Bug 133009 - Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
Summary: Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generate...
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Michael Saboff
Keywords: InRadar
Depends on:
Reported: 2014-05-16 14:20 PDT by Michael Saboff
Modified: 2014-05-16 15:10 PDT (History)
0 users

See Also:

Patch (5.33 KB, patch)
2014-05-16 15:04 PDT, Michael Saboff
oliver: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Saboff 2014-05-16 14:20:53 PDT
Crashing in failed check in the Checked arithmetic class.

$ jsc
>>> ''.match(/(,9111111111{2257483648,}[:lower:])|(ab)/)
1   0x10aa048c0 WTFCrash
2   0x10a241d29 WTF::CrashOnOverflow::overflowed()
3   0x10a9e4771 WTF::Checked<int, WTF::CrashOnOverflow>::Checked<long long>(WTF::Checked<long long, WTF::CrashOnOverflow> const&)
4   0x10a9e436d WTF::Checked<int, WTF::CrashOnOverflow>::Checked<long long>(WTF::Checked<long long, WTF::CrashOnOverflow> const&)
5   0x10a9ee042 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed(unsigned long)
6   0x10a9ed1f2 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generateTerm(unsigned long)
7   0x10a9e73e7 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generate()
8   0x10a9d8c58 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::compile(JSC::VM*, JSC::Yarr::YarrCodeBlock&)
9   0x10a9d8742 JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, JSC::Yarr::YarrCharSize, JSC::VM*, JSC::Yarr::YarrCodeBlock&, JSC::Yarr::YarrJITCompileMode)
10  0x10a9439b1 JSC::RegExp::compileMatchOnly(JSC::VM*, JSC::Yarr::YarrCharSize)
11  0x10a943b4d JSC::RegExp::compileIfNecessaryMatchOnly(JSC::VM&, JSC::Yarr::YarrCharSize)
12  0x10a943bf3 JSC::RegExp::match(JSC::VM&, WTF::String const&, unsigned int)
13  0x10a94d817 JSC::RegExpConstructor::performMatch(JSC::VM&, JSC::RegExp*, JSC::JSString*, WTF::String const&, int)
14  0x10a97a172 JSC::stringProtoFuncMatch(JSC::ExecState*)
15  0x32ff95c01034
16  0x10a810bc7 llint_entry
17  0x10a80a3a4 callToJavaScript
18  0x10a6a64ed JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
19  0x10a68abd8 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
20  0x10a3306a0 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
21  0x10a1ce3b3 runInteractive(GlobalObject*)
22  0x10a1cd3d3 jscmain(int, char**)
23  0x10a1cd181 main
24  0x7fff8afa55fd start
25  0x1
Segmentation fault: 11

Looks like a mix of int and unsigned in a checked integer expression to create an offset for an BaseIndex address.  The YARR JIT has an unhealthy mix of int and unsigned values to reference characters offset from its working pointer.  This will require some refactoring to get right.  A near term fix is to notice that a regular expression's offsets cannot be represented as a 32 bit integer and relegate them to the interpreter which can handle unsigned offsets.

Comment 1 Michael Saboff 2014-05-16 15:04:35 PDT
Created attachment 231596 [details]
Comment 2 Michael Saboff 2014-05-16 15:10:27 PDT
Committed r168983: <http://trac.webkit.org/changeset/168983>