Timestamp:
Aug 23, 2017, 3:24:30 PM
Author:
[email protected]
Message:

REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
https://bugs.webkit.org/show_bug.cgi?id=175903

Reviewed by Saam Barati.

Source/JavaScriptCore:

In generateCharacterClassGreedy we were incrementing the "count" register before checking
for the end of the input string. The at-end-of-input check is the final check before
knowing that the current character matched. In this case, the end-of-input check
indicates that we ran out of prechecked characters and therefore should fail the match of
the current character. The backtracking code uses the value in the "count" register as
the number of characters that successfully matched, which shouldn't include the current
character. Therefore we need to move the incrementing of "count" to after the
at-end-of-input check.

Through code inspection of the expectations of other backtracking code, I determined that
the non-greedy character class matching code had a similar issue. I fixed that as well
and added a new test case.

  • yarr/YarrJIT.cpp:

(JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
(JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):

LayoutTests:

New regression test case.

  • js/regexp-unicode-expected.txt:
  • js/script-tests/regexp-unicode.js:
File:
1 edited

  • trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

    r221052 r221111  
    12691269        }
    12701270
    1271         add32(TrustedImm32(1), countRegister);
    12721271        add32(TrustedImm32(1), index);
    12731272#ifdef JIT_UNICODE_EXPRESSIONS
     
    12791278        }
    12801279#endif
     1280        add32(TrustedImm32(1), countRegister);
    12811281
    12821282        if (term->quantityMaxCount != quantifyInfinite) {
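Review bot: the relocated `add32(TrustedImm32(1), countRegister);` at line 1280 now follows the `#endif` of the JIT_UNICODE_EXPRESSIONS block, but the at-end-of-input check that the message says must precede it is not visible in this hunk's context; please confirm that every failure jump out of this character match (in both the surrogate-pair path and the build without JIT_UNICODE_EXPRESSIONS) is emitted before line 1280, otherwise the non-unicode path could still report one extra matched character to the backtracker.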
     
    13751375        }
    13761376
    1377         add32(TrustedImm32(1), countRegister);
    13781377        add32(TrustedImm32(1), index);
    13791378#ifdef JIT_UNICODE_EXPRESSIONS
    13801379        if (m_decodeSurrogatePairs) {
     1380            nonGreedyFailures.append(atEndOfInput());
    13811381            Jump isBMPChar = branch32(LessThan, character, supplementaryPlanesBase);
    13821382            add32(TrustedImm32(1), index);
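Review bot: the added `nonGreedyFailures.append(atEndOfInput());` at line 1380 runs after `add32(TrustedImm32(1), index);` at line 1377, so when it fires `index` has already been advanced by one while `countRegister` has not; the code that consumes `nonGreedyFailures` has to rewind `index` by that one step, and a short comment here saying so would make the invariant explicit. This check is also only emitted inside `if (m_decodeSurrogatePairs)`, so the non-surrogate path needs its own at-end-of-input check before line 1377 for the count fix to be complete.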
     
    13841384        }
    13851385#endif
     1386        add32(TrustedImm32(1), countRegister);
    13861387
    13871388        jump(op.m_reentry);
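Review bot: the message lists js/script-tests/regexp-unicode.js and js/regexp-unicode-expected.txt as changed, but this changeset shows only YarrJIT.cpp edited; the regression test exercising the moved `add32(TrustedImm32(1), countRegister);` at line 1386 should land with this change (or the changeset carrying it be referenced) so the fix is verifiable.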