133009 2014-05-16 14:20:53 -0700 Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9 2014-05-16 15:10:27 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 msaboff msaboff oldest_to_newest 1009845 0 msaboff 2014-05-16 14:20:53 -0700 Crashing in failed check in the Checked arithmetic class. $ jsc >>> ''.match(/(,9111111111{2257483648,}[:lower:])|(ab)/) 1 0x10aa048c0 WTFCrash 2 0x10a241d29 WTF::CrashOnOverflow::overflowed() 3 0x10a9e4771 WTF::Checked<int, WTF::CrashOnOverflow>::Checked<long long>(WTF::Checked<long long, WTF::CrashOnOverflow> const&) 4 0x10a9e436d WTF::Checked<int, WTF::CrashOnOverflow>::Checked<long long>(WTF::Checked<long long, WTF::CrashOnOverflow> const&) 5 0x10a9ee042 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed(unsigned long) 6 0x10a9ed1f2 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generateTerm(unsigned long) 7 0x10a9e73e7 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generate() 8 0x10a9d8c58 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::compile(JSC::VM*, JSC::Yarr::YarrCodeBlock&) 9 0x10a9d8742 JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, JSC::Yarr::YarrCharSize, JSC::VM*, JSC::Yarr::YarrCodeBlock&, JSC::Yarr::YarrJITCompileMode) 10 0x10a9439b1 JSC::RegExp::compileMatchOnly(JSC::VM*, JSC::Yarr::YarrCharSize) 11 0x10a943b4d JSC::RegExp::compileIfNecessaryMatchOnly(JSC::VM&, JSC::Yarr::YarrCharSize) 12 0x10a943bf3 JSC::RegExp::match(JSC::VM&, WTF::String const&, unsigned int) 13 0x10a94d817 JSC::RegExpConstructor::performMatch(JSC::VM&, JSC::RegExp*, JSC::JSString*, WTF::String const&, int) 14 0x10a97a172 JSC::stringProtoFuncMatch(JSC::ExecState*) 15 0x32ff95c01034 16 0x10a810bc7 llint_entry 17 0x10a80a3a4 callToJavaScript 18 0x10a6a64ed JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 19 0x10a68abd8 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) 20 0x10a3306a0 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) 21 0x10a1ce3b3 runInteractive(GlobalObject*) 22 0x10a1cd3d3 jscmain(int, char**) 23 0x10a1cd181 main 24 0x7fff8afa55fd start 25 0x1 Segmentation fault: 11 Looks like a mix of int and unsigned in a checked integer expression to create an offset for an BaseIndex address. The YARR JIT has an unhealthy mix of int and unsigned values to reference characters offset from its working pointer. This will require some refactoring to get right. A near term fix is to notice that a regular expression's offsets cannot be represented as a 32 bit integer and relegate them to the interpreter which can handle unsigned offsets. <rdar://problem/14326503> 1009867 1 231596 msaboff 2014-05-16 15:04:35 -0700 Created attachment 231596 Patch 1009869 2 msaboff 2014-05-16 15:10:27 -0700 Committed r168983: <http://trac.webkit.org/changeset/168983> 231596 2014-05-16 15:04:35 -0700 2014-05-16 15:07:54 -0700 Patch 133009.patch text/plain 5461 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTY4OTgxKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDMyIEBA CisyMDE0LTA1LTE2ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIENyYXNoIGluIEpTQzo6WWFycjo6WWFyckdlbmVyYXRvcjwoSlNDOjpZYXJyOjpZYXJySklU Q29tcGlsZU1vZGUpMD46OmdlbmVyYXRlUGF0dGVybkNoYXJhY3RlckZpeGVkKCkgZHVlIHRvIFdU Rjo6Q3Jhc2hPbk92ZXJmbG93OjpvdmVyZmxvd2VkICsgOQorICAgICAgICBodHRwczovL2J1Z3Mu d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTMzMDA5CisKKyAgICAgICAgUmV2aWV3ZWQgYnkg Tk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgSWYgd2UgZGV0ZXJtaW5lIHRoYXQgYW55IGFsdGVy bmF0aXZlIHJlcXVpcmVzIGEgbWludW11bSBtYXRjaCBzaXplIGdyZWF0ZXIgdGhhbgorICAgICAg ICBJTlRfTUFYLCB3ZSBoYW5kbGUgdGhlIG1hdGNoIGluIHRoZSBpbnRlcnByZXRlci4KKworICAg ICAgICBDaGVjayB0byBzZWUgaWYgdGhlIHBhdHRlcm4gaGFzIHVuc2lnbmVkIGxlbmd0aHMgYmVm b3JlIGludm9raW5nIFlBUlIgSklULgorICAgICAgICAqIHJ1bnRpbWUvUmVnRXhwLmNwcDoKKyAg ICAgICAgKEpTQzo6UmVnRXhwOjpjb21waWxlKToKKyAgICAgICAgKEpTQzo6UmVnRXhwOjpjb21w aWxlTWF0Y2hPbmx5KToKKworICAgICAgICAqIHRlc3RzL3N0cmVzcy9sYXJnZS1yZWdleHAuanM6 IE5ldyB0ZXN0IGFkZGVkLgorCisgICAgICAgIFNldCBtX2NvbnRhaW5zVW5zaWduZWRMZW5ndGhQ YXR0ZXJuIGZsYWcgaWYgYW55IGFsdGVybmF0aXZlJ3MgbWluaW11bSBsZW5ndGgKKyAgICAgICAg ZG9lc24ndCBmaXQgaW4gYW4gaW50LgorICAgICAgICAqIHlhcnIvWWFyclBhdHRlcm4uY3BwOgor ICAgICAgICAoSlNDOjpZYXJyOjpZYXJyUGF0dGVybkNvbnN0cnVjdG9yOjpzZXR1cERpc2p1bmN0 aW9uT2Zmc2V0cyk6CisKKyAgICAgICAgQ2xlYXIgbmV3IG1fY29udGFpbnNVbnNpZ25lZExlbmd0 aFBhdHRlcm4gZmxhZy4KKyAgICAgICAgKiB5YXJyL1lhcnJQYXR0ZXJuLmNwcDoKKyAgICAgICAg KEpTQzo6WWFycjo6WWFyclBhdHRlcm46OllhcnJQYXR0ZXJuKToKKyAgICAgICAgKiB5YXJyL1lh cnJQYXR0ZXJuLmg6CisgICAgICAgIChKU0M6OllhcnI6OllhcnJQYXR0ZXJuOjpyZXNldCk6Cisg ICAgICAgIChKU0M6OllhcnI6OllhcnJQYXR0ZXJuOjpjb250YWluc1Vuc2lnbmVkTGVuZ3RoUGF0 dGVybik6CisKIDIwMTQtMDUtMTUgIE1hcmsgSGFobmVuYmVyZyAgPG1oYWhuZW5iZXJnQGFwcGxl LmNvbT4KIAogICAgICAgICBKU0RPTVdpbmRvdyBzaG91bGQgbm90IGNsYWltIEhhc0ltcHVyZUdl dE93blByb3BlcnR5U2xvdApJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvUmVn RXhwLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9SZWdF eHAuY3BwCShyZXZpc2lvbiAxNjg5NzUpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGlt ZS9SZWdFeHAuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0yODUsNyArMjg1LDcgQEAgdm9pZCBSZWdF eHA6OmNvbXBpbGUoVk0qIHZtLCBZYXJyOjpZYXJyQwogICAgIH0KIAogI2lmIEVOQUJMRShZQVJS X0pJVCkKLSAgICBpZiAoIXBhdHRlcm4ubV9jb250YWluc0JhY2tyZWZlcmVuY2VzICYmIHZtLT5j YW5Vc2VSZWdFeHBKSVQoKSkgeworICAgIGlmICghcGF0dGVybi5tX2NvbnRhaW5zQmFja3JlZmVy ZW5jZXMgJiYgIXBhdHRlcm4uY29udGFpbnNVbnNpZ25lZExlbmd0aFBhdHRlcm4oKSAmJiB2bS0+ Y2FuVXNlUmVnRXhwSklUKCkpIHsKICAgICAgICAgWWFycjo6aml0Q29tcGlsZShwYXR0ZXJuLCBj aGFyU2l6ZSwgdm0sIG1fcmVnRXhwSklUQ29kZSk7CiAjaWYgRU5BQkxFKFlBUlJfSklUX0RFQlVH KQogICAgICAgICBpZiAoIW1fcmVnRXhwSklUQ29kZS5pc0ZhbGxCYWNrKCkpCkBAIC00MDgsNyAr NDA4LDcgQEAgdm9pZCBSZWdFeHA6OmNvbXBpbGVNYXRjaE9ubHkoVk0qIHZtLCBZYQogICAgIH0K IAogI2lmIEVOQUJMRShZQVJSX0pJVCkKLSAgICBpZiAoIXBhdHRlcm4ubV9jb250YWluc0JhY2ty ZWZlcmVuY2VzICYmIHZtLT5jYW5Vc2VSZWdFeHBKSVQoKSkgeworICAgIGlmICghcGF0dGVybi5t X2NvbnRhaW5zQmFja3JlZmVyZW5jZXMgJiYgIXBhdHRlcm4uY29udGFpbnNVbnNpZ25lZExlbmd0 aFBhdHRlcm4oKSAmJiB2bS0+Y2FuVXNlUmVnRXhwSklUKCkpIHsKICAgICAgICAgWWFycjo6aml0 Q29tcGlsZShwYXR0ZXJuLCBjaGFyU2l6ZSwgdm0sIG1fcmVnRXhwSklUQ29kZSwgWWFycjo6TWF0 Y2hPbmx5KTsKICNpZiBFTkFCTEUoWUFSUl9KSVRfREVCVUcpCiAgICAgICAgIGlmICghbV9yZWdF eHBKSVRDb2RlLmlzRmFsbEJhY2soKSkKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS90ZXN0 cy9zdHJlc3MvbGFyZ2UtcmVnZXhwLmpzCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0 Q29yZS90ZXN0cy9zdHJlc3MvbGFyZ2UtcmVnZXhwLmpzCShyZXZpc2lvbiAwKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL3Rlc3RzL3N0cmVzcy9sYXJnZS1yZWdleHAuanMJKHdvcmtpbmcgY29w eSkKQEAgLTAsMCArMSwxMSBAQAoraWYgKCcnLm1hdGNoKC8oLDkxMTExMTExMTF7MjI1NzQ4MzY0 OCx9Wzpsb3dlcjpdKXwoYWIpLykpCisgICAgdGhyb3cgbmV3IEVycm9yKCJJbmNvcnJlY3QgcmVz dWx0LCBzaG91bGQgbm90IGhhdmUgbWF0Y2hlZCIpCisKK2lmICgnJy5tYXRjaCgvKDF7MSwyMTQ3 NDgzNjQ4fSl8KGFiKS8pKQorICAgIHRocm93IG5ldyBFcnJvcigiSW5jb3JyZWN0IHJlc3VsdCwg c2hvdWxkIG5vdCBoYXZlIG1hdGNoZWQiKQorCitpZiAoJycubWF0Y2goLygxezIxNDc0ODAwMDAs fTJ7MzY0OCx9KXwoYWIpLykpCisgICAgdGhyb3cgbmV3IEVycm9yKCJJbmNvcnJlY3QgcmVzdWx0 LCBzaG91bGQgbm90IGhhdmUgbWF0Y2hlZCIpCisKK2lmICghJzEyMzQnLm1hdGNoKC8xezEsMjE0 NzQ4MzY0NX0yezEsMjE0NzQ4MzY0NX0zezEsMjE0NzQ4MzY0NX00ezEsMjE0NzQ4MzY0NX0vKSkK KyAgICB0aHJvdyBuZXcgRXJyb3IoIkluY29ycmVjdCByZXN1bHQsIHNob3VsZCBoYXZlIG1hdGNo ZWQiKQpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL3lhcnIvWWFyclBhdHRlcm4uY3BwCj09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS95YXJyL1lhcnJQYXR0ZXJuLmNwcAko cmV2aXNpb24gMTY4OTc1KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL3lhcnIvWWFyclBhdHRl cm4uY3BwCSh3b3JraW5nIGNvcHkpCkBAIC02NjYsNiArNjY2LDggQEAgcHVibGljOgogICAgICAg ICAgICAgbWluaW11bUlucHV0U2l6ZSA9IHN0ZDo6bWluKG1pbmltdW1JbnB1dFNpemUsIGFsdGVy bmF0aXZlLT5tX21pbmltdW1TaXplKTsKICAgICAgICAgICAgIG1heGltdW1DYWxsRnJhbWVTaXpl ID0gc3RkOjptYXgobWF4aW11bUNhbGxGcmFtZVNpemUsIGN1cnJlbnRBbHRlcm5hdGl2ZUNhbGxG cmFtZVNpemUpOwogICAgICAgICAgICAgaGFzRml4ZWRTaXplICY9IGFsdGVybmF0aXZlLT5tX2hh c0ZpeGVkU2l6ZTsKKyAgICAgICAgICAgIGlmIChhbHRlcm5hdGl2ZS0+bV9taW5pbXVtU2l6ZSA+ IElOVF9NQVgpCisgICAgICAgICAgICAgICAgbV9wYXR0ZXJuLm1fY29udGFpbnNVbnNpZ25lZExl bmd0aFBhdHRlcm4gPSB0cnVlOwogICAgICAgICB9CiAgICAgICAgIAogICAgICAgICBBU1NFUlQo bWluaW11bUlucHV0U2l6ZSAhPSBVSU5UX01BWCk7CkBAIC04NjQsNiArODY2LDcgQEAgWWFyclBh dHRlcm46OllhcnJQYXR0ZXJuKGNvbnN0IFN0cmluZyYgcAogICAgICwgbV9tdWx0aWxpbmUobXVs dGlsaW5lKQogICAgICwgbV9jb250YWluc0JhY2tyZWZlcmVuY2VzKGZhbHNlKQogICAgICwgbV9j b250YWluc0JPTChmYWxzZSkKKyAgICAsIG1fY29udGFpbnNVbnNpZ25lZExlbmd0aFBhdHRlcm4o ZmFsc2UpCiAgICAgLCBtX251bVN1YnBhdHRlcm5zKDApCiAgICAgLCBtX21heEJhY2tSZWZlcmVu Y2UoMCkKICAgICAsIG5ld2xpbmVDYWNoZWQoMCkKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29y ZS95YXJyL1lhcnJQYXR0ZXJuLmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3Jl L3lhcnIvWWFyclBhdHRlcm4uaAkocmV2aXNpb24gMTY4OTc1KQorKysgU291cmNlL0phdmFTY3Jp cHRDb3JlL3lhcnIvWWFyclBhdHRlcm4uaAkod29ya2luZyBjb3B5KQpAQCAtMzEyLDYgKzMxMiw3 IEBAIHN0cnVjdCBZYXJyUGF0dGVybiB7CiAKICAgICAgICAgbV9jb250YWluc0JhY2tyZWZlcmVu Y2VzID0gZmFsc2U7CiAgICAgICAgIG1fY29udGFpbnNCT0wgPSBmYWxzZTsKKyAgICAgICAgbV9j b250YWluc1Vuc2lnbmVkTGVuZ3RoUGF0dGVybiA9IGZhbHNlOwogCiAgICAgICAgIG5ld2xpbmVD YWNoZWQgPSAwOwogICAgICAgICBkaWdpdHNDYWNoZWQgPSAwOwpAQCAtMzMwLDYgKzMzMSwxMSBA QCBzdHJ1Y3QgWWFyclBhdHRlcm4gewogICAgICAgICByZXR1cm4gbV9tYXhCYWNrUmVmZXJlbmNl ID4gbV9udW1TdWJwYXR0ZXJuczsKICAgICB9CiAKKyAgICBib29sIGNvbnRhaW5zVW5zaWduZWRM ZW5ndGhQYXR0ZXJuKCkKKyAgICB7CisgICAgICAgIHJldHVybiBtX2NvbnRhaW5zVW5zaWduZWRM ZW5ndGhQYXR0ZXJuOworICAgIH0KKwogICAgIENoYXJhY3RlckNsYXNzKiBuZXdsaW5lQ2hhcmFj dGVyQ2xhc3MoKQogICAgIHsKICAgICAgICAgaWYgKCFuZXdsaW5lQ2FjaGVkKQpAQCAtMzc3LDYg KzM4Myw3IEBAIHN0cnVjdCBZYXJyUGF0dGVybiB7CiAgICAgYm9vbCBtX211bHRpbGluZSA6IDE7 CiAgICAgYm9vbCBtX2NvbnRhaW5zQmFja3JlZmVyZW5jZXMgOiAxOwogICAgIGJvb2wgbV9jb250 YWluc0JPTCA6IDE7CisgICAgYm9vbCBtX2NvbnRhaW5zVW5zaWduZWRMZW5ndGhQYXR0ZXJuIDog MTsgCiAgICAgdW5zaWduZWQgbV9udW1TdWJwYXR0ZXJuczsKICAgICB1bnNpZ25lZCBtX21heEJh Y2tSZWZlcmVuY2U7CiAgICAgUGF0dGVybkRpc2p1bmN0aW9uKiBtX2JvZHk7Cg==