[Webkit-unassigned] [Bug 177293] New: [Win64] Crashes in Yarr JIT compiled code
bugzilla-daemon at webkit.org
Thu Sep 21 01:02:27 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=177293
Bug ID: 177293
Summary: [Win64] Crashes in Yarr JIT compiled code
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: Hironori.Fujii at sony.com
CC: msaboff at apple.com
[Win64] Crashes in Yarr JIT compiled code
WinCairo port, 64bit, Debug build, trunk at 222298, MiniBrowser
1) Start MiniBrowser
2) Load http://google.com/
3) Crash
Callstack:
> 000001c500001b61() Unknown
> 0000003c51cfc6b0() Unknown
> JavaScriptCore.dll!JSC::Yarr::YarrCodeBlock::execute(const unsigned char * input, unsigned int start, unsigned int length, int * output) Line 87 C++
> JavaScriptCore.dll!JSC::RegExp::matchInline<WTF::Vector<int,32,WTF::CrashOnOverflow,16,WTF::FastMalloc> >(JSC::VM & vm, const WTF::String & s, unsigned int startOffset, WTF::Vector<int,32,WTF::CrashOnOverflow,16,WTF::FastMalloc> & ovector) Line 115 C++
> JavaScriptCore.dll!JSC::createRegExpMatchesArray(JSC::VM & vm, JSC::JSGlobalObject * globalObject, JSC::JSString * input, const WTF::String & inputValue, JSC::RegExp * regExp, unsigned int startOffset, JSC::MatchResult & result) Line 66 C++
> JavaScriptCore.dll!JSC::RegExpObject::execInline(JSC::ExecState * exec, JSC::JSGlobalObject * globalObject, JSC::JSString * string) Line 86 C++
> JavaScriptCore.dll!JSC::RegExpObject::exec(JSC::ExecState * exec, JSC::JSGlobalObject * globalObject, JSC::JSString * string) Line 170 C++
> JavaScriptCore.dll!JSC::regExpProtoFuncExec(JSC::ExecState * exec) Line 130 C++
> [External Code]
code:
> 000002293D8B1A22 xor ecx,ecx
> 000002293D8B1A24 cmp r8d,r9d
> 000002293D8B1A27 je 000002293D8B1A51
> 000002293D8B1A2D movzx eax,byte ptr [rdx+r8]
> 000002293D8B1A32 mov r11,7FFB5E1BAF00h
> 000002293D8B1A3C cmp byte ptr [r11+rax],0
> 000002293D8B1A41 jne 000002293D8B1A51
> 000002293D8B1A47 inc r8d
> 000002293D8B1A4A inc ecx
> 000002293D8B1A4C jmp 000002293D8B1A24
> 000002293D8B1A51 mov qword ptr [rsp+8],rcx
> 000002293D8B1A56 mov dword ptr [r10+0Ch],r8d
> 000002293D8B1A5A add rsp,40h
> 000002293D8B1A5E mov eax,dword ptr [r10]
> 000002293D8B1A61 mov dword ptr [r10+4],r8d
> 000002293D8B1A65 mov rdx,r8
> 000002293D8B1A68 mov r11,2297D942110h
> 000002293D8B1A72 mov byte ptr [r11],0
> 000002293D8B1A76 mov qword ptr [rcx],rax <==rip
> 000002293D8B1A79 mov qword ptr [rcx+8],rdx
> 000002293D8B1A7D mov rax,rcx
> 000002293D8B1A80 pop rbp
> 000002293D8B1A81 ret
registers:
> RAX = 000000000000002E RBX = 0000000000000001 RCX = 0000000000000004 RDX = 000000000000003A
> RSI = 0000004559FEC490 RDI = 0000004559FEBF58 R8 = 000000000000003A R9 = 000000000000004E
> R10 = 0000004559FEC060 R11 = 000002297D942110 R12 = 00000000003405FA R13 = 000002290223E4A8
> R14 = FFFF000000000000 R15 = FFFF000000000002
> RIP = 000002293D8B1A76 RSP = 0000004559FEBEE0 RBP = 0000004559FEBEE0 EFL = 00010202
This is the code generated by generateReturn().
rcx was 0x4. But it should be the address where the return values are stored.
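A small triage script, added here and not part of the report, that parses the disassembly and register dump above and lists the earlier instructions that redefined the base register of the faulting store; on this dump it shows rcx being reused as the loop counter (xor ecx,ecx / inc ecx) before the return-value store. The excerpts are copied from the report; the set of writing mnemonics and the 0x10000 pointer threshold are assumptions.

```python
import re

# Excerpt of the disassembly and registers from the crash report above; the
# "<==rip" marker is dropped and the faulting address is taken from RIP instead.
DISASM = """\
000002293D8B1A22 xor ecx,ecx
000002293D8B1A2D movzx eax,byte ptr [rdx+r8]
000002293D8B1A47 inc r8d
000002293D8B1A4A inc ecx
000002293D8B1A51 mov qword ptr [rsp+8],rcx
000002293D8B1A65 mov rdx,r8
000002293D8B1A76 mov qword ptr [rcx],rax
000002293D8B1A79 mov qword ptr [rcx+8],rdx
"""
REGS = "RAX = 000000000000002E RCX = 0000000000000004 RIP = 000002293D8B1A76"
# Mnemonics that write their first operand (assumed list); a '[' in that operand
# means a memory store, not a register write.
WRITERS = {"mov", "movzx", "xor", "inc", "dec", "add", "sub", "lea", "pop"}
ALIASES = {"rax": {"rax", "eax", "ax", "al"}, "rcx": {"rcx", "ecx", "cx", "cl"},
           "rdx": {"rdx", "edx", "dx", "dl"}}

def parse_disasm(text):
    """Turn 'ADDR mnemonic op1,op2' lines into (address, mnemonic, [operands])."""
    out = []
    for line in text.strip().splitlines():
        addr, mnem, *rest = line.split(None, 2)
        ops = [o.strip() for o in rest[0].split(",")] if rest else []
        out.append((int(addr, 16), mnem, ops))
    return out

def parse_regs(text):
    return {m.group(1).lower(): int(m.group(2), 16)
            for m in re.finditer(r"(\w+) = ([0-9A-Fa-f]+)", text)}

def register_writes(disasm, reg, before):
    """Instructions located before 'before' that redefine any alias of 'reg'."""
    return [f"{mnem} {','.join(ops)}" for addr, mnem, ops in disasm
            if addr < before and mnem in WRITERS and ops
            and "[" not in ops[0] and ops[0] in ALIASES[reg]]

def triage(disasm_text, regs_text):
    """Name the faulting store's base register, its value, and the earlier writes to it."""
    disasm, regs = parse_disasm(disasm_text), parse_regs(regs_text)
    rip = regs["rip"]
    mnem, ops = next((m, o) for a, m, o in disasm if a == rip)
    base = re.search(r"\[(\w+)", ops[0]).group(1)
    return {"fault": f"{mnem} {','.join(ops)}", "base_reg": base,
            "base_value": regs[base], "plausible_pointer": regs[base] >= 0x10000,
            "clobbers": register_writes(disasm, base, rip)}

if __name__ == "__main__":
    print(triage(DISASM, REGS))
```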