WebKit Bugzilla
RESOLVED WORKSFORME
130448
Crash in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked
https://bugs.webkit.org/show_bug.cgi?id=130448
Renata Hodovan
Reported 2014-03-19 03:00:16 PDT
Created attachment 227170 [details]: Test case

The crashing test:

var open = '(?:';
var close = ')';
var pattern = '';
for (var i=0; i<100000; i++) { pattern += open; }
for (i=0; i<100000; i++) { pattern += close; }
var re = new RegExp(pattern);

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7398254 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked<unsigned int> (this=0x7fffff7ff040, value=0) at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/CheckedArithmetic.h:435
435 {
(gdb) bt
#0 0x00007ffff7398254 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked<unsigned int> (this=0x7fffff7ff040, value=0) at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/CheckedArithmetic.h:435
#1 0x00007ffff73bda66 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312bbc0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:571
#2 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b880, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#3 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312b7c0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#4 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b480, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#5 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312b3c0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#6 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b080, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#7 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312afc0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
... the lines 619 and 665 in YarrPattern.cpp many-many times (23Mb) ...
#87269 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x68f630, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#87270 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x68d820, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#87271 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x685bf0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#87272 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x688cc0, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#87273 0x00007ffff73bdf99 in JSC::Yarr::YarrPatternConstructor::setupOffsets (this=0x7fffffffc770) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:682
#87274 0x00007ffff73ba995 in JSC::Yarr::YarrPattern::compile (this=0x7fffffffc830, patternString=...) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:857
#87275 0x00007ffff73baaba in JSC::Yarr::YarrPattern::YarrPattern (this=0x7fffffffc830, pattern=..., ignoreCase=false, multiline=false, error=0x7ffff7f85110) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:877
#87276 0x00007ffff7355805 in JSC::RegExp::finishCreation (this=0x7ffff7f850f0, vm=...) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:239
#87277 0x00007ffff73558d8 in JSC::RegExp::createWithoutCaching (vm=..., patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:258
#87278 0x00007ffff7356f1c in JSC::RegExpCache::lookupOrCreate (this=0x665ea0, patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpCache.cpp:44
#87279 0x00007ffff7355915 in JSC::RegExp::create (vm=..., patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:264
#87280 0x00007ffff735af32 in JSC::constructRegExp (exec=0x7fffffffcc60, globalObject=0x7ffff7f2f970, args=..., callAsConstructor=true) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpConstructor.cpp:279
#87281 0x00007ffff735b051 in JSC::constructWithRegExpConstructor (exec=0x7fffffffcc60) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpConstructor.cpp:288
#87282 0x00007ffff719e9c7 in JSC::handleHostCall (execCallee=0x7fffffffcc60, callee=..., kind=JSC::CodeForConstruct) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:664
#87283 0x00007ffff71a5069 in JSC::linkFor (execCallee=0x7fffffffcc60, kind=JSC::CodeForConstruct, registers=JSC::RegisterPreservationNotRequired) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:686
#87284 0x00007ffff719eb49 in JSC::operationLinkConstruct (execCallee=0x7fffffffcc60) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:728
#87285 0x00007fffaa367973 in ?? ()
#87286 0x00007fffffffccc0 in ?? ()
#87287 0x00007fffaa368ac5 in ?? ()
#87288 0x0000000000000000 in ?? ()
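The backtrace shows the Yarr pattern compiler recursing once per nested group until the stack is exhausted. As an added example, not code from the report or from WebKit, here is a host-side guard an application can apply to untrusted patterns before compiling them: it measures group nesting depth and refuses patterns above an assumed budget (the 1000-level limit and the function names are this example's own choices).

```javascript
// Added example: pre-check the nesting depth of a regex pattern before
// handing it to the engine. The reporter's crashing pattern is 100000 "(?:"
// followed by 100000 ")"; every level of nesting became one more recursive
// call in the compiler's offset setup.

const MAX_GROUP_DEPTH = 1000; // assumed application budget, not a WebKit constant

// Returns the deepest group nesting in a pattern source string.
// Escaped characters and parentheses inside character classes do not
// open or close groups, so they are skipped.
function maxGroupDepth(pattern) {
  let depth = 0, maxDepth = 0, inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }              // skip the escaped char
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(') { depth++; if (depth > maxDepth) maxDepth = depth; }
    else if (c === ')' && depth > 0) depth--;
  }
  return maxDepth;
}

// Builds the reporter's test pattern: n nested non-capturing groups.
function nestedGroups(n) {
  return '(?:'.repeat(n) + ')'.repeat(n);
}

// Compiles the pattern only if it stays within the nesting budget;
// returns null when the pattern is rejected.
function safeRegExp(pattern, flags) {
  if (maxGroupDepth(pattern) > MAX_GROUP_DEPTH) return null;
  return new RegExp(pattern, flags);
}
```

The guard only bounds nesting depth; it does not bound pattern length or backtracking cost, which need separate limits.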
Attachments
Test case (195 bytes, application/javascript), 2014-03-19 03:00 PDT, Renata Hodovan, no flags
Oliver Hunt
Comment 1
2014-03-19 09:33:57 PDT
To which I say wut?
Oliver Hunt
Comment 2
2014-03-19 09:35:59 PDT
Sending to Michael as I'm working on another bug right now, and I know he's looking at regexp code right now. I have not looked at the code at all, but we should work out what is causing us to nuke construction. My assumption is that we must be passing a killed value into the construct?
Brent Fulgham
Comment 3
2016-08-03 14:05:53 PDT
This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.