WebKit Bugzilla
RESOLVED FIXED
133009
Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
https://bugs.webkit.org/show_bug.cgi?id=133009
Michael Saboff
Reported
2014-05-16 14:20:53 PDT
Crashing in failed check in the Checked arithmetic class.

$ jsc
>>> ''.match(/(,9111111111{2257483648,}[:lower:])|(ab)/)
1 0x10aa048c0 WTFCrash
2 0x10a241d29 WTF::CrashOnOverflow::overflowed()
3 0x10a9e4771 WTF::Checked<int, WTF::CrashOnOverflow>::Checked<long long>(WTF::Checked<long long, WTF::CrashOnOverflow> const&)
4 0x10a9e436d WTF::Checked<int, WTF::CrashOnOverflow>::Checked<long long>(WTF::Checked<long long, WTF::CrashOnOverflow> const&)
5 0x10a9ee042 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed(unsigned long)
6 0x10a9ed1f2 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generateTerm(unsigned long)
7 0x10a9e73e7 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generate()
8 0x10a9d8c58 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::compile(JSC::VM*, JSC::Yarr::YarrCodeBlock&)
9 0x10a9d8742 JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, JSC::Yarr::YarrCharSize, JSC::VM*, JSC::Yarr::YarrCodeBlock&, JSC::Yarr::YarrJITCompileMode)
10 0x10a9439b1 JSC::RegExp::compileMatchOnly(JSC::VM*, JSC::Yarr::YarrCharSize)
11 0x10a943b4d JSC::RegExp::compileIfNecessaryMatchOnly(JSC::VM&, JSC::Yarr::YarrCharSize)
12 0x10a943bf3 JSC::RegExp::match(JSC::VM&, WTF::String const&, unsigned int)
13 0x10a94d817 JSC::RegExpConstructor::performMatch(JSC::VM&, JSC::RegExp*, JSC::JSString*, WTF::String const&, int)
14 0x10a97a172 JSC::stringProtoFuncMatch(JSC::ExecState*)
15 0x32ff95c01034
16 0x10a810bc7 llint_entry
17 0x10a80a3a4 callToJavaScript
18 0x10a6a64ed JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
19 0x10a68abd8 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
20 0x10a3306a0 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
21 0x10a1ce3b3 runInteractive(GlobalObject*)
22 0x10a1cd3d3 jscmain(int, char**)
23 0x10a1cd181 main
24 0x7fff8afa55fd start
25 0x1
Segmentation fault: 11

Looks like a mix of int and unsigned in a checked integer expression to create an offset for a BaseIndex address.

The YARR JIT has an unhealthy mix of int and unsigned values to reference characters offset from its working pointer. This will require some refactoring to get right. A near-term fix is to notice that a regular expression's offsets cannot be represented as a 32-bit integer and relegate them to the interpreter, which can handle unsigned offsets.

<rdar://problem/14326503>
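The report above describes a checked narrowing from a 64-bit value to a 32-bit int that fires WTF::CrashOnOverflow::overflowed(), and proposes refusing to JIT any pattern whose character offsets do not fit 32 bits. The following is an added illustration written for this page, not WebKit's code: fitsInInt32, checkedNarrow, narrowWouldOverflow, FixedCharTerm and patternOffsetsFitJit are all hypothetical names, and the term layout is a constructed simplification of a fixed-count character term.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>

// Analogue of the failure WTF::CrashOnOverflow reports; thrown here instead of crashing.
struct OverflowError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// True if a 64-bit offset can be represented as the 32-bit int a JIT BaseIndex address uses.
bool fitsInInt32(int64_t value) {
    return value >= std::numeric_limits<int32_t>::min()
        && value <= std::numeric_limits<int32_t>::max();
}

// Checked narrowing: the analogue of building Checked<int> from Checked<long long>.
int32_t checkedNarrow(int64_t value) {
    if (!fitsInInt32(value))
        throw OverflowError("checked narrowing overflowed");
    return static_cast<int32_t>(value);
}

// Boolean form of the same check, for callers that prefer no exception.
bool narrowWouldOverflow(int64_t value) {
    try { checkedNarrow(value); return false; }
    catch (const OverflowError&) { return true; }
}

// Hypothetical (constructed) description of one fixed-count character term:
// `count` copies of a character, the first `baseOffset` characters past the working pointer.
struct FixedCharTerm {
    int64_t baseOffset;
    int64_t count;
};

// Pre-check in the spirit of the near-term fix: if any character offset the JIT would
// address cannot be represented as a 32-bit integer, return false so the caller falls
// back to the interpreter instead of hitting the overflow check mid-compilation.
bool patternOffsetsFitJit(const FixedCharTerm* terms, size_t n, int64_t charSize) {
    for (size_t i = 0; i < n; ++i) {
        if (terms[i].count <= 0)
            continue;
        int64_t lastChar = terms[i].baseOffset + terms[i].count - 1;  // highest index touched
        if (lastChar < 0 || lastChar > std::numeric_limits<int32_t>::max() / charSize)
            return false;  // lastChar * charSize would not fit a 32-bit displacement
    }
    return true;
}
```

With the quantifier from the report ({2257483648,}) the count alone exceeds INT32_MAX, so patternOffsetsFitJit returns false before any narrowing happens.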
Attachments
Patch (5.33 KB, patch), 2014-05-16 15:04 PDT, Michael Saboff; oliver: review+
Michael Saboff, Comment 1, 2014-05-16 15:04:35 PDT
Created attachment 231596 [details]: Patch
Michael Saboff, Comment 2, 2014-05-16 15:10:27 PDT
Committed r168983: <http://trac.webkit.org/changeset/168983>