Changeset 107647 in webkit for trunk/Source/JavaScriptCore/yarr

Timestamp:

Feb 13, 2012, 5:10:09 PM (13 years ago)

Author:

[email protected]

Message:

Executing out of bounds in JSC::Yarr::YarrCodeBlock::execute / JSC::RegExp::match
​https://bugs.webkit.org/show_bug.cgi?id=76315

Reviewed by Gavin Barraclough.

Perform a 3 byte compare using two comparisons, rather than trying to perform the
operation with a four byte load.

• yarr/YarrJIT.cpp:

(JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

File:

• trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

@@ -733 +733 @@
             }
             case 3: {
-                BaseIndex address(input, index, TimesOne, (startTermPosition - m_checked) * sizeof(LChar));
-                load32WithUnalignedHalfWords(address, character);
-                and32(Imm32(0xffffff), character);
-                break;
+                BaseIndex highAddress(input, index, TimesOne, (startTermPosition - m_checked) * sizeof(LChar));
+                load16(highAddress, character);
+                if (ignoreCaseMask)
+                    or32(Imm32(ignoreCaseMask), character);
+                op.m_jumps.append(branch32(NotEqual, character, Imm32((allCharacters & 0xffff) | ignoreCaseMask)));
+                op.m_jumps.append(jumpIfCharNotEquals(allCharacters >> 16, startTermPosition + 2 - m_checked, character));
+                return;
             }
             case 4: {