c01a224 JSC::JSObject::getOwnPropertyDescriptor(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor&)
    8   0x10bfb8bab JSC::globalFuncPropertyIsEnumerable(JSC::ExecState*)
    9   0x55792a20116b
    10  0x10af9ee81 llint_entry    
    11  0x10af9ef12 llint_entry    
    12  0x10af8ba30 vmEntryToJavaScript
    13  0x10bbc82b7 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
    14  0x10bbc7880 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
    15  0x10bedb955 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
    16  0x107f06e16 runWithOptions(GlobalObject*, CommandLine&, bool&)
    17  0x107edc56a jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const
    18  0x107eba2cf int runJSC<jscmain(int, char**)::$_6>(CommandLine const&, bool, jscmain(int, char**)::$_6 const&)
    19  0x107eb8daf jscmain(int, char**)
    20  0x107eb8c1e main
    21  0x7fff57fca0a5 start

ASSERTION FAILED: !m_needExceptionCheck
./runtime/VM.cpp(1203) : void JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation &) 
1   0x10abeacc9 WTFCrash
2   0x10abeda8b WTFCrashWithInfo(int, char const*, char const*, int) 
3   0x10c2b8cb8 JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
4   0x10c2982ca JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
5   0x10c298313 JSC::ThrowScope::ThrowScope(JSC::VM&, JSC::ExceptionEventLocation)
6   0x10bf9e806 JSC::JSFunction::callerGetter(JSC::ExecState*, long long, JSC::PropertyName)
7   0x10c0e53ef JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const
8   0x10afe1ae1 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const
9   0x10c01a224 JSC::JSObject::getOwnPropertyDescriptor(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor&)
10  0x10bfb8bab JSC::globalFuncPropertyIsEnumerable(JSC::ExecState*)
11  0x55792a20116b
12  0x10af9ee81 llint_entry
13  0x10af9ef12 llint_entry
14  0x10af8ba30 vmEntryToJavaScript
15  0x10bbc82b7 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
16  0x10bbc7880 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
17  0x10bedb955 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
18  0x107f06e16 runWithOptions(GlobalObject*, CommandLine&, bool&)
19  0x107edc56a jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const
20  0x107eba2cf int runJSC<jscmain(int, char**)::$_6>(CommandLine const&, bool, jscmain(int, char**)::$_6 const&)
21  0x107eb8daf jscmain(int, char**)
22  0x107eb8c1e main
23  0x7fff57fca0a5 start

Looks like we aren't properly checking for exceptions up the caller tree of

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190502/458364bb/attachment.html>

More information about the webkit-unassigned mailing list