Bug 67326 - fast/regex/overflow.html asserts in debug builds
Summary: fast/regex/overflow.html asserts in debug builds
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Oliver Hunt
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-31 15:00 PDT by Simon Fraser (smfr)
Modified: 2011-08-31 17:22 PDT (History)

See Also:


Attachments
Patch (2.48 KB, patch)
2011-08-31 17:00 PDT, Oliver Hunt
barraclough: review+

Description Simon Fraser (smfr) 2011-08-31 15:00:52 PDT
fast/regex/overflow.html -> unexpected DumpRenderTree crash


Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> 
    __TEXT                 000000010ae74000-000000010aefa000 [  536K] r-x/rwx SM=COW  /Volumes/VOLUME/*

Application Specific Information:
objc[27078]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010b32f483 WTF::CrashOnOverflow::overflowed() + 35 (CheckedArithmetic.h:72)
1   com.apple.JavaScriptCore      	0x000000010b33d127 WTF::Checked<int, WTF::CrashOnOverflow>::Checked<unsigned int>(WTF::Checked<unsigned int, WTF::CrashOnOverflow> const&) + 55 (CheckedArithmetic.h:449)
2   com.apple.JavaScriptCore      	0x000000010b33d07d WTF::Checked<int, WTF::CrashOnOverflow>::Checked<unsigned int>(WTF::Checked<unsigned int, WTF::CrashOnOverflow> const&) + 29 (CheckedArithmetic.h:450)
3   com.apple.JavaScriptCore      	0x000000010b33b519 JSC::Yarr::YarrGenerator::generateCharacterClassFixed(unsigned long) + 233 (YarrJIT.cpp:876)
4   com.apple.JavaScriptCore      	0x000000010b339ed9 JSC::Yarr::YarrGenerator::generateTerm(unsigned long) + 377 (YarrJIT.cpp:1088)
5   com.apple.JavaScriptCore      	0x000000010b331f1d JSC::Yarr::YarrGenerator::generate() + 221 (YarrJIT.cpp:1205)
6   com.apple.JavaScriptCore      	0x000000010b330740 JSC::Yarr::YarrGenerator::compile(JSC::JSGlobalData*, JSC::Yarr::YarrCodeBlock&) + 368 (YarrJIT.cpp:2429)
7   com.apple.JavaScriptCore      	0x000000010b3301e5 JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, JSC::JSGlobalData*, JSC::Yarr::YarrCodeBlock&) + 69 (YarrJIT.cpp:2466)
8   com.apple.JavaScriptCore      	0x000000010b2d85e0 JSC::RegExp::compile(JSC::JSGlobalData*) + 976 (RegExp.cpp:138)
9   com.apple.JavaScriptCore      	0x000000010b2d8fb5 JSC::RegExp::compileIfNecessary(JSC::JSGlobalData&) + 69 (RegExp.h:100)
10  com.apple.JavaScriptCore      	0x000000010b2d8804 JSC::RegExp::match(JSC::JSGlobalData&, JSC::UString const&, int, WTF::Vector<int, 32ul>*) + 180 (RegExp.cpp:171)
11  com.apple.JavaScriptCore      	0x000000010b2e504a JSC::RegExpConstructor::performMatch(JSC::JSGlobalData&, JSC::RegExp*, JSC::UString const&, int, int&, int&, int**) + 138 (RegExpConstructor.h:120)
12  com.apple.JavaScriptCore      	0x000000010b2e419a JSC::RegExpObject::match(JSC::ExecState*) + 298 (RegExpObject.cpp:188)
13  com.apple.JavaScriptCore      	0x000000010b2e445d JSC::RegExpObject::exec(JSC::ExecState*) + 29 (RegExpObject.cpp:174)
14  com.apple.JavaScriptCore      	0x000000010b2e6030 _ZN3JSCL19regExpProtoFuncExecEPNS_9ExecStateE + 112 (RegExpPrototype.cpp:95)
15  ???                           	0x000026c1cb4011f8 0 + 42613780517368
16  com.apple.JavaScriptCore      	0x000000010b174554 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 100 (JITCode.h:80)
17  com.apple.JavaScriptCore      	0x000000010b16c898 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, int, JSC::ScopeChainNode*) + 2984 (Interpreter.cpp:1296)
18  com.apple.JavaScriptCore      	0x000000010b16bc7f JSC::Interpreter::callEval(JSC::ExecState*, JSC::RegisterFile*, JSC::Register*, int, int) + 1583 (Interpreter.cpp:463)
19  com.apple.JavaScriptCore      	0x000000010b1b3623 cti_op_call_eval + 803 (JITStubs.cpp:3207)
20  com.apple.JavaScriptCore      	0x000000010b1b71a0 0x10b042000 + 1528224
21  com.apple.JavaScriptCore      	0x000000010b174554 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 100 (JITCode.h:80)
22  com.apple.JavaScriptCore      	0x000000010b16fc51 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 5873 (Interpreter.cpp:898)
23  com.apple.JavaScriptCore      	0x000000010b0c9016 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) + 662 (Completion.cpp:66)
24  com.apple.WebCore             	0x000000010cd9631e WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) + 62 (JSMainThreadExecState.h:57)
25  com.apple.WebCore             	0x000000010d4c8b27 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 519 (ScriptController.cpp:142)
26  com.apple.WebCore             	0x000000010d4c8df4 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 68 (ScriptController.cpp:162)
27  com.apple.WebCore             	0x000000010d4e1590 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 560 (ScriptElement.cpp:292)
28  com.apple.WebCore             	0x000000010c93ee9f WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) + 623 (HTMLScriptRunner.cpp:139)
29  com.apple.WebCore             	0x000000010c93ebc6 WebCore::HTMLScriptRunner::executeParsingBlockingScript() + 454 (HTMLScriptRunner.cpp:118)
30  com.apple.WebCore             	0x000000010c93f7ba WebCore::HTMLScriptRunner::executeParsingBlockingScripts() + 90 (HTMLScriptRunner.cpp:196)
31  com.apple.WebCore             	0x000000010c93f959 WebCore::HTMLScriptRunner::executeScriptsWaitingForLoad(WebCore::CachedResource*) + 377 (HTMLScriptRunner.cpp:206)
32  com.apple.WebCore             	0x000000010c8b2962 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 530 (HTMLDocumentParser.cpp:524)
33  com.apple.WebCore             	0x000000010c8b2a2f non-virtual thunk to WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 47
34  com.apple.WebCore             	0x000000010c20484d WebCore::CachedResource::checkNotify() + 125 (CachedResource.cpp:151)
35  com.apple.WebCore             	0x000000010c21fef1 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 193 (CachedScript.cpp:105)
36  com.apple.WebCore             	0x000000010c21e146 WebCore::CachedResourceRequest::didFinishLoading(WebCore::SubresourceLoader*, double) + 614 (CachedResourceRequest.cpp:169)
37  com.apple.WebCore             	0x000000010d5cd7de WebCore::SubresourceLoader::didFinishLoading(double) + 206 (SubresourceLoader.cpp:196)
38  com.apple.WebCore             	0x000000010d489a9c WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 188 (ResourceLoader.cpp:473)
39  com.apple.WebCore             	0x000000010d485a75 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 261 (ResourceHandleMac.mm:891)
40  com.apple.Foundation          	0x00007fff8f634302 ___NSURLConnectionDidFinishLoading_block_invoke_1 + 122
41  com.apple.Foundation          	0x00007fff8f634282 _NSURLConnectionDidFinishLoading + 81
42  com.apple.CFNetwork           	0x00007fff90a06136 URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 296
43  com.apple.CFNetwork           	0x00007fff90ab5dfe URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 862
44  com.apple.CFNetwork           	0x00007fff90ab5fea URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 1354
45  com.apple.CFNetwork           	0x00007fff909e107d URLConnectionClient::processEvents() + 185
46  com.apple.CFNetwork           	0x00007fff909e0f22 MultiplexerSource::perform() + 212
47  com.apple.CoreFoundation      	0x00007fff96181c51 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
48  com.apple.CoreFoundation      	0x00007fff961814bd __CFRunLoopDoSources0 + 253
49  com.apple.CoreFoundation      	0x00007fff961a82d9 __CFRunLoopRun + 905
50  com.apple.CoreFoundation      	0x00007fff961a7c16 CFRunLoopRunSpecific + 230
51  com.apple.Foundation          	0x00007fff8f5d7c3f -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 267
52  DumpRenderTree                	0x000000010ae8991e _ZL7runTestRKSs + 2990 (DumpRenderTree.mm:1162)
53  DumpRenderTree                	0x000000010ae88caf _ZL20runTestingServerLoopv + 223 (DumpRenderTree.mm:635)
54  DumpRenderTree                	0x000000010ae88589 dumpRenderTree(int, char const**) + 361 (DumpRenderTree.mm:688)
55  DumpRenderTree                	0x000000010ae8a0ac main + 124 (DumpRenderTree.mm:729)
Comment 1 Oliver Hunt 2011-08-31 17:00:10 PDT
Created attachment 105862 [details]
Patch
Comment 2 Oliver Hunt 2011-08-31 17:22:01 PDT
Committed r94254: <http://trac.webkit.org/changeset/94254>