[Webkit-unassigned] [Bug 195906] New: JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
bugzilla-daemon at webkit.org
Mon Mar 18 13:26:32 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=195906
Bug ID: 195906
Summary: JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: msaboff at apple.com
After change set r242955: <https://trac.webkit.org/changeset/242955/webkit>, we are getting a crash in the test added as part of that change. The crash is due to out-of-stack when compiling the RegExp in the YARR JIT:
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_PROTECTION_FAILURE at 0x000000016eb43fa8
VM Region Info: 0x16eb43fa8 is in 0x16eb40000-0x16eb44000; bytes after start: 16296 bytes before end: 87
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
WebKit Malloc 0000000104000000-0000000104100000 [ 1024K] rw-/rwx SM=PRV
GAP OF 0x6aa40000 BYTES
---> STACK GUARD 000000016eb40000-000000016eb44000 [ 16K] ---/rwx SM=NUL ... for thread 0
Stack 000000016eb44000-000000016ec40000 [ 1008K] rw-/rwx SM=PRV thread 0
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [79242]
Triggered by Thread: 0
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 JavaScriptCore 0x00000001021d1450 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileParenthesesSubpattern(JSC::Yarr::PatternTerm*) + 40
1 JavaScriptCore 0x00000001021d0f94 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileAlternative(JSC::Yarr::PatternAlternative*) + 128
2 JavaScriptCore 0x00000001021d0f94 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileAlternative(JSC::Yarr::PatternAlternative*) + 128
3 JavaScriptCore 0x00000001021d1724 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileParenthesesSubpattern(JSC::Yarr::PatternTerm*) + 764
4 JavaScriptCore 0x00000001021d0f94 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileAlternative(JSC::Yarr::PatternAlternative*) + 128
5 JavaScriptCore 0x00000001021d1724 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileParenthesesSubpattern(JSC::Yarr::PatternTerm*) + 764
6 JavaScriptCore 0x00000001021d0f94 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileAlternative(JSC::Yarr::PatternAlternative*) + 128
7 JavaScriptCore 0x00000001021d1724 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileParenthesesSubpattern(JSC::Yarr::PatternTerm*) + 764
8 JavaScriptCore 0x00000001021d0f94 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileAlternative(JSC::Yarr::PatternAlternative*) + 128
9 JavaScriptCore 0x00000001021d1724 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileParenthesesSubpattern(JSC::Yarr::PatternTerm*) + 764
10 JavaScriptCore 0x00000001021d0f94 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileAlternative(JSC::Yarr::PatternAlternative*) + 128
11 JavaScriptCore 0x00000001021d1724 JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::opCompileParenthesesSubpattern(JSC::Yarr::PatternTerm*) + 764
...
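The frames above alternate between opCompileAlternative and opCompileParenthesesSubpattern, one pair per level of parenthesis nesting, until the thread hits its stack guard page. As an added illustration (not code from WebKit, YARR or the reporter), the toy recursive-descent pattern compiler below has the same mutual recursion but carries an explicit nesting counter, so excess depth becomes an ordinary compile error instead of a native stack overflow. MAX_NESTING and the grammar subset are assumptions for this example, not YARR's values.

```javascript
// Toy compiler for a regexp subset: literal characters, groups "( )" and "|".
// compileAlternative -> compileTerm -> compileGroup -> compileAlternative ...
// Each nesting level consumes native stack; the guard bounds that recursion.
const MAX_NESTING = 64; // assumed limit for the example, not a YARR constant

class PatternCompiler {
  constructor(pattern, maxNesting = MAX_NESTING) {
    this.src = pattern;
    this.pos = 0;
    this.depth = 0;           // current parenthesis nesting
    this.maxNesting = maxNesting;
  }
  compileAlternative() {      // alternative := term* ('|' term*)*
    const alts = [[]];
    while (this.pos < this.src.length) {
      const c = this.src[this.pos];
      if (c === ')') break;   // caller (compileGroup) consumes the ')'
      if (c === '|') { this.pos++; alts.push([]); continue; }
      alts[alts.length - 1].push(this.compileTerm());
    }
    return { type: 'alt', alts };
  }
  compileTerm() {
    if (this.src[this.pos] === '(') return this.compileGroup();
    return { type: 'char', c: this.src[this.pos++] };
  }
  compileGroup() {            // the recursive step that overflows when unbounded
    if (++this.depth > this.maxNesting)
      throw new SyntaxError(`nesting depth exceeds ${this.maxNesting}`);
    this.pos++;               // consume '('
    const body = this.compileAlternative();
    if (this.src[this.pos] !== ')') throw new SyntaxError('unterminated group');
    this.pos++;               // consume ')'
    this.depth--;
    return { type: 'group', body };
  }
}

// Returns {ok, ast} or {ok: false, error}; never lets the recursion run unbounded.
function compile(pattern, maxNesting) {
  const c = new PatternCompiler(pattern, maxNesting);
  try {
    const ast = c.compileAlternative();
    if (c.pos !== pattern.length) throw new SyntaxError('unmatched )');
    return { ok: true, ast };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed input: n nested groups around a single literal.
function nested(n) { return '('.repeat(n) + 'a' + ')'.repeat(n); }
```

With `maxNesting` set to `Infinity` and a large `nested(n)`, Node reports a catchable RangeError for the same recursion; a C++ compiler such as the JIT in the trace has no such safety net and faults on the guard page instead.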