RESOLVED FIXED240552
WTF::CrashOnOverflow::crash() with /((a{100000000})*b{2100000000})+/.test(); 
https://bugs.webkit.org/show_bug.cgi?id=240552
Summary WTF::CrashOnOverflow::crash() with /((a{100000000})*b{2100000000})+/.test();
Michael Saboff
Reported 2022-05-17 17:04:13 PDT
Steps To Reproduce: jsc -e '/((a{100000000})*b{2100000000})+/.test();' Results: 1 0x110094b49 WTFCrash 2 0x1109e2009 WTF::CrashOnOverflow::crash() 3 0x111bf47c9 WTF::CrashOnOverflow::overflowed() 4 0x11065eade WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked(WTF::ResultOverflowedTag) 5 0x11065ea3b WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked(WTF::ResultOverflowedTag) 6 0x112289fb3 WTF::Checked<WTF::Result<unsigned int, unsigned int>::ResultType, WTF::CrashOnOverflow> WTF::operator+<unsigned int, unsigned int, WTF::CrashOnOverflow>(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, WTF::Checked<unsigned int, WTF::CrashOnOverflow>) 7 0x11228919c JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileParenthesesSubpattern(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, JSC::Yarr::PatternTerm*) 8 0x112287992 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileAlternative(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, JSC::Yarr::PatternAlternative*) 9 0x1122891ee JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileParenthesesSubpattern(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, JSC::Yarr::PatternTerm*) 10 0x112287992 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileAlternative(WTF::Checked<unsigned int, WTF::CrashOnOverflow>, JSC::Yarr::PatternAlternative*) 11 0x112281739 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::opCompileBody(JSC::Yarr::PatternDisjunction*) 12 0x11225fb54 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile(JSC::Yarr::YarrCodeBlock&) 13 0x11225f936 JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, WTF::StringView, JSC::Yarr::CharSize, JSC::VM*, JSC::Yarr::YarrCodeBlock&, JSC::Yarr::JITCompileMode) 14 0x111e505ca JSC::RegExp::compileMatchOnly(JSC::VM*, JSC::Yarr::CharSize) 15 0x111e657ef JSC::RegExp::compileIfNecessaryMatchOnly(JSC::VM&, JSC::Yarr::CharSize) 16 0x111e507e1 JSC::MatchResult JSC::RegExp::matchInline<(JSC::Yarr::MatchFrom)0>(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, unsigned int) 17 0x111e50744 JSC::RegExp::match(JSC::JSGlobalObject*, WTF::String const&, unsigned int) 18 0x1112c1f3d JSC::RegExpGlobalData::performMatch(JSC::JSGlobalObject*, JSC::RegExp*, JSC::JSString*, WTF::String const&, int) 19 0x1112c1ac4 JSC::RegExpObject::matchInline(JSC::JSGlobalObject*, JSC::JSString*) 20 0x111e59295 JSC::RegExpObject::match(JSC::JSGlobalObject*, JSC::JSString*) 21 0x111288635 JSC::RegExpObject::test(JSC::JSGlobalObject*, JSC::JSString*) 22 0x111e5daf9 JSC::regExpProtoFuncTestFast(JSC::JSGlobalObject*, JSC::CallFrame*) 23 0x5db5c2208038 24 0x110763427 llint_entry 25 0x11073ef0e vmEntryToJavaScript 26 0x1116c2bd2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 27 0x1116c22b9 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 28 0x111aec835 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 29 0x10077d1bf runWithOptions(GlobalObject*, CommandLine&, bool&) 30 0x10072d872 jscmain(int, char**)::$_9::operator()(JSC::VM&, GlobalObject*, bool&) const 31 0x1006fb1e6 int runJSC<jscmain(int, char**)::$_9>(CommandLine const&, bool, jscmain(int, char**)::$_9 const&) Regression: I am seeing this on WebKit svn rev 294218 Both Debug and Release builds crash
Attachments
Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2022-05-17 17:04:23 PDT
<rdar://93347568>
Michael Saboff
Comment 2 2022-05-18 10:18:10 PDT
Pull request: https://github.com/WebKit/WebKit/pull/733
EWS
Comment 3 2022-05-18 11:34:39 PDT
Committed r294411 (250703@main): <https://commits.webkit.org/250703@main> Reviewed commits have been landed. Closing PR #733 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.