Bug 208766

Summary: REGRESSION (r258049): Unchecked JS exception in jsc::Stringifier::toJSON
Product: WebKit
Reporter: Ryan Haddad <ryanhaddad>
Component: JavaScriptCore
Assignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED
Severity: Trivial
CC: ashvayka, commit-queue, ews-watchlist, keith_miller, mark.lam, msaboff, ross.kirsling, saam, tzagallo, webkit-bot-watchers-bugzilla, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: All
OS: All
See Also: https://bugs.webkit.org/show_bug.cgi?id=208725
Attachments: Patch (flags: none)

Description Ryan Haddad 2020-03-07 10:16:46 PST
After https://trac.webkit.org/changeset/258049/webkit, the debug JSC bit has 44 test failures due to an unchecked JS exception:

microbenchmarks/json-stringify-many-objects-to-json.js.default: ERROR: Unchecked JS exception:
microbenchmarks/json-stringify-many-objects-to-json.js.default:     This scope can throw a JS exception: executeCall @ ./interpreter/Interpreter.cpp:858
microbenchmarks/json-stringify-many-objects-to-json.js.default:         (ExceptionScope::m_recursionDepth was 10)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     But the exception was unchecked as of this scope: toJSON @ ./runtime/JSONObject.cpp:301
microbenchmarks/json-stringify-many-objects-to-json.js.default:         (ExceptionScope::m_recursionDepth was 9)
microbenchmarks/json-stringify-many-objects-to-json.js.default: 
microbenchmarks/json-stringify-many-objects-to-json.js.default: Unchecked exception detected at:
microbenchmarks/json-stringify-many-objects-to-json.js.default:     1   0x10b9c30ae JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int, JSC::ExceptionEventLocation&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     2   0x10b99beed JSC::ThrowScope::~ThrowScope()
microbenchmarks/json-stringify-many-objects-to-json.js.default:     3   0x10b99c0f5 JSC::ThrowScope::~ThrowScope()
microbenchmarks/json-stringify-many-objects-to-json.js.default:     4   0x10b80713c JSC::Stringifier::toJSON(JSC::JSValue, JSC::PropertyNameForFunctionCall const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     5   0x10b8063b9 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     6   0x10b807efa JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     7   0x10b806cd5 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     8   0x10b80608c JSC::Stringifier::stringify(JSC::JSValue)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     9   0x10b80b568 JSC::JSONProtoFuncStringify(JSC::JSGlobalObject*, JSC::CallFrame*)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     10  0x547503e01178
microbenchmarks/json-stringify-many-objects-to-json.js.default:     11  0x10a4faeb3 llint_entry
microbenchmarks/json-stringify-many-objects-to-json.js.default:     12  0x10a4dda93 vmEntryToJavaScript
microbenchmarks/json-stringify-many-objects-to-json.js.default:     13  0x10b2ecf57 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     14  0x10b2ec5ac JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     15  0x10b671edc JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     16  0x109eade4f runWithOptions(GlobalObject*, CommandLine&, bool&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     17  0x109e7f19a jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const
microbenchmarks/json-stringify-many-objects-to-json.js.default:     18  0x109e5997b int runJSC<jscmain(int, char**)::$_6>(CommandLine const&, bool, jscmain(int, char**)::$_6 const&)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     19  0x109e58408 jscmain(int, char**)
microbenchmarks/json-stringify-many-objects-to-json.js.default:     20  0x109e581de main
microbenchmarks/json-stringify-many-objects-to-json.js.default:     21  0x7fff719c87fd start

https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests/builds/453
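The report above comes from the debug build's exception-check validator (the same machinery Alexey later refers to as JSC_validateExceptionChecks=true). Its rule is structural: a call into a scope that can throw must be followed by an exception check before the calling scope ends, whether or not anything actually threw, which is why a benchmark that never raises an exception still fails. The stand-alone C++ below is an added example, not WebKit code: ToyVM, ThrowScope, executeCall, buggyToJSON, fixedToJSON and run are illustrative names that model the mechanism, and the real JSC idiom (RETURN_IF_EXCEPTION) is only referred to in comments.

```cpp
// Added example (not WebKit code): a toy model of the "Unchecked JS exception"
// validator. A scope that may throw leaves an obligation behind; the caller must
// discharge it with a check before its own scope is destroyed.
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

struct ToyVM {
    std::optional<std::string> exception;   // the one pending JS exception, if any
    int recursionDepth = 0;                 // nesting depth of live scopes
    bool needExceptionCheck = false;        // a throw point exists that nobody checked yet
    std::string throwPoint;                 // scope that created that obligation
    int throwPointDepth = 0;
    std::vector<std::string> violations;    // recorded instead of asserting, so a test can inspect
};

class ThrowScope {
public:
    ThrowScope(ToyVM& vm, const char* function)
        : m_vm(vm), m_function(function), m_depth(++vm.recursionDepth) {}

    ~ThrowScope() {
        // Leaving with no pending exception means we either never threw or the caller
        // checked. An obligation that is still open at this point is the bug.
        if (!m_vm.exception && m_vm.needExceptionCheck) {
            m_vm.violations.push_back("This scope can throw: " + m_vm.throwPoint
                + " (depth " + std::to_string(m_vm.throwPointDepth)
                + "); unchecked as of this scope: " + m_function
                + " (depth " + std::to_string(m_depth) + ")");
        }
        // Whatever happened inside, this scope itself could throw: its caller must check.
        markThrowPoint();
        --m_vm.recursionDepth;
    }

    void throwException(const std::string& message) {
        m_vm.exception = message;
        markThrowPoint();
    }

    // The equivalent of scope.exception() / RETURN_IF_EXCEPTION: discharges the obligation.
    bool exception() {
        m_vm.needExceptionCheck = false;
        return m_vm.exception.has_value();
    }

private:
    void markThrowPoint() {
        m_vm.needExceptionCheck = true;
        m_vm.throwPoint = m_function;
        m_vm.throwPointDepth = m_depth;
    }
    ToyVM& m_vm;
    std::string m_function;
    int m_depth;
};

// Stands in for the callee (executeCall in the log): throws on negative input (constructed rule).
int executeCall(ToyVM& vm, int value) {
    ThrowScope scope(vm, "executeCall");
    if (value < 0) {
        scope.throwException("TypeError: constructed failure for negative input");
        return 0;
    }
    return value * 2;
}

// Before the fix: the result of a call that can throw is used and the scope is never consulted.
int buggyToJSON(ToyVM& vm, int value) {
    ThrowScope scope(vm, "toJSON");
    int r = executeCall(vm, value);
    return r + 1;   // ~ThrowScope runs here and records the open obligation
}

// After the fix: check immediately after the call that can throw, before doing anything else.
int fixedToJSON(ToyVM& vm, int value) {
    ThrowScope scope(vm, "toJSON");
    int r = executeCall(vm, value);
    if (scope.exception())
        return 0;   // RETURN_IF_EXCEPTION(scope, { }) in JSC terms
    return r + 1;
}

struct Outcome { int result; bool threw; size_t violations; };

// Drives one toJSON variant from an outer "stringify" scope that checks as a
// well-behaved caller would, and reports what the validator saw.
Outcome run(int (*toJSON)(ToyVM&, int), int value) {
    ToyVM vm;
    int result;
    {
        ThrowScope top(vm, "stringify");
        result = toJSON(vm, value);
        top.exception();
    }
    return { result, vm.exception.has_value(), vm.violations.size() };
}

int main() {
    ToyVM vm;
    {
        ThrowScope top(vm, "stringify");
        buggyToJSON(vm, 21);   // nothing throws, yet the validator objects
        top.exception();
    }
    for (const auto& v : vm.violations)
        std::printf("ERROR: Unchecked JS exception: %s\n", v.c_str());
    return vm.violations.empty() ? 0 : 1;
}
```

Two things the model makes visible: the violation is reported for buggyToJSON on benign input, exactly as in the benchmark run above, and on input that does throw, the buggy version keeps computing with a garbage result (1) where the fixed version bails out (0). As in the real validator, no complaint is raised while an exception is pending, so a debug run that happens to throw would not have exposed the missing check; the structural rule is what catches it.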
Comment 1 Alexey Shvayka 2020-03-07 10:53:08 PST
Created attachment 392867: Patch
Comment 2 Yusuke Suzuki 2020-03-07 14:09:41 PST
Comment on attachment 392867 (Patch)

r=me, nice fix!
Comment 3 Ross Kirsling 2020-03-07 14:29:02 PST
Thanks for addressing this so quickly, Alexey!
Comment 4 Alexey Shvayka 2020-03-07 14:46:23 PST
Thank you, folks.
I thought this kind of error would have been caught by regular EWS.
Anyway, I will test future patches with JSC_validateExceptionChecks=true.
Comment 5 WebKit Commit Bot 2020-03-07 14:53:43 PST
Comment on attachment 392867 (Patch)

Clearing flags on attachment: 392867

Committed r258081: <https://trac.webkit.org/changeset/258081>
Comment 6 WebKit Commit Bot 2020-03-07 14:53:45 PST
All reviewed patches have been landed. Closing bug.
Comment 7 Radar WebKit Bug Importer 2020-03-07 14:54:15 PST
<rdar://problem/60192817>