177293 2017-09-21 01:02:27 -0700 [Win64] Crashes in Yarr JIT compiled code 2017-09-27 12:21:32 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 fujii fujii buildbot commit-queue don.olmstead keith_miller mark.lam msaboff saam webkit-bug-importer ysuzuki oldest_to_newest 1351151 0 fujii 2017-09-21 01:02:27 -0700 [Win64] Crashes in Yarr JIT compiled code WinCairo port, 64bitk, Debug build, trunk@222298, MiniBrowser 1) Start MiniBrowser 2) Load http://google.com/ 3) Crash Callstack: > 000001c500001b61() Unknown > 0000003c51cfc6b0() Unknown > JavaScriptCore.dll!JSC::Yarr::YarrCodeBlock::execute(const unsigned char * input, unsigned int start, unsigned int length, int * output) Line 87 C++ > JavaScriptCore.dll!JSC::RegExp::matchInline<WTF::Vector<int,32,WTF::CrashOnOverflow,16,WTF::FastMalloc> >(JSC::VM & vm, const WTF::String & s, unsigned int startOffset, WTF::Vector<int,32,WTF::CrashOnOverflow,16,WTF::FastMalloc> & ovector) Line 115 C++ > JavaScriptCore.dll!JSC::createRegExpMatchesArray(JSC::VM & vm, JSC::JSGlobalObject * globalObject, JSC::JSString * input, const WTF::String & inputValue, JSC::RegExp * regExp, unsigned int startOffset, JSC::MatchResult & result) Line 66 C++ > JavaScriptCore.dll!JSC::RegExpObject::execInline(JSC::ExecState * exec, JSC::JSGlobalObject * globalObject, JSC::JSString * string) Line 86 C++ > JavaScriptCore.dll!JSC::RegExpObject::exec(JSC::ExecState * exec, JSC::JSGlobalObject * globalObject, JSC::JSString * string) Line 170 C++ > JavaScriptCore.dll!JSC::regExpProtoFuncExec(JSC::ExecState * exec) Line 130 C++ > [External Code] code: > 000002293D8B1A22 xor ecx,ecx > 000002293D8B1A24 cmp r8d,r9d > 000002293D8B1A27 je 000002293D8B1A51 > 000002293D8B1A2D movzx eax,byte ptr [rdx+r8] > 000002293D8B1A32 mov r11,7FFB5E1BAF00h > 000002293D8B1A3C cmp byte ptr [r11+rax],0 > 000002293D8B1A41 jne 000002293D8B1A51 > 000002293D8B1A47 inc r8d > 000002293D8B1A4A inc ecx > 000002293D8B1A4C jmp 000002293D8B1A24 > 000002293D8B1A51 mov qword ptr [rsp+8],rcx > 000002293D8B1A56 mov dword ptr [r10+0Ch],r8d > 000002293D8B1A5A add rsp,40h > 000002293D8B1A5E mov eax,dword ptr [r10] > 000002293D8B1A61 mov dword ptr [r10+4],r8d > 000002293D8B1A65 mov rdx,r8 > 000002293D8B1A68 mov r11,2297D942110h > 000002293D8B1A72 mov byte ptr [r11],0 > 000002293D8B1A76 mov qword ptr [rcx],rax <==rip > 000002293D8B1A79 mov qword ptr [rcx+8],rdx > 000002293D8B1A7D mov rax,rcx > 000002293D8B1A80 pop rbp > 000002293D8B1A81 ret registers: > RAX = 000000000000002E RBX = 0000000000000001 RCX = 0000000000000004 RDX = 000000000000003A > RSI = 0000004559FEC490 RDI = 0000004559FEBF58 R8  = 000000000000003A R9  = 000000000000004E > R10 = 0000004559FEC060 R11 = 000002297D942110 R12 = 00000000003405FA R13 = 000002290223E4A8 > R14 = FFFF000000000000 R15 = FFFF000000000002 > RIP = 000002293D8B1A76 RSP = 0000004559FEBEE0 RBP = 0000004559FEBEE0 EFL = 00010202 This is the code generated by generateReturn(). rcx was 0x4. But, it should be the address where the return values are stored. 1351152 1 fujii 2017-09-21 01:06:53 -0700 I can avoid this annoying crash by setting a env var. > set JSC_useRegExpJIT=0 1351153 2 321415 fujii 2017-09-21 01:45:36 -0700 Created attachment 321415 WIP patch I don't know how to fix correctly. This WIP patch just saves rcx. 1351550 3 321415 ysuzuki 2017-09-21 23:08:22 -0700 Comment on attachment 321415 WIP patch View in context: https://bugs.webkit.org/attachment.cgi?id=321415&action=review Looks good to me. Could you upload the patch with ChangeLog and test? > Source/JavaScriptCore/yarr/YarrJIT.cpp:2855 > + push(X86Registers::ecx); It would be good to add comment here that it is the pointer to the result in x64 Windows. 1351559 4 fujii 2017-09-22 00:39:04 -0700 (In reply to Yusuke Suzuki from comment #3) > Looks good to me. > Could you upload the patch with ChangeLog and test? Thank you for your feedback. I don't think a new test is needed because existing LayoutTests (ex. js/string_replace_regexp.html) can reproduce the crash. I will create a patch. > > Source/JavaScriptCore/yarr/YarrJIT.cpp:2855 > > + push(X86Registers::ecx); > > It would be good to add comment here that it is the pointer to the result in > x64 Windows. Agreed. 1351565 5 321525 fujii 2017-09-22 00:59:01 -0700 Created attachment 321525 Patch 1351571 6 321525 ysuzuki 2017-09-22 01:26:11 -0700 Comment on attachment 321525 Patch r=me 1351572 7 ysuzuki 2017-09-22 01:28:33 -0700 BTW, I'm not sure why MatchResult needs 128 bytes in 64bit environments. Do we really need size_t? I guess we can use `unsigned` pair for this since the length of StringImpl is unsigned. But this is just my guess. Anyway, the above refactoring is separated from this patch. I'm ok to land it. 1351584 8 321525 commit-queue 2017-09-22 02:26:41 -0700 Comment on attachment 321525 Patch Rejecting attachment 321525 from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 321525, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Last 500 characters of output: d/mechanize/_urllib2_fork.py", line 332, in _call_chain result = func(*args) File "/Volumes/Data/EWS/WebKit/Tools/Scripts/webkitpy/thirdparty/autoinstalled/mechanize/_urllib2_fork.py", line 1170, in https_open return self.do_open(conn_factory, req) File "/Volumes/Data/EWS/WebKit/Tools/Scripts/webkitpy/thirdparty/autoinstalled/mechanize/_urllib2_fork.py", line 1118, in do_open raise URLError(err) urllib2.URLError: <urlopen error ('_ssl.c:574: The handshake operation timed out',)> Full output: http://webkit-queues.webkit.org/results/4625938 1351896 9 321525 commit-queue 2017-09-22 17:27:55 -0700 Comment on attachment 321525 Patch Clearing flags on attachment: 321525 Committed r222417: <http://trac.webkit.org/changeset/222417> 1351897 10 commit-queue 2017-09-22 17:27:56 -0700 All reviewed patches have been landed. Closing bug. 1353327 11 webkit-bug-importer 2017-09-27 12:21:32 -0700 <rdar://problem/34693120> 321415 2017-09-21 01:45:36 -0700 2017-09-22 00:58:56 -0700 WIP patch bug177293-save-rcx.patch text/plain 924 fujii ZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS95YXJyL1lhcnJKSVQuY3BwIGIvU291 cmNlL0phdmFTY3JpcHRDb3JlL3lhcnIvWWFyckpJVC5jcHAKaW5kZXggYzBkMTZiMDFmNzUuLjU4 MmRmYjdlMTZlIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUveWFyci9ZYXJySklU LmNwcAorKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUveWFyci9ZYXJySklULmNwcApAQCAtMjg1 Miw2ICsyODUyLDcgQEAgY2xhc3MgWWFyckdlbmVyYXRvciA6IHByaXZhdGUgTWFjcm9Bc3NlbWJs ZXIgewogI2lmIE9TKFdJTkRPV1MpCiAgICAgICAgIGlmIChjb21waWxlTW9kZSA9PSBJbmNsdWRl U3VicGF0dGVybnMpCiAgICAgICAgICAgICBsb2FkUHRyKEFkZHJlc3MoWDg2UmVnaXN0ZXJzOjpl YnAsIDYgKiBzaXplb2Yodm9pZCopKSwgb3V0cHV0KTsKKyAgICAgICAgcHVzaChYODZSZWdpc3Rl cnM6OmVjeCk7CiAjZW5kaWYKICNlbGlmIENQVShYODYpCiAgICAgICAgIHB1c2goWDg2UmVnaXN0 ZXJzOjplYnApOwpAQCAtMjkwMSw2ICsyOTAyLDcgQEAgY2xhc3MgWWFyckdlbmVyYXRvciA6IHBy aXZhdGUgTWFjcm9Bc3NlbWJsZXIgewogI2lmIENQVShYODZfNjQpCiAjaWYgT1MoV0lORE9XUykK ICAgICAgICAgLy8gU3RvcmUgdGhlIHJldHVybiB2YWx1ZSBpbiB0aGUgYWxsb2NhdGVkIHNwYWNl IHBvaW50ZWQgYnkgcmN4LgorICAgICAgICBwb3AoWDg2UmVnaXN0ZXJzOjplY3gpOwogICAgICAg ICBzdG9yZTY0KHJldHVyblJlZ2lzdGVyLCBBZGRyZXNzKFg4NlJlZ2lzdGVyczo6ZWN4KSk7CiAg ICAgICAgIHN0b3JlNjQocmV0dXJuUmVnaXN0ZXIyLCBBZGRyZXNzKFg4NlJlZ2lzdGVyczo6ZWN4 LCBzaXplb2Yodm9pZCopKSk7CiAgICAgICAgIG1vdmUoWDg2UmVnaXN0ZXJzOjplY3gsIHJldHVy blJlZ2lzdGVyKTsK 321525 2017-09-22 00:59:01 -0700 2017-09-22 17:27:55 -0700 Patch bug-177293-20170922165859.patch text/plain 2015 fujii U3VidmVyc2lvbiBSZXZpc2lvbjogMjIyMzc2CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCBh NTcyYzVkZTAzZTI1ZjFlMDBjMmZjMDlhYWViZWZiMTY1ZTk2ZjUzLi4yODQ0NDU4ZDgxYTc4ZTky NzJkYjZiNTNiY2Y3OTg4ZjdlMjUwMGI0IDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxOCBAQAorMjAxNy0wOS0yMiAgRnVqaWkgSGlyb25vcmkgIDxIaXJvbm9yaS5GdWppaUBz b255LmNvbT4KKworICAgICAgICBbV2luNjRdIENyYXNoZXMgaW4gWWFyciBKSVQgY29tcGlsZWQg Y29kZQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTc3 MjkzCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgSW4g eDY0IFdpbmRvd3MsIHJjeCByZWdpc3RlciBpcyB1c2VkIGZvciB0aGUgYWRkcmVzcyBvZiBhbGxv Y2F0ZWQKKyAgICAgICAgc3BhY2UgZm9yIHRoZSByZXR1cm4gdmFsdWUuIEJ1dCwgcmN4IGlzIHVz ZWQgZm9yIHJlZ1QxIHNpbmNlCisgICAgICAgIHIyMjEwNTIuIFNhdmUgcmN4IGluIHRoZSBzdGFj ay4KKworICAgICAgICAqIHlhcnIvWWFyckpJVC5jcHA6CisgICAgICAgIChKU0M6OllhcnI6Ollh cnJHZW5lcmF0b3I6OmdlbmVyYXRlRW50ZXIpOiBQdXNoIGVjeC4KKyAgICAgICAgKEpTQzo6WWFy cjo6WWFyckdlbmVyYXRvcjo6Z2VuZXJhdGVSZXR1cm4pOiBQb3AgZWN4LgorCiAyMDE3LTA5LTIx ICBKb3NlcGggUGVjb3Jhcm8gIDxwZWNvcmFyb0BhcHBsZS5jb20+CiAKICAgICAgICAgV2ViIElu c3BlY3RvcjogUmVtb3ZlIHN1cHBvcnQgZm9yIENTUyBSZWdpb25zCmRpZmYgLS1naXQgYS9Tb3Vy Y2UvSmF2YVNjcmlwdENvcmUveWFyci9ZYXJySklULmNwcCBiL1NvdXJjZS9KYXZhU2NyaXB0Q29y ZS95YXJyL1lhcnJKSVQuY3BwCmluZGV4IGMwZDE2YjAxZjc1MDE2Mjg2NzFjNjk5MmIwNzk4M2I0 MDFlOWQ4ZGYuLjExMDIxZGU0YWUyOGYwYTRiNDIzNTM4NzkzNWRjYmI2MWFjZTg5NDggMTAwNjQ0 Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS95YXJyL1lhcnJKSVQuY3BwCisrKyBiL1NvdXJj ZS9KYXZhU2NyaXB0Q29yZS95YXJyL1lhcnJKSVQuY3BwCkBAIC0yODUyLDYgKzI4NTIsOCBAQCBj bGFzcyBZYXJyR2VuZXJhdG9yIDogcHJpdmF0ZSBNYWNyb0Fzc2VtYmxlciB7CiAjaWYgT1MoV0lO RE9XUykKICAgICAgICAgaWYgKGNvbXBpbGVNb2RlID09IEluY2x1ZGVTdWJwYXR0ZXJucykKICAg ICAgICAgICAgIGxvYWRQdHIoQWRkcmVzcyhYODZSZWdpc3RlcnM6OmVicCwgNiAqIHNpemVvZih2 b2lkKikpLCBvdXRwdXQpOworICAgICAgICAvLyByY3ggaXMgdGhlIHBvaW50ZXIgdG8gdGhlIGFs bG9jYXRlZCBzcGFjZSBmb3IgcmVzdWx0IGluIHg2NCBXaW5kb3dzLgorICAgICAgICBwdXNoKFg4 NlJlZ2lzdGVyczo6ZWN4KTsKICNlbmRpZgogI2VsaWYgQ1BVKFg4NikKICAgICAgICAgcHVzaChY ODZSZWdpc3RlcnM6OmVicCk7CkBAIC0yOTAxLDYgKzI5MDMsNyBAQCBjbGFzcyBZYXJyR2VuZXJh dG9yIDogcHJpdmF0ZSBNYWNyb0Fzc2VtYmxlciB7CiAjaWYgQ1BVKFg4Nl82NCkKICNpZiBPUyhX SU5ET1dTKQogICAgICAgICAvLyBTdG9yZSB0aGUgcmV0dXJuIHZhbHVlIGluIHRoZSBhbGxvY2F0 ZWQgc3BhY2UgcG9pbnRlZCBieSByY3guCisgICAgICAgIHBvcChYODZSZWdpc3RlcnM6OmVjeCk7 CiAgICAgICAgIHN0b3JlNjQocmV0dXJuUmVnaXN0ZXIsIEFkZHJlc3MoWDg2UmVnaXN0ZXJzOjpl Y3gpKTsKICAgICAgICAgc3RvcmU2NChyZXR1cm5SZWdpc3RlcjIsIEFkZHJlc3MoWDg2UmVnaXN0 ZXJzOjplY3gsIHNpemVvZih2b2lkKikpKTsKICAgICAgICAgbW92ZShYODZSZWdpc3RlcnM6OmVj eCwgcmV0dXJuUmVnaXN0ZXIpOwo=