Changeset 168983 in webkit for trunk/Source/JavaScriptCore/yarr/YarrPattern.cpp

Timestamp:

May 16, 2014, 3:09:51 PM (11 years ago)

Author:

[email protected]

Message:

Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
​https://bugs.webkit.org/show_bug.cgi?id=133009

Reviewed by Oliver Hunt.

If we determine that any alternative requires a minumum match size greater than
INT_MAX, we handle the match in the interpreter.

Check to see if the pattern has unsigned lengths before invoking YARR JIT.

• runtime/RegExp.cpp:

(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):

• tests/stress/large-regexp.js: New test added.

Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
doesn't fit in an int.

• yarr/YarrPattern.cpp:

(JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

Clear new m_containsUnsignedLengthPattern flag.

• yarr/YarrPattern.cpp:

(JSC::Yarr::YarrPattern::YarrPattern):

• yarr/YarrPattern.h:

(JSC::Yarr::YarrPattern::reset):
(JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

File:

• trunk/Source/JavaScriptCore/yarr/YarrPattern.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/yarr/YarrPattern.cpp

@@ -667 +667 @@
             maximumCallFrameSize = std::max(maximumCallFrameSize, currentAlternativeCallFrameSize);
             hasFixedSize &= alternative->m_hasFixedSize;
+            if (alternative->m_minimumSize > INT_MAX)
+                m_pattern.m_containsUnsignedLengthPattern = true;
         }
         
@@ -865 +867 @@
     , m_containsBackreferences(false)
     , m_containsBOL(false)
+    , m_containsUnsignedLengthPattern(false)
     , m_numSubpatterns(0)
     , m_maxBackReference(0)