| Field | Value |
|---|---|
| Summary | ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread() |
| Product | WebKit |
| Component | JavaScriptCore |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Michael Saboff <msaboff> |
| Assignee | Michael Saboff <msaboff> |
| CC | ews-watchlist, keith_miller, mark.lam, saam, webkit-bug-importer |
| Keywords | InRadar |
Description

Michael Saboff, 2019-03-13 22:03:16 PDT

The two crashes are slightly different. The first one happens due to a race condition when we are compiling on a separate thread. The main thread in this recursive test can run out of memory compiling the regular expression. When that happens, the RegExp becomes invalid due to the error. We throw an exception, but we then reset the RegExp as it might compile successfully the next time we try to execute it on a shallower stack. The main thread will see the regular expression as valid when it executes the JIT'ed code and makes calls out to slow path code. Therefore this ASSERT can be eliminated.

The second case happens due to incorrect logic when we go to run the regexp in the Strength Reduction phase. The current check for "do we have code to run the RegExp?" only checks that the RegExp's state is != NotCompiled. We also can't run the RegExp if the state is ParseError. Changing hasCode() to take this into account fixes the second issue.

Created attachment 364634: Patch
Comment on attachment 364634 (Patch). View in context: https://bugs.webkit.org/attachment.cgi?id=364634&action=review

r=me if EWS bots are happy.

> Source/JavaScriptCore/ChangeLog:18
> + The second but is due to incorrect logic when we go to run the regexp in the Strength Reduction phase.

/but/bug/.

Committed r242955: <https://trac.webkit.org/changeset/242955>

Comment on attachment 364634 (Patch). View in context: https://bugs.webkit.org/attachment.cgi?id=364634&action=review

> Source/JavaScriptCore/runtime/RegExp.h:111
> + return m_state == JITCode || m_state == ByteCode;

Do we need any kind of StoreStoreFence on the main thread to synchronize this?
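The second bug described above, modelled as a small added C++ example that is not JavaScriptCore's code: the enum, class and function names (`ModelRegExp`, `hasCodeBuggy`, `hasCodeFixed`, `strengthReductionMayRun`) are assumptions chosen to mirror the description, and the "parser" is a constructed stub that only checks parenthesis balance. It shows why a `!= NotCompiled` check lets the Strength Reduction phase try to run a regexp that is in the ParseError state, while the fixed check does not.

```cpp
// Added example modelling the hasCode() bug from the report above.
// NOT JavaScriptCore's code: names are assumptions, the parser is a stub.
#include <string>

// Compilation states named in the report: a regexp that fails to parse ends
// up in ParseError, which is != NotCompiled yet has no code to execute.
enum class RegExpState { NotCompiled, ParseError, ByteCode, JITCode };

// Stand-in for the parser: unbalanced parentheses count as a syntax error
// (constructed rule, not the real YARR parser).
static bool stubParses(const std::string& pattern) {
    int depth = 0;
    for (char c : pattern) {
        if (c == '(') ++depth;
        else if (c == ')' && --depth < 0) return false;
    }
    return depth == 0;
}

struct ModelRegExp {
    std::string pattern;
    RegExpState m_state = RegExpState::NotCompiled;

    // Pre-fix check from the report: anything other than NotCompiled is
    // treated as runnable, which wrongly includes ParseError.
    bool hasCodeBuggy() const { return m_state != RegExpState::NotCompiled; }

    // Fixed check, matching the line quoted in review: only real code counts.
    bool hasCodeFixed() const {
        return m_state == RegExpState::JITCode || m_state == RegExpState::ByteCode;
    }

    // Compile: a parse error records the failure in the state instead of code.
    void compile() {
        m_state = stubParses(pattern) ? RegExpState::ByteCode : RegExpState::ParseError;
    }
};

// Models the Strength Reduction decision "may we execute this RegExp at
// compile time?" using either the buggy or the fixed hasCode() variant.
bool strengthReductionMayRun(ModelRegExp& re, bool useFixedCheck) {
    re.compile();
    return useFixedCheck ? re.hasCodeFixed() : re.hasCodeBuggy();
}
```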