[Webkit-unassigned] [Bug 273066] New: [Debug] ASSERTION FAILED: v <= 0

bugzilla-daemon at webkit.org
Mon Apr 22 05:54:01 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=273066

            Bug ID: 273066
           Summary: [Debug] ASSERTION FAILED: v <= 0
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: 2608053331 at qq.com

###### Webkit
9e5519436f6b4b766fe205d2adacf6668033e9bb

###### Build platform
Ubuntu 22.04.3

###### Build steps
```sh
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir="0422_debug" --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'"
```

###### Test case
```js
("py").search(("-256")[0]);
```

###### Execution steps
```sh
./jsc poc.js
```

###### Output
```text
ASSERTION FAILED: v <= 0
WTF/Headers/wtf/MathExtras.h(787) : typename std::enable_if_t<std::is_integral_v<T> && std::is_signed_v<T>, std::make_unsigned_t<T>> WTF::negate(T) [T = int]

Thread 1 "jsc" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff5aa3859 in __GI_abort () at abort.c:79
#2  0x00000000004277ca in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:862
#3  0x0000000002415c18 in WTF::negate<int> (v=<optimized out>) at WTF/Headers/wtf/MathExtras.h:787
#4  JSC::MacroAssemblerX86Common::sub32 (this=<optimized out>, this@entry=0xc0, src=JSC::X86Registers::esi, imm=..., imm@entry=..., dest=JSC::X86Registers::eax) at ../../../Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h:908
#5  0x0000000002404d65 in JSC::MacroAssembler::sub32 (this=<optimized out>, src=<optimized out>, src@entry=JSC::X86Registers::esi, imm=..., imm@entry=..., dest=<optimized out>, dest@entry=JSC::X86Registers::eax) at ../../../Source/JavaScriptCore/assembler/MacroAssembler.h:2167
#6  0x00000000023f57da in JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::generate (this=<optimized out>, this@entry=0x7fffffff9b88) at ../../../Source/JavaScriptCore/yarr/YarrJIT.cpp:2752
#7  0x00000000023d3196 in JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile (this=<optimized out>, this@entry=0x7fffffff9b88, codeBlock=...) at ../../../Source/JavaScriptCore/yarr/YarrJIT.cpp:4786
#8  0x00000000023d22c2 in JSC::Yarr::jitCompile (pattern=..., patternString=..., charSize=<optimized out>, charSize@entry=JSC::Yarr::CharSize::Char8, sampleString=..., vm=<optimized out>, vm@entry=0x7fffa9000000, codeBlock=..., mode=<optimized out>) at ../../../Source/JavaScriptCore/yarr/YarrJIT.cpp:5351
#9  0x0000000001e25c9f in JSC::RegExp::compileMatchOnly (this=this@entry=0x7fffeb0575d8, vm=vm@entry=0x7fffa9000000, charSize=JSC::Yarr::CharSize::Char8, sampleString=std::optional<WTF::StringView> = {...}) at ../../../Source/JavaScriptCore/runtime/RegExp.cpp:323
#10 0x0000000001e35ab3 in JSC::RegExp::compileIfNecessaryMatchOnly (this=this@entry=0x7fffeb0575d8, vm=..., charSize=JSC::Yarr::CharSize::Char8, sampleString=std::optional<WTF::StringView> = {...}) at ../../../Source/JavaScriptCore/runtime/RegExpInlines.h:242
#11 0x0000000001e2602b in JSC::RegExp::matchInline<(JSC::Yarr::MatchFrom)0> (this=0x7fffeb0575d8, nullOrGlobalObject=0x7fffa941a088, vm=..., s=..., startOffset=0) at ../../../Source/JavaScriptCore/runtime/RegExpInlines.h:253
#12 0x0000000000c8caff in JSC::RegExpGlobalData::performMatch (this=this@entry=0x7fffa941a888, owner=owner@entry=0x7fffa941a088, regExp=regExp@entry=0x7fffeb0575d8, string=string@entry=0x7fffa9462240, input=..., startOffset=startOffset@entry=0) at ../../../Source/JavaScriptCore/runtime/RegExpGlobalDataInlines.h:80
#13 0x0000000001e42a6a in JSC::regExpProtoFuncSearchFast (globalObject=0x7fffa941a088, callFrame=<optimized out>) at ../../../Source/JavaScriptCore/runtime/RegExpPrototype.cpp:394
#14 0x00007fffaabf0038 in ?? ()
#15 0x00007fffffffd370 in ?? ()
#16 0x00000000025240fa in llint_op_call ()
#17 0x0000000000000000 in ?? ()
```
