Bug 196477

Summary: REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, ews-watchlist, keith_miller, mark.lam, sbarati, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Attachments (description, flags):
Patch, none
Updated patch, none

Description Michael Saboff 2019-04-01 19:46:02 PDT
The following crash is seen with layout test js/regexp-unicode.html when using GuardMalloc:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   ???                           	0x000000010b33e7f5 0 + 4482918389
1   com.apple.JavaScriptCore      	0x0000000463c56d71 JSC::RegExpObject::execInline(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*) + 881
2   ???                           	0x000000010b2fb16b 0 + 4482642283
3   com.apple.JavaScriptCore      	0x00000004638ab8e7 llint_entry + 62084
4   com.apple.JavaScriptCore      	0x000000046389c4b9 vmEntryToJavaScript + 200
5   com.apple.JavaScriptCore      	0x00000004635fb3a7 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*) + 2279
6   com.apple.JavaScriptCore      	0x00000004635f741c JSC::eval(JSC::ExecState*) + 764
7   com.apple.JavaScriptCore      	0x0000000463ea2fc6 operationCallEval + 102
8   ???                           	0x000000010b33a236 0 + 4482900534
9   com.apple.JavaScriptCore      	0x00000004638ab8e7 llint_entry + 62084
10  com.apple.JavaScriptCore      	0x000000046389c4b9 vmEntryToJavaScript + 200
11  com.apple.JavaScriptCore      	0x0000000463e0de10 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 11280
...
Comment 1 Michael Saboff 2019-04-01 19:46:16 PDT
<rdar://problem/49482267>
Comment 2 Michael Saboff 2019-04-01 20:38:13 PDT
Created attachment 366467 [details]
Patch
Comment 3 Alexey Proskuryakov 2019-04-01 21:04:08 PDT
Comment on attachment 366467 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=366467&action=review

> Source/JavaScriptCore/yarr/YarrJIT.cpp:1852
> +#if 0 // def JIT_UNICODE_EXPRESSIONS
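Review bot: `#if 0 // def JIT_UNICODE_EXPRESSIONS` at YarrJIT.cpp:1852 unconditionally compiles out the guarded block, and the commented-out `def` reads like a debugging toggle left in place rather than an intended change; restore `#ifdef JIT_UNICODE_EXPRESSIONS` before landing so the unicode JIT path is not silently disabled.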

Is this intentional?
Comment 4 Michael Saboff 2019-04-01 21:43:36 PDT
(In reply to Alexey Proskuryakov from comment #3)
> Comment on attachment 366467 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=366467&action=review
> 
> > Source/JavaScriptCore/yarr/YarrJIT.cpp:1852
> > +#if 0 // def JIT_UNICODE_EXPRESSIONS
> 
> Is this intentional?

No.  It is a holdover from testing.  I'll remove and repost.
Comment 5 Michael Saboff 2019-04-01 21:47:09 PDT
Created attachment 366470 [details]
Updated patch
Comment 6 Keith Miller 2019-04-03 16:22:45 PDT
Comment on attachment 366470 [details]
Updated patch

r=me.
Comment 7 WebKit Commit Bot 2019-04-03 16:51:17 PDT
Comment on attachment 366470 [details]
Updated patch

Clearing flags on attachment: 366470

Committed r243839: <https://trac.webkit.org/changeset/243839>
Comment 8 WebKit Commit Bot 2019-04-03 16:51:19 PDT
All reviewed patches have been landed.  Closing bug.