Bug 196477 - REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-04-01 19:46 PDT by Michael Saboff
Modified: 2019-04-03 16:51 PDT
6 users

See Also:


Attachments
Patch (6.20 KB, patch)
2019-04-01 20:38 PDT, Michael Saboff
Updated patch (6.19 KB, patch)
2019-04-01 21:47 PDT, Michael Saboff

Description Michael Saboff 2019-04-01 19:46:02 PDT
The following crash is seen with layout test js/regexp-unicode.html when using GuardMalloc:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   ???                           	0x000000010b33e7f5 0 + 4482918389
1   com.apple.JavaScriptCore      	0x0000000463c56d71 JSC::RegExpObject::execInline(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*) + 881
2   ???                           	0x000000010b2fb16b 0 + 4482642283
3   com.apple.JavaScriptCore      	0x00000004638ab8e7 llint_entry + 62084
4   com.apple.JavaScriptCore      	0x000000046389c4b9 vmEntryToJavaScript + 200
5   com.apple.JavaScriptCore      	0x00000004635fb3a7 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*) + 2279
6   com.apple.JavaScriptCore      	0x00000004635f741c JSC::eval(JSC::ExecState*) + 764
7   com.apple.JavaScriptCore      	0x0000000463ea2fc6 operationCallEval + 102
8   ???                           	0x000000010b33a236 0 + 4482900534
9   com.apple.JavaScriptCore      	0x00000004638ab8e7 llint_entry + 62084
10  com.apple.JavaScriptCore      	0x000000046389c4b9 vmEntryToJavaScript + 200
11  com.apple.JavaScriptCore      	0x0000000463e0de10 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 11280
...
Comment 1 Michael Saboff 2019-04-01 19:46:16 PDT
<rdar://problem/49482267>
Comment 2 Michael Saboff 2019-04-01 20:38:13 PDT
Created attachment 366467 [details]
Patch
Comment 3 Alexey Proskuryakov 2019-04-01 21:04:08 PDT
Comment on attachment 366467 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=366467&action=review

> Source/JavaScriptCore/yarr/YarrJIT.cpp:1852
> +#if 0 // def JIT_UNICODE_EXPRESSIONS
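Review bot: the `#if 0` at Source/JavaScriptCore/yarr/YarrJIT.cpp:1852 disables the guarded block unconditionally, and the trailing `// def JIT_UNICODE_EXPRESSIONS` shows the guard was `#ifdef JIT_UNICODE_EXPRESSIONS` before being commented out; unless the intent is to drop the Unicode JIT path entirely, restore `#ifdef JIT_UNICODE_EXPRESSIONS` before landing so the change is not shipped with a debugging toggle left in.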

Is this intentional?
Comment 4 Michael Saboff 2019-04-01 21:43:36 PDT
(In reply to Alexey Proskuryakov from comment #3)
> Comment on attachment 366467 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=366467&action=review
> 
> > Source/JavaScriptCore/yarr/YarrJIT.cpp:1852
> > +#if 0 // def JIT_UNICODE_EXPRESSIONS
> 
> Is this intentional?

No.  It is a holdover from testing.  I'll remove and repost.
Comment 5 Michael Saboff 2019-04-01 21:47:09 PDT
Created attachment 366470 [details]
Updated patch
Comment 6 Keith Miller 2019-04-03 16:22:45 PDT
Comment on attachment 366470 [details]
Updated patch

r=me.
Comment 7 WebKit Commit Bot 2019-04-03 16:51:17 PDT
Comment on attachment 366470 [details]
Updated patch

Clearing flags on attachment: 366470

Committed r243839: <https://trac.webkit.org/changeset/243839>
Comment 8 WebKit Commit Bot 2019-04-03 16:51:19 PDT
All reviewed patches have been landed.  Closing bug.