Assertion failed in JSC::createError
author tzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 29 Mar 2019 21:53:54 +0000 (21:53 +0000)
committer tzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 29 Mar 2019 21:53:54 +0000 (21:53 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196305
<rdar://problem/49387382>

Reviewed by Saam Barati.

JSTests:

* stress/create-error-out-of-memory-rope-string-2.js: Added.
(assert):
(catch):

Source/JavaScriptCore:

JSC::createError assumes that `errorDescriptionForValue` will either
throw an exception or return a valid description string. However, that
is not true if the value is a rope string and we successfully resolve it,
but later fail to wrap the string in quotes with `tryMakeString`.

* runtime/ExceptionHelpers.cpp:
(JSC::createError):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243665 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/create-error-out-of-memory-rope-string-2.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ExceptionHelpers.cpp

index 40bbbdb..4d87a46 100644 (file)
@@ -1,3 +1,15 @@
+2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
+
+        Assertion failed in JSC::createError
+        https://bugs.webkit.org/show_bug.cgi?id=196305
+        <rdar://problem/49387382>
+
+        Reviewed by Saam Barati.
+
+        * stress/create-error-out-of-memory-rope-string-2.js: Added.
+        (assert):
+        (catch):
+
 2019-03-28  Saam Barati  <sbarati@apple.com>
 
         BackwardsGraph needs to consider back edges as the backward's root successor
diff --git a/JSTests/stress/create-error-out-of-memory-rope-string-2.js b/JSTests/stress/create-error-out-of-memory-rope-string-2.js
new file mode 100644 (file)
index 0000000..45af68d
--- /dev/null
@@ -0,0 +1,12 @@
+function assert(a, message) {
+    if (!a)
+        throw new Error(message);
+}
+
+try {
+    const var_1 = 'a'.padStart(2147483648 - 1);
+    new var_1();
+    assert(false, `Should throw OOM error`);
+} catch (error) {
+    assert(error.message == "Out of memory", "Expected OutOfMemoryError, but got: " + error);
+}
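Review bot: the `try` block covers both `'a'.padStart(2147483648 - 1)` and `new var_1()`, so an "Out of memory" error raised while building the string would satisfy the `catch` assertion without `createError` ever being reached. Consider creating the string outside the `try`, or otherwise confirming it exists before the `new`, so that only `new var_1()` is under test. The comparison `error.message == "Out of memory"` should use `===`, and `var_1` would read better with a name that says why the length matters.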
index fae7022..465306d 100644 (file)
@@ -1,3 +1,19 @@
+2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
+
+        Assertion failed in JSC::createError
+        https://bugs.webkit.org/show_bug.cgi?id=196305
+        <rdar://problem/49387382>
+
+        Reviewed by Saam Barati.
+
+        JSC::createError assumes that `errorDescriptionForValue` will either
+        throw an exception or return a valid description string. However, that
+        is not true if the value is a rope string and we successfully resolve it,
+        but later fail to wrap the string in quotes with `tryMakeString`.
+
+        * runtime/ExceptionHelpers.cpp:
+        (JSC::createError):
+
 2019-03-29  Devin Rousso  <drousso@apple.com>
 
         Web Inspector: add fast returns for instrumentation hooks that have no affect before a frontend is connected
index 156c180..6486c06 100644 (file)
@@ -275,8 +275,7 @@ JSObject* createError(ExecState* exec, JSValue value, const String& message, Err
     auto scope = DECLARE_CATCH_SCOPE(vm);
 
     String valueDescription = errorDescriptionForValue(exec, value);
-    ASSERT(scope.exception() || !!valueDescription);
-    if (!valueDescription) {
+    if (scope.exception() || !valueDescription) {
         scope.clearException();
         return createOutOfMemoryError(exec);
     }
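Review bot: in `createError`, `if (scope.exception() || !valueDescription)` now maps every pending exception from `errorDescriptionForValue` to `createOutOfMemoryError`, and `scope.clearException()` discards the original. If that function can only fail with out-of-memory, state that in a comment at this check; otherwise a different exception is silently replaced by an OOM error. With the `ASSERT` removed, a short comment noting that a null `valueDescription` with no exception is the expected outcome of a failed `tryMakeString` would keep the invariant documented in the code and not only in the ChangeLog.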