[Webkit-unassigned] [Bug 273066] New: [Debug] ASSERTION FAILED: v <= 0
bugzilla-daemon at webkit.org
Mon Apr 22 05:54:01 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=273066
Bug ID: 273066
Summary: [Debug] ASSERTION FAILED: v <= 0
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: 2608053331 at qq.com
###### Webkit
9e5519436f6b4b766fe205d2adacf6668033e9bb
###### Build platform
Ubuntu 22.04.3
###### Build steps
```sh
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir="0422_debug" --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'"
```
###### Test case
```js
("py").search(("-256")[0]);
```
###### Execution steps
```sh
./jsc poc.js
```
###### Output
```text
ASSERTION FAILED: v <= 0
WTF/Headers/wtf/MathExtras.h(787) : typename std::enable_if_t<std::is_integral_v<T> && std::is_signed_v<T>, std::make_unsigned_t<T>> WTF::negate(T) [T = int]
Thread 1 "jsc" received signal SIGABRT, Aborted.
__GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
pwndbg> bt
#0 __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff5aa3859 in __GI_abort () at abort.c:79
#2 0x00000000004277ca in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:862
#3 0x0000000002415c18 in WTF::negate<int> (v=<optimized out>) at WTF/Headers/wtf/MathExtras.h:787
#4 JSC::MacroAssemblerX86Common::sub32 (this=<optimized out>, this at entry=0xc0, src=JSC::X86Registers::esi, imm=..., imm at entry=..., dest=JSC::X86Registers::eax) at ../../../Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h:908
#5 0x0000000002404d65 in JSC::MacroAssembler::sub32 (this=<optimized out>, src=<optimized out>, src at entry=JSC::X86Registers::esi, imm=..., imm at entry=..., dest=<optimized out>, dest at entry=JSC::X86Registers::eax) at ../../../Source/JavaScriptCore/assembler/MacroAssembler.h:2167
#6 0x00000000023f57da in JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::generate (this=<optimized out>, this at entry=0x7fffffff9b88) at ../../../Source/JavaScriptCore/yarr/YarrJIT.cpp:2752
#7 0x00000000023d3196 in JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile (this=<optimized out>, this at entry=0x7fffffff9b88, codeBlock=...) at ../../../Source/JavaScriptCore/yarr/YarrJIT.cpp:4786
#8 0x00000000023d22c2 in JSC::Yarr::jitCompile (pattern=..., patternString=..., charSize=<optimized out>, charSize at entry=JSC::Yarr::CharSize::Char8, sampleString=..., vm=<optimized out>, vm at entry=0x7fffa9000000, codeBlock=..., mode=<optimized out>) at ../../../Source/JavaScriptCore/yarr/YarrJIT.cpp:5351
#9 0x0000000001e25c9f in JSC::RegExp::compileMatchOnly (this=this at entry=0x7fffeb0575d8, vm=vm at entry=0x7fffa9000000, charSize=JSC::Yarr::CharSize::Char8, sampleString=std::optional<WTF::StringView> = {...}) at ../../../Source/JavaScriptCore/runtime/RegExp.cpp:323
#10 0x0000000001e35ab3 in JSC::RegExp::compileIfNecessaryMatchOnly (this=this at entry=0x7fffeb0575d8, vm=..., charSize=JSC::Yarr::CharSize::Char8, sampleString=std::optional<WTF::StringView> = {...}) at ../../../Source/JavaScriptCore/runtime/RegExpInlines.h:242
#11 0x0000000001e2602b in JSC::RegExp::matchInline<(JSC::Yarr::MatchFrom)0> (this=0x7fffeb0575d8, nullOrGlobalObject=0x7fffa941a088, vm=..., s=..., startOffset=0) at ../../../Source/JavaScriptCore/runtime/RegExpInlines.h:253
#12 0x0000000000c8caff in JSC::RegExpGlobalData::performMatch (this=this at entry=0x7fffa941a888, owner=owner at entry=0x7fffa941a088, regExp=regExp at entry=0x7fffeb0575d8, string=string at entry=0x7fffa9462240, input=..., startOffset=startOffset at entry=0) at ../../../Source/JavaScriptCore/runtime/RegExpGlobalDataInlines.h:80
#13 0x0000000001e42a6a in JSC::regExpProtoFuncSearchFast (globalObject=0x7fffa941a088, callFrame=<optimized out>) at ../../../Source/JavaScriptCore/runtime/RegExpPrototype.cpp:394
#14 0x00007fffaabf0038 in ?? ()
#15 0x00007fffffffd370 in ?? ()
#16 0x00000000025240fa in llint_op_call ()
#17 0x0000000000000000 in ?? ()
```