Bug 130448 - Crash in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
Blocks: 116980
Reported: 2014-03-19 03:00 PDT by Renata Hodovan
Modified: 2016-08-03 14:05 PDT

Attachments
Test case (195 bytes, application/javascript)
2014-03-19 03:00 PDT, Renata Hodovan

Description Renata Hodovan 2014-03-19 03:00:16 PDT
Created attachment 227170
Test case

The crashing test:

var open = '(?:';
var close = ')';
var pattern = '';

for (var i = 0; i < 100000; i++) {
  pattern += open;
}

for (i = 0; i < 100000; i++) {
  pattern += close;
}

var re = new RegExp(pattern);


The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7398254 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked<unsigned int> (this=0x7fffff7ff040, value=0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/CheckedArithmetic.h:435
435	    {
(gdb) bt
#0  0x00007ffff7398254 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked<unsigned int> (this=0x7fffff7ff040, value=0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/CheckedArithmetic.h:435
#1  0x00007ffff73bda66 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312bbc0, 
    currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:571
#2  0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b880, 
    initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#3  0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312b7c0, 
    currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#4  0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b480, 
    initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#5  0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312b3c0, 
    currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#6  0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b080, 
    initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#7  0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312afc0, 
    currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619

... frames at lines 619 and 665 of YarrPattern.cpp repeat many, many times (23 MB of backtrace) ...

#87269 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x68f630, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#87270 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x68d820, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#87271 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x685bf0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#87272 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x688cc0, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#87273 0x00007ffff73bdf99 in JSC::Yarr::YarrPatternConstructor::setupOffsets (this=0x7fffffffc770) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:682
#87274 0x00007ffff73ba995 in JSC::Yarr::YarrPattern::compile (this=0x7fffffffc830, patternString=...) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:857
#87275 0x00007ffff73baaba in JSC::Yarr::YarrPattern::YarrPattern (this=0x7fffffffc830, pattern=..., ignoreCase=false, multiline=false, error=0x7ffff7f85110) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:877
#87276 0x00007ffff7355805 in JSC::RegExp::finishCreation (this=0x7ffff7f850f0, vm=...) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:239
#87277 0x00007ffff73558d8 in JSC::RegExp::createWithoutCaching (vm=..., patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:258
#87278 0x00007ffff7356f1c in JSC::RegExpCache::lookupOrCreate (this=0x665ea0, patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpCache.cpp:44
#87279 0x00007ffff7355915 in JSC::RegExp::create (vm=..., patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:264
#87280 0x00007ffff735af32 in JSC::constructRegExp (exec=0x7fffffffcc60, globalObject=0x7ffff7f2f970, args=..., callAsConstructor=true) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpConstructor.cpp:279
#87281 0x00007ffff735b051 in JSC::constructWithRegExpConstructor (exec=0x7fffffffcc60) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpConstructor.cpp:288
#87282 0x00007ffff719e9c7 in JSC::handleHostCall (execCallee=0x7fffffffcc60, callee=..., kind=JSC::CodeForConstruct) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:664
#87283 0x00007ffff71a5069 in JSC::linkFor (execCallee=0x7fffffffcc60, kind=JSC::CodeForConstruct, registers=JSC::RegisterPreservationNotRequired) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:686
#87284 0x00007ffff719eb49 in JSC::operationLinkConstruct (execCallee=0x7fffffffcc60) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:728
#87285 0x00007fffaa367973 in ?? ()
#87286 0x00007fffffffccc0 in ?? ()
#87287 0x00007fffaa368ac5 in ?? ()
#87288 0x0000000000000000 in ?? ()
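The backtrace above shows one pair of setupDisjunctionOffsets/setupAlternativeOffsets frames per nested group, more than 87,000 frames deep, with the fault landing in a trivial Checked<> constructor whose `this` lives on the stack; that reads as stack exhaustion from unbounded recursion over the pattern's nesting depth rather than an arithmetic overflow. The harness below is an added example, not part of the bug report or of WebKit: it builds the same shape of pattern for an arbitrary depth, turns every outcome (compiles, throws, which error) into a plain result object, and bisects for the depth at which the host engine stops accepting the pattern. The function names, the environment variables and the default search bound are assumptions made for this example.

```javascript
'use strict';

// Added example (not from the bug report or WebKit). Builds depth-nested
// non-capturing groups in the shape of the reporter's test case and records
// how the running engine reacts. Names here are assumptions for the example.

// Build "(?:" repeated `depth` times, then `body`, then ")" repeated `depth` times.
function buildNested(depth, body = '') {
  if (!Number.isInteger(depth) || depth < 0) {
    throw new RangeError('depth must be a non-negative integer');
  }
  return '(?:'.repeat(depth) + body + ')'.repeat(depth);
}

// Compile a pattern of the given depth and, on success, run it once against
// `input`. Every outcome becomes a plain object so callers can tabulate
// results instead of catching exceptions themselves.
function probeNested(depth, body = 'a', input = 'a') {
  const pattern = buildNested(depth, body);
  try {
    const re = new RegExp(pattern);
    return { depth, length: pattern.length, ok: true, matched: re.test(input) };
  } catch (e) {
    return {
      depth,
      length: pattern.length,
      ok: false,
      error: e && e.constructor ? e.constructor.name : typeof e,
      message: String(e && e.message).slice(0, 80),
    };
  }
}

// Locate the first depth that fails to compile: double the depth until a
// failure or until maxDepth, then bisect between the last success and the
// first failure. firstFail is null when every depth up to maxDepth compiled,
// so a run is always bounded.
function findDepthLimit(maxDepth = 1 << 20) {
  let lo = 0;
  let hi = 1;
  while (hi <= maxDepth && probeNested(hi).ok) {
    lo = hi;
    hi *= 2;
  }
  if (hi > maxDepth) return { lastOk: lo, firstFail: null };
  while (hi - lo > 1) {
    const mid = lo + ((hi - lo) >> 1);
    if (probeNested(mid).ok) lo = mid; else hi = mid;
  }
  return { lastOk: lo, firstFail: hi, failure: probeNested(hi) };
}

// Stand-alone use (CommonJS): NESTED_DEPTH=100000 node probe.js reproduces
// the report's shape; NESTED_LIMIT=1 node probe.js searches for the limit.
if (typeof require !== 'undefined' && require.main === module) {
  const depth = Number(process.env.NESTED_DEPTH || 64);
  console.log(probeNested(depth));
  if (process.env.NESTED_LIMIT) console.log(findDepthLimit());
}
```

Run it under the engine you want to examine; a healthy engine should return a result object with `ok: false` and a named error (typically SyntaxError) at some depth, never terminate the process. Keep the probe in a separate process from anything you care about, since the whole point is that the engine under test may not survive.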
Comment 1 Oliver Hunt 2014-03-19 09:33:57 PDT
To which I say wut?
Comment 2 Oliver Hunt 2014-03-19 09:35:59 PDT
Sending to Michael as I'm working on another bug right now, and I know he's looking at regexp code right now.

I have not looked at the code at all, but we should work out what is causing us to nuke construction.  My assumption is that we must be passing a killed value into the construct?
Comment 3 Brent Fulgham 2016-08-03 14:05:53 PDT
This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.