[Webkit-unassigned] [Bug 130448] New: Crash in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 19 09:33:36 PDT 2014 

https://bugs.webkit.org/show_bug.cgi?id=130448

           Summary: Crash in WTF::Checked<unsigned int,
                    WTF::CrashOnOverflow>::Checked
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rhodovan.u-szeged at partner.samsung.com
                CC: sam at webkit.org, oliver at apple.com,
                    barraclough at apple.com, pvarga at webkit.org
            Blocks: 116980


Created an attachment (id=227170)
 --> (https://bugs.webkit.org/attachment.cgi?id=227170&action=review)
Test case

The crashing test:

var open = '(?:';
var close = ')';
var pattern = '';

for (var i=0; i<100000; i++) {
      pattern += open;
}

for (i=0; i<100000; i++) {
     pattern += close;
}

var re = new RegExp(pattern);


The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7398254 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked<unsigned int> (this=0x7fffff7ff040, value=0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/CheckedArithmetic.h:435
435        {
(gdb) bt
#0  0x00007ffff7398254 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked<unsigned int> (this=0x7fffff7ff040, value=0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/CheckedArithmetic.h:435
#1  0x00007ffff73bda66 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312bbc0, 
    currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:571
#2  0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b880, 
    initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#3  0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312b7c0, 
    currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#4  0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b480, 
    initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#5  0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312b3c0, 
    currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#6  0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x312b080, 
    initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#7  0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x312afc0, 
    currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619

... the lines 619 and 665 in YarrPattern.cpp many-many times (23Mb) ...

#87269 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x68f630, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#87270 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x68d820, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#87271 0x00007ffff73bdc36 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (this=0x7fffffffc770, alternative=0x685bf0, currentCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:619
#87272 0x00007ffff73bde74 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets (this=0x7fffffffc770, disjunction=0x688cc0, initialCallFrameSize=0, initialInputPosition=0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:665
#87273 0x00007ffff73bdf99 in JSC::Yarr::YarrPatternConstructor::setupOffsets (this=0x7fffffffc770) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:682
#87274 0x00007ffff73ba995 in JSC::Yarr::YarrPattern::compile (this=0x7fffffffc830, patternString=...) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:857
#87275 0x00007ffff73baaba in JSC::Yarr::YarrPattern::YarrPattern (this=0x7fffffffc830, pattern=..., ignoreCase=false, multiline=false, error=0x7ffff7f85110) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/yarr/YarrPattern.cpp:877
#87276 0x00007ffff7355805 in JSC::RegExp::finishCreation (this=0x7ffff7f850f0, vm=...) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:239
#87277 0x00007ffff73558d8 in JSC::RegExp::createWithoutCaching (vm=..., patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:258
#87278 0x00007ffff7356f1c in JSC::RegExpCache::lookupOrCreate (this=0x665ea0, patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpCache.cpp:44
#87279 0x00007ffff7355915 in JSC::RegExp::create (vm=..., patternString=..., flags=JSC::NoFlags) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExp.cpp:264
#87280 0x00007ffff735af32 in JSC::constructRegExp (exec=0x7fffffffcc60, globalObject=0x7ffff7f2f970, args=..., callAsConstructor=true) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpConstructor.cpp:279
#87281 0x00007ffff735b051 in JSC::constructWithRegExpConstructor (exec=0x7fffffffcc60) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/RegExpConstructor.cpp:288
#87282 0x00007ffff719e9c7 in JSC::handleHostCall (execCallee=0x7fffffffcc60, callee=..., kind=JSC::CodeForConstruct) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:664
#87283 0x00007ffff71a5069 in JSC::linkFor (execCallee=0x7fffffffcc60, kind=JSC::CodeForConstruct, registers=JSC::RegisterPreservationNotRequired) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:686
#87284 0x00007ffff719eb49 in JSC::operationLinkConstruct (execCallee=0x7fffffffcc60) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:728
#87285 0x00007fffaa367973 in ?? ()
#87286 0x00007fffffffccc0 in ?? ()
#87287 0x00007fffaa368ac5 in ?? ()
#87288 0x0000000000000000 in ?? ()

--- Comment #1 from Oliver Hunt <oliver at apple.com>  2014-03-19 09:33:57 PST ---
To which i say wut?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list