Bug 133009

Summary: Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
Keywords: InRadar
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Patch (flags: oliver: review+)

Description Michael Saboff 2014-05-16 14:20:53 PDT
Crashing in a failed check in the Checked arithmetic class.

$ jsc
>>> ''.match(/(,9111111111{2257483648,}[:lower:])|(ab)/)
1   0x10aa048c0 WTFCrash
2   0x10a241d29 WTF::CrashOnOverflow::overflowed()
3   0x10a9e4771 WTF::Checked<int, WTF::CrashOnOverflow>::Checked<long long>(WTF::Checked<long long, WTF::CrashOnOverflow> const&)
4   0x10a9e436d WTF::Checked<int, WTF::CrashOnOverflow>::Checked<long long>(WTF::Checked<long long, WTF::CrashOnOverflow> const&)
5   0x10a9ee042 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed(unsigned long)
6   0x10a9ed1f2 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generateTerm(unsigned long)
7   0x10a9e73e7 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generate()
8   0x10a9d8c58 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::compile(JSC::VM*, JSC::Yarr::YarrCodeBlock&)
9   0x10a9d8742 JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, JSC::Yarr::YarrCharSize, JSC::VM*, JSC::Yarr::YarrCodeBlock&, JSC::Yarr::YarrJITCompileMode)
10  0x10a9439b1 JSC::RegExp::compileMatchOnly(JSC::VM*, JSC::Yarr::YarrCharSize)
11  0x10a943b4d JSC::RegExp::compileIfNecessaryMatchOnly(JSC::VM&, JSC::Yarr::YarrCharSize)
12  0x10a943bf3 JSC::RegExp::match(JSC::VM&, WTF::String const&, unsigned int)
13  0x10a94d817 JSC::RegExpConstructor::performMatch(JSC::VM&, JSC::RegExp*, JSC::JSString*, WTF::String const&, int)
14  0x10a97a172 JSC::stringProtoFuncMatch(JSC::ExecState*)
15  0x32ff95c01034
16  0x10a810bc7 llint_entry
17  0x10a80a3a4 callToJavaScript
18  0x10a6a64ed JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
19  0x10a68abd8 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
20  0x10a3306a0 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
21  0x10a1ce3b3 runInteractive(GlobalObject*)
22  0x10a1cd3d3 jscmain(int, char**)
23  0x10a1cd181 main
24  0x7fff8afa55fd start
25  0x1
Segmentation fault: 11

Looks like a mix of int and unsigned in a checked integer expression to create an offset for a BaseIndex address. The YARR JIT has an unhealthy mix of int and unsigned values to reference characters offset from its working pointer. This will require some refactoring to get right. A near-term fix is to notice that a regular expression's offsets cannot be represented as a 32-bit integer and relegate them to the interpreter, which can handle unsigned offsets.

<rdar://problem/14326503>
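The near-term fix sketched in the description, as an added C++ model that is not WebKit code: the quantifier count 2257483648 from the crashing pattern pushes a fixed-character offset past the 32-bit range, and testing for that before the narrowing conversion turns the CrashOnOverflow abort into a fall back to the interpreter. The FixedCharTerm struct, the function names and the offsets are assumptions constructed for this illustration, not YARR's internal representation.

```cpp
#include <cstdint>
#include <limits>
#include <vector>

// Constructed model of one fixed-count pattern-character term:
// 'count' copies of a character starting 'baseOffset' characters
// from the current match position.
struct FixedCharTerm {
    int64_t baseOffset;
    int64_t count;
};

// Offset of the last character the JIT would read for this term,
// computed in 64 bits so the arithmetic itself cannot overflow here.
int64_t lastCharacterOffset(const FixedCharTerm& term) {
    return term.baseOffset + term.count - 1;
}

// The check the Checked<int> conversion in the crash trace performs
// implicitly (and aborts on); here it is made explicit and non-fatal.
bool fitsInInt32(int64_t value) {
    return value >= std::numeric_limits<int32_t>::min()
        && value <= std::numeric_limits<int32_t>::max();
}

enum class CompileTarget { JIT, Interpreter };

// Relegate the whole pattern to the interpreter if any term's offset
// cannot be expressed as a 32-bit BaseIndex displacement.
CompileTarget chooseCompileTarget(const std::vector<FixedCharTerm>& terms) {
    for (const FixedCharTerm& term : terms) {
        if (!fitsInInt32(lastCharacterOffset(term)))
            return CompileTarget::Interpreter;
    }
    return CompileTarget::JIT;
}

// Models /(,9111111111{2257483648,}...)|(ab)/: ",911111111" occupies
// offsets 0..9, then the quantified '1' repeats 2257483648 times.
CompileTarget crashingPatternTarget() {
    std::vector<FixedCharTerm> terms = {
        {0, 10},             // ",911111111"
        {10, 2257483648LL},  // "1{2257483648,}" fixed part
        {0, 2},              // "ab" in the second alternative
    };
    return chooseCompileTarget(terms);
}
```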
Comment 1 Michael Saboff 2014-05-16 15:04:35 PDT
Created attachment 231596: Patch
Comment 2 Michael Saboff 2014-05-16 15:10:27 PDT
Committed r168983: <http://trac.webkit.org/changeset/168983>