Bug 196477 - REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=196477
Michael Saboff
Reported 2019-04-01 19:46:02 PDT
The following crash is seen with layout test js/regexp-unicode.html when using GuardMalloc:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   ???                        0x000000010b33e7f5 0 + 4482918389
1   com.apple.JavaScriptCore   0x0000000463c56d71 JSC::RegExpObject::execInline(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*) + 881
2   ???                        0x000000010b2fb16b 0 + 4482642283
3   com.apple.JavaScriptCore   0x00000004638ab8e7 llint_entry + 62084
4   com.apple.JavaScriptCore   0x000000046389c4b9 vmEntryToJavaScript + 200
5   com.apple.JavaScriptCore   0x00000004635fb3a7 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*) + 2279
6   com.apple.JavaScriptCore   0x00000004635f741c JSC::eval(JSC::ExecState*) + 764
7   com.apple.JavaScriptCore   0x0000000463ea2fc6 operationCallEval + 102
8   ???                        0x000000010b33a236 0 + 4482900534
9   com.apple.JavaScriptCore   0x00000004638ab8e7 llint_entry + 62084
10  com.apple.JavaScriptCore   0x000000046389c4b9 vmEntryToJavaScript + 200
11  com.apple.JavaScriptCore   0x0000000463e0de10 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 11280
...
Attachments
Patch (6.20 KB, patch)
2019-04-01 20:38 PDT, Michael Saboff
no flags
Updated patch (6.19 KB, patch)
2019-04-01 21:47 PDT, Michael Saboff
no flags
Michael Saboff
Comment 1 2019-04-01 19:46:16 PDT
Michael Saboff
Comment 2 2019-04-01 20:38:13 PDT
Alexey Proskuryakov
Comment 3 2019-04-01 21:04:08 PDT
Comment on attachment 366467 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=366467&action=review

> Source/JavaScriptCore/yarr/YarrJIT.cpp:1852
> +#if 0 // def JIT_UNICODE_EXPRESSIONS

Is this intentional?
Michael Saboff
Comment 4 2019-04-01 21:43:36 PDT
(In reply to Alexey Proskuryakov from comment #3)
> Comment on attachment 366467 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=366467&action=review
>
> > Source/JavaScriptCore/yarr/YarrJIT.cpp:1852
> > +#if 0 // def JIT_UNICODE_EXPRESSIONS
>
> Is this intentional?

No. It is a holdover from testing. I'll remove and repost.
Michael Saboff
Comment 5 2019-04-01 21:47:09 PDT
Created attachment 366470 [details] Updated patch
Keith Miller
Comment 6 2019-04-03 16:22:45 PDT
Comment on attachment 366470 [details]
Updated patch

r=me.
WebKit Commit Bot
Comment 7 2019-04-03 16:51:17 PDT
Comment on attachment 366470 [details]
Updated patch

Clearing flags on attachment: 366470

Committed r243839: <https://trac.webkit.org/changeset/243839>
WebKit Commit Bot
Comment 8 2019-04-03 16:51:19 PDT
All reviewed patches have been landed. Closing bug.