[Webkit-unassigned] [Bug 47324] REGRESSION(r68204-r68242): Crash during execution of String.replace with specific regular expression

Thu Oct 7 14:24:42 PDT 2010

https://bugs.webkit.org/show_bug.cgi?id=47324

Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
           Keywords|                            |NeedsRadar
                 CC|                            |ap at webkit.org,
                   |                            |ggaren at apple.com,
                   |                            |msaboff at apple.com
     Ever Confirmed|0                           |1

--- Comment #2 from Alexey Proskuryakov <ap at webkit.org>  2010-10-07 14:24:42 PST ---
I've got a crash in a debug build:

#0    0x101cb9300 in WTF::VectorBufferBase<unsigned short>::allocateBuffer at Vector.h:286
#1    0x101b652e5 in WTF::Vector<unsigned short, 0ul>::reserveCapacity at Vector.h:871
#2    0x101cba9fa in WTF::Vector<unsigned short, 0ul>::expandCapacity at Vector.h:788
#3    0x101b65452 in WTF::Vector<unsigned short, 0ul>::expandCapacity at Vector.h:795
#4    0x101cbaa4c in WTF::Vector<unsigned short, 0ul>::append<unsigned short> at Vector.h:931
#5    0x101ce116b in JSC::substituteBackreferencesSlow at StringPrototype.cpp:209
#6    0x101ce127e in JSC::substituteBackreferences at StringPrototype.cpp:223
#7    0x101ce1a55 in JSC::stringProtoFuncReplace at StringPrototype.cpp:402

That's because newCapacity was 18446744072277895851 (0xffffffffaaaaaaab AKA -1431655765). An obvious question: why didn't this crash nightlies? Is CRASH macro broken, or does newCapacity just happen to be different?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.