240552 – WTF::CrashOnOverflow::crash() with /((a{100000000})*b{2100000000})+/.test();

Bug 240552 - WTF::CrashOnOverflow::crash() with /((a{100000000})*b{2100000000})+/.test();

Summary: WTF::CrashOnOverflow::crash() with /((a{100000000})*b{2100000000})+/.test();

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-05-17 17:04 PDT by Michael Saboff
Modified:	2022-11-29 11:06 PST (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Saboff 2022-05-17 17:04:13 PDT

Steps To Reproduce:

jsc -e '/((a{100000000})*b{2100000000})+/.test();'


Results:

1   0x110094b49 WTFCrash
2   0x1109e2009 WTF::CrashOnOverflow::crash()
3   0x111bf47c9 WTF::CrashOnOverflow::overflowed()
4   0x11065eade WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked(WTF::ResultOverflowedTag)
5   0x11065ea3b WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked(WTF::ResultOverflowedTag)
6   0x112289fb3 WTF::Checked<WTF::Result<unsigned int, unsigned int>::ResultType, WTF::CrashOnOverflow> WTF::operator+<unsigned int, unsigned int, WTF::CrashOnOverflow>(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, WTF::Checked<unsigned int, WTF::CrashOnOverflow>)
7   0x11228919c JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileParenthesesSubpattern(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, JSC::Yarr::PatternTerm*)
8   0x112287992 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileAlternative(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, JSC::Yarr::PatternAlternative*)
9   0x1122891ee JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileParenthesesSubpattern(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, JSC::Yarr::PatternTerm*)
10  0x112287992 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileAlternative(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, JSC::Yarr::PatternAlternative*)
11  0x112281739 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileBody(JSC::Yarr::PatternDisjunction*)
12  0x11225fb54 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile(JSC::Yarr::YarrCodeBlock&)
13  0x11225f936 JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, WTF::StringView, JSC::Yarr::CharSize, JSC::VM*, JSC::Yarr::YarrCodeBlock&, JSC::Yarr::JITCompileMode)
14  0x111e505ca JSC::RegExp::compileMatchOnly(JSC::VM*, JSC::Yarr::CharSize)
15  0x111e657ef JSC::RegExp::compileIfNecessaryMatchOnly(JSC::VM&, JSC::Yarr::CharSize)
16  0x111e507e1 JSC::MatchResult JSC::RegExp::matchInline<(JSC::Yarr::MatchFrom)0>(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, unsigned int)
17  0x111e50744 JSC::RegExp::match(JSC::JSGlobalObject*, WTF::String const&, unsigned int)
18  0x1112c1f3d JSC::RegExpGlobalData::performMatch(JSC::JSGlobalObject*, JSC::RegExp*, JSC::JSString*, WTF::String const&, int)
19  0x1112c1ac4 JSC::RegExpObject::matchInline(JSC::JSGlobalObject*, JSC::JSString*)
20  0x111e59295 JSC::RegExpObject::match(JSC::JSGlobalObject*, JSC::JSString*)
21  0x111288635 JSC::RegExpObject::test(JSC::JSGlobalObject*, JSC::JSString*)
22  0x111e5daf9 JSC::regExpProtoFuncTestFast(JSC::JSGlobalObject*, JSC::CallFrame*)
23  0x5db5c2208038
24  0x110763427 llint_entry
25  0x11073ef0e vmEntryToJavaScript
26  0x1116c2bd2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
27  0x1116c22b9 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
28  0x111aec835 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
29  0x10077d1bf runWithOptions(GlobalObject*, CommandLine&, bool&)
30  0x10072d872 jscmain(int, char**)::$_9::operator()(JSC::VM&, GlobalObject*, bool&) const
31  0x1006fb1e6 int runJSC<jscmain(int, char**)::$_9>(CommandLine const&, bool, jscmain(int, char**)::$_9 const&)

Regression:

I am seeing this on WebKit svn rev 294218
Both Debug and Release builds crash

Comment 1 Michael Saboff 2022-05-17 17:04:23 PDT

<rdar://93347568>

Comment 2 Michael Saboff 2022-05-18 10:18:10 PDT

Pull request: https://github.com/WebKit/WebKit/pull/733

Comment 3 EWS 2022-05-18 11:34:39 PDT

Committed r294411 (250703@main): <https://commits.webkit.org/250703@main>

Reviewed commits have been landed. Closing PR #733 and removing active labels.