[Webkit-unassigned] [Bug 182705] New: REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 12 12:54:37 PST 2018 

https://bugs.webkit.org/show_bug.cgi?id=182705

            Bug ID: 182705
           Summary: REGRESSION(225695) : com.apple.WebKit.WebContent at
                    com.apple.JavaScriptCore: JSC::RegExp::match + 630 ::
                    stack overflow
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: msaboff at apple.com

Looks like adding the YARR JIT 8K buffer as a stack variable in https://trac.webkit.org/changeset/225695/webkit (relanded in https://trac.webkit.org/changeset/225930/webkit) causes an out of stack crash.  This buffer should be moved to the owning VM.

Crashes look similar to:
Thread 0 Crashed ↩:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib              0x00007fff5c5f4afe __pthread_kill + 10
1   libsystem_pthread.dylib             0x00007fff5c7b3150 pthread_kill + 333
2   libsystem_c.dylib                   0x00007fff5c55024d __abort + 144
3   libsystem_c.dylib                   0x00007fff5c550af8 __stack_chk_fail + 205
4   com.apple.JavaScriptCore            0x00007fff370da396 JSC::RegExp::match(JSC::VM&, WTF::String const&, unsigned int) + 630
5   com.apple.JavaScriptCore            0x00007fff37b1929b JSC::RegExpObject::matchInline(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*) + 235
6   com.apple.JavaScriptCore            0x00007fff37b1cd6b JSC::regExpProtoFuncTestFast(JSC::ExecState*) + 267
7   ???                                 0x00005db07fa01178 0 + 103012636823928
8   ???                                 0x00005db08054fc08 0 + 103012648680456
9   ???                                 0x00005db08054e42e 0 + 103012648674350
10  ???                                 0x00005db08055139b 0 + 103012648686491
11  ???                                 0x00005db0803e53c2 0 + 103012647195586
12  ???                                 0x00005db0805271d3 0 + 103012648514003
13  ???                                 0x00005db0804f1c31 0 + 103012648295473
14  com.apple.JavaScriptCore            0x00007fff372384be llint_entry + 28860
...

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180212/d54c6491/attachment.html>

More information about the webkit-unassigned mailing list