Timestamp:
Apr 23, 2021, 4:06:12 PM (4 years ago)
Author:
[email protected]
Message:

[YARR Interpreter] Improper backtrack of parentheses with non-zero-based greedy quantifiers
https://bugs.webkit.org/show_bug.cgi?id=224983

Reviewed by Mark Lam.

When we backtrack a parentheses with a greedy non-zero-based quantifier,
we don't properly restore for the case where we hadn't reached the minimum count.
We now save the input position on entry and restore it when we backtrack for
this case. We also properly release the allocated ParenthesesDisjunctionContexts.

  • yarr/YarrInterpreter.cpp:

(JSC::Yarr::Interpreter::matchParentheses):
(JSC::Yarr::Interpreter::backtrackParentheses):

File:
1 edited

  • trunk/Source/JavaScriptCore/yarr/YarrInterpreter.cpp

    r274945 r276527  
    4646
    4747    struct BackTrackInfoParentheses {
     48        uintptr_t begin;
    4849        uintptr_t matchAmount;
    4950        ParenthesesDisjunctionContext* lastContext;
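Review bot: the new `begin` field is added without a comment saying what it holds; a one-line note such as `uintptr_t begin; // input position on entry, restored when backtracking below quantityMinCount` would make the restore path in backtrackParentheses self-explaining. Since the struct grows by one word and this changeset edits only YarrInterpreter.cpp, please also confirm that any fixed reservation of backtrack-frame space for parentheses terms still covers sizeof(BackTrackInfoParentheses).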
     
    10231024        ByteDisjunction* disjunctionBody = term.atom.parenthesesDisjunction;
    10241025
     1026        backTrack->begin = input.getPos();
    10251027        backTrack->matchAmount = 0;
    10261028        backTrack->lastContext = nullptr;
     
    11761178                freeParenthesesDisjunctionContext(context);
    11771179
    1178                 if (result != JSRegExpNoMatch || backTrack->matchAmount < term.atom.quantityMinCount)
     1180                if (backTrack->matchAmount < term.atom.quantityMinCount) {
     1181                    while (backTrack->matchAmount) {
     1182                        context = backTrack->lastContext;
     1183                        resetMatches(term, context);
     1184                        popParenthesesDisjunctionContext(backTrack);
     1185                        freeParenthesesDisjunctionContext(context);
     1186                    }
     1187
     1188                    input.setPos(backTrack->begin);
     1189                    return result;
     1190                }
     1191
     1192                if (result != JSRegExpNoMatch)
    11791193                    return result;
    11801194            }
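Review bot: the new `while (backTrack->matchAmount)` loop terminates only if popParenthesesDisjunctionContext decrements backTrack->matchAmount on every pass, which is not visible in this hunk; an ASSERT after the loop that matchAmount is 0 and lastContext is nullptr (or a comment stating the invariant) would guard against a silent infinite loop if that helper changes. The loop body also repeats the context = lastContext / resetMatches / pop / free sequence already used just above the new block, so a small helper would remove the duplication. Finally, the changeset lists only one edited file: a regression test for a pattern with a greedy {n,} group (n > 0) that backtracks below its minimum and must then resume at the group's entry position should accompany the fix.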