130448 2014-03-19 03:00:16 -0700 Crash in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked 2016-08-03 14:05:53 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED WORKSFORME P2 Normal --- 116980 1 rhodovan.u-szeged msaboff barraclough bfulgham msaboff oliver pvarga sam oldest_to_newest 992061 0 227170 rhodovan.u-szeged 2014-03-19 03:00:16 -0700 Created attachment 227170 Test case The crashing test: var open = '(?:'; var close = ')'; var pattern = ''; for (var i=0; i<100000; i++) { pattern += open; } for (i=0; i<100000; i++) { pattern += close; } var re = new RegExp(pattern); The backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7398254 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked<unsigned int> (this=0x7fffff7ff040, value=0) at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/CheckedArithmetic.h:435 435 { (gdb) bt #0 0x00007ffff7398254 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked<unsigned int> (this=0x7fffff7ff040, value=0) at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/CheckedArithmetic.h:435 #1 0x00007ffff73bda66 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312bbc0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:571 #2 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b880, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665 #3 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312b7c0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619 #4 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b480, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665 #5 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312b3c0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619 #6 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b080, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665 #7 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312afc0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619 ... the lines 619 and 665 in YarrPattern.cpp many-many times (23Mb) ... #87269 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x68f630, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619 #87270 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x68d820, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665 #87271 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x685bf0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619 #87272 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x688cc0, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665 #87273 0x00007ffff73bdf99 in JSC::Yarr::YarrPatternConstructor::setupOffsets (this=0x7fffffffc770) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:682 #87274 0x00007ffff73ba995 in JSC::Yarr::YarrPattern::compile (this=0x7fffffffc830, patternString=...) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:857 #87275 0x00007ffff73baaba in JSC::Yarr::YarrPattern::YarrPattern (this=0x7fffffffc830, pattern=..., ignoreCase=false, multiline=false, error=0x7ffff7f85110) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:877 #87276 0x00007ffff7355805 in JSC::RegExp::finishCreation (this=0x7ffff7f850f0, vm=...) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:239 #87277 0x00007ffff73558d8 in JSC::RegExp::createWithoutCaching (vm=..., patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:258 #87278 0x00007ffff7356f1c in JSC::RegExpCache::lookupOrCreate (this=0x665ea0, patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpCache.cpp:44 #87279 0x00007ffff7355915 in JSC::RegExp::create (vm=..., patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:264 #87280 0x00007ffff735af32 in JSC::constructRegExp (exec=0x7fffffffcc60, globalObject=0x7ffff7f2f970, args=..., callAsConstructor=true) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpConstructor.cpp:279 #87281 0x00007ffff735b051 in JSC::constructWithRegExpConstructor (exec=0x7fffffffcc60) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpConstructor.cpp:288 #87282 0x00007ffff719e9c7 in JSC::handleHostCall (execCallee=0x7fffffffcc60, callee=..., kind=JSC::CodeForConstruct) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:664 #87283 0x00007ffff71a5069 in JSC::linkFor (execCallee=0x7fffffffcc60, kind=JSC::CodeForConstruct, registers=JSC::RegisterPreservationNotRequired) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:686 #87284 0x00007ffff719eb49 in JSC::operationLinkConstruct (execCallee=0x7fffffffcc60) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:728 #87285 0x00007fffaa367973 in ?? () #87286 0x00007fffffffccc0 in ?? () #87287 0x00007fffaa368ac5 in ?? () #87288 0x0000000000000000 in ?? () 992128 1 oliver 2014-03-19 09:33:57 -0700 To which i say wut? 992130 2 oliver 2014-03-19 09:35:59 -0700 Sending to Michael as i'm working on another bug right now, and i know he's looking at regexp code right now. I have not looked at the code at all, but we should work out what is causing us to nuke construction. My assumption is that we must be passing a killed value into the construct? 1217169 3 bfulgham 2016-08-03 14:05:53 -0700 This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case. 227170 2014-03-19 03:00:16 -0700 2014-03-19 03:00:16 -0700 Test case lastCrash.js application/javascript 195 rhodovan.u-szeged CnZhciBvcGVuID0gJyg/Oic7CnZhciBjbG9zZSA9ICcpJzsKdmFyIHBhdHRlcm4gPSAnJzsKICAK Zm9yICh2YXIgaT0wOyBpPDEwMDAwMDsgaSsrKSB7CiAgCXBhdHRlcm4gKz0gb3BlbjsKfQogIApm b3IgKGk9MDsgaTwxMDAwMDA7IGkrKykgewogCXBhdHRlcm4gKz0gY2xvc2U7Cn0KICAKdmFyIHJl ID0gbmV3IFJlZ0V4cChwYXR0ZXJuKTsK