| Summary: | REGRESSION (r55772-r55834): Crash in JavaScriptCore RegExp code on PowerPC | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Kevin M. Dean <kevin> | ||||||
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | Critical | CC: | barraclough, delta592, invader, s_harbage | ||||||
| Priority: | P1 | Keywords: | InRadar, Regression | ||||||
| Version: | 528+ (Nightly build) | ||||||||
| Hardware: | Mac (PowerPC) | ||||||||
| OS: | OS X 10.5 | ||||||||
| URL: | http://groups.google.com/group/jquery-en/browse_thread/thread/d1548ce94759c57e | ||||||||
| Attachments: |
|
||||||||
*** Bug 36087 has been marked as a duplicate of this bug. *** *** Bug 36086 has been marked as a duplicate of this bug. *** Nothing obvious in this range, will need to test on PPC to find the exact revision causing the problem. *** Bug 36090 has been marked as a duplicate of this bug. *** *** Bug 36126 has been marked as a duplicate of this bug. *** Created attachment 50848 [details]
The patch
The problem is a bug in our port of PCRE - that a read may take place from the first character in an empty string. For the time being, revert to using a valid pointer in the data segment rather than an invalid non-null pointer into the zero-page for the empty string's data pointer. A better fix for this will be to remove PCRE.
Comment on attachment 50848 [details]
The patch
r=me
Comment on attachment 50848 [details] The patch > +// FIXME: This works around a bug in our port of pcre, that a regular expression run on the empty string > +// may still perform a read from the first element, and as such we need this to be a valid pointer. > +// No code should ever be reading from a zero length string, so this should be able to be a non-null > +// pointer into the zero-page. Replace this with 'reinterpret_cast<UChar*>(static_cast<intptr_t>(1))' > +// once PCRE goes away. We don't format our comments this way. The subsequent lines go under FIXME, not indented. Also, once space after a period. Also, call it PCRE the first time, not pcre. > +static UChar emptyUCharData = 0; This can go inside the function instead out outside at file level. Fixed in r56092. |
Created attachment 50651 [details] Crashlog I've crashed 9 times over the last 2 days on various different sites. The google site listed above is just one of them. They all show the same crash information. (Full log as attachment). Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x00609400 __ZL5matchPKtPKhiR9MatchData + 11856 1 com.apple.JavaScriptCore 0x0060a780 jsRegExpExecute(JSRegExp const*, unsigned short const*, int, int, int*, int) + 1216 2 com.apple.JavaScriptCore 0x00612e88 JSC::RegExp::match(JSC::UString const&, int, WTF::Vector<int, 32ul>*) + 568 3 com.apple.JavaScriptCore 0x006254b8 __ZN3JSCL22stringProtoFuncReplaceEPNS_9ExecStateEPNS_8JSObjectENS_7JSValueERKNS_7ArgListE + 3768 4 com.apple.JavaScriptCore 0x00570770 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*, JSC::JSValue*) + 52624 5 com.apple.JavaScriptCore 0x00576b94 JSC::Interpreter::execute(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue*) + 1140 6 com.apple.JavaScriptCore 0x0059153c JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue, JSC::ArgList const&) + 172 7 com.apple.JavaScriptCore 0x0050f71c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 156 8 com.apple.WebCore 0x0179b560 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1968 9 com.apple.WebCore 0x01525390 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 512 10 com.apple.WebCore 0x014e7008 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 440 11 com.apple.WebCore 0x014e7e2c WebCore::DOMWindow::dispatchLoadEvent() + 300 12 com.apple.WebCore 0x01452fdc WebCore::Document::implicitClose() + 716 13 com.apple.WebCore 0x015578e4 WebCore::FrameLoader::checkCompleted() + 180 14 com.apple.WebCore 0x01557ac4 WebCore::FrameLoader::completed() + 148 15 com.apple.WebCore 0x015578f8 WebCore::FrameLoader::checkCompleted() + 200 16 com.apple.WebCore 0x01b25968 WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) + 408 17 com.apple.WebCore 0x01d26f9c WebCore::SubresourceLoader::didFinishLoading() + 76 18 com.apple.Foundation 0x92372814 _NSURLConnectionDidFinishLoading + 120 19 com.apple.CFNetwork 0x93d0fd8c URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 236 20 com.apple.CFNetwork 0x93d10a08 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 172 21 com.apple.CFNetwork 0x93d10cd8 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 892 22 com.apple.CFNetwork 0x93d0f500 URLConnectionClient::processEvents() + 132 23 com.apple.CFNetwork 0x93cb9020 MultiplexerSource::perform() + 168 24 com.apple.CoreFoundation 0x953270d0 CFRunLoopRunSpecific + 1104 25 com.apple.HIToolbox 0x90d99b14 RunCurrentEventLoopInMode + 264 26 com.apple.HIToolbox 0x90d99938 ReceiveNextEventCommon + 412 27 com.apple.HIToolbox 0x90d99778 BlockUntilNextEventMatchingListInMode + 84 28 com.apple.AppKit 0x9277d244 _DPSNextEvent + 596 29 com.apple.AppKit 0x9277cbfc -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 112 30 com.apple.Safari 0x0000dbf4 0x1000 + 52212 31 com.apple.AppKit 0x9277689c -[NSApplication run] + 744 32 com.apple.AppKit 0x92747298 NSApplicationMain + 440 33 com.apple.Safari 0x0000302c 0x1000 + 8236