Bug 196477 - REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
Summary: REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::ex...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-04-01 19:46 PDT by Michael Saboff
Modified: 2019-04-03 16:51 PDT (History)
6 users (show)

See Also:

Attachments
Patch (6.20 KB, patch)
2019-04-01 20:38 PDT, Michael Saboff 		no flags Details | Formatted Diff | Diff
Updated patch (6.19 KB, patch)
2019-04-01 21:47 PDT, Michael Saboff 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Saboff 2019-04-01 19:46:02 PDT 
The following crash is seen with layout test js/regexp-unicode.html when using GuardMalloc:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   ???                           	0x000000010b33e7f5 0 + 4482918389
1   com.apple.JavaScriptCore      	0x0000000463c56d71 JSC::RegExpObject::execInline(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*) + 881
2   ???                           	0x000000010b2fb16b 0 + 4482642283
3   com.apple.JavaScriptCore      	0x00000004638ab8e7 llint_entry + 62084
4   com.apple.JavaScriptCore      	0x000000046389c4b9 vmEntryToJavaScript + 200
5   com.apple.JavaScriptCore      	0x00000004635fb3a7 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*) + 2279
6   com.apple.JavaScriptCore      	0x00000004635f741c JSC::eval(JSC::ExecState*) + 764
7   com.apple.JavaScriptCore      	0x0000000463ea2fc6 operationCallEval + 102
8   ???                           	0x000000010b33a236 0 + 4482900534
9   com.apple.JavaScriptCore      	0x00000004638ab8e7 llint_entry + 62084
10  com.apple.JavaScriptCore      	0x000000046389c4b9 vmEntryToJavaScript + 200
11  com.apple.JavaScriptCore      	0x0000000463e0de10 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 11280
...
Comment 1 Michael Saboff 2019-04-01 19:46:16 PDT 
<rdar://problem/49482267>
Comment 2 Michael Saboff 2019-04-01 20:38:13 PDT 
Created attachment 366467 [details]
Patch
Comment 3 Alexey Proskuryakov 2019-04-01 21:04:08 PDT 
Comment on attachment 366467 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=366467&action=review

> Source/JavaScriptCore/yarr/YarrJIT.cpp:1852
> +#if 0 // def JIT_UNICODE_EXPRESSIONS

Is this intentional?
Comment 4 Michael Saboff 2019-04-01 21:43:36 PDT 
(In reply to Alexey Proskuryakov from comment #3)
> Comment on attachment 366467 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=366467&action=review
> 
> > Source/JavaScriptCore/yarr/YarrJIT.cpp:1852
> > +#if 0 // def JIT_UNICODE_EXPRESSIONS
> 
> Is this intentional?

No.  It is a hold over from testing.  I'll remove and repost.
Comment 5 Michael Saboff 2019-04-01 21:47:09 PDT 
Created attachment 366470 [details]
Updated patch
Comment 6 Keith Miller 2019-04-03 16:22:45 PDT 
Comment on attachment 366470 [details]
Updated patch

r=me.
Comment 7 WebKit Commit Bot 2019-04-03 16:51:17 PDT 
Comment on attachment 366470 [details]
Updated patch

Clearing flags on attachment: 366470

Committed r243839: <https://trac.webkit.org/changeset/243839>
Comment 8 WebKit Commit Bot 2019-04-03 16:51:19 PDT 
All reviewed patches have been landed.  Closing bug.