Changeset 38929 in webkit for trunk/JavaScriptCore

Timestamp:

Dec 2, 2008, 8:53:02 PM (16 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

2008-12-02 Geoffrey Garen <​[email protected]>

Reviewed by Cameron Zwarich.

Fixed ​https://bugs.webkit.org/show_bug.cgi?id=22537
REGRESSION (r38745): Assertion failure in jsSubstring() at ge.com

The bug was that index would become greater than length, so our
"end of input" checks, which all check "index == length", would fail.

The solution is to check for end of input before incrementing index,
to ensure that index is always <= length.

As a side benefit, generateJumpIfEndOfInput can now use je instead of
jg, which should be slightly faster.

• wrec/WREC.cpp: (JSC::WREC::Generator::compileRegExp):
• wrec/WRECGenerator.cpp: (JSC::WREC::Generator::generateJumpIfEndOfInput):

LayoutTests:

2008-12-02 Geoffrey Garen <​[email protected]>

Reviewed by Cameron Zwarich.

Test for ​https://bugs.webkit.org/show_bug.cgi?id=22537
REGRESSION (r38745): Assertion failure in jsSubstring() at ge.com

• fast/regex/alternative-length-miscalculation-expected.txt: Added.
• fast/regex/alternative-length-miscalculation.html: Added.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• wrec/WREC.cpp (modified) (1 diff)
• wrec/WRECGenerator.cpp (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2008-12-02  Geoffrey Garen  <[email protected]>
+
+        Reviewed by Cameron Zwarich.
+        
+        Fixed https://bugs.webkit.org/show_bug.cgi?id=22537
+        REGRESSION (r38745): Assertion failure in jsSubstring() at ge.com
+
+        The bug was that index would become greater than length, so our
+        "end of input" checks, which all check "index == length", would fail.
+        
+        The solution is to check for end of input before incrementing index,
+        to ensure that index is always <= length.
+        
+        As a side benefit, generateJumpIfEndOfInput can now use je instead of
+        jg, which should be slightly faster.
+
+        * wrec/WREC.cpp:
+        (JSC::WREC::Generator::compileRegExp):
+        * wrec/WRECGenerator.cpp:
+        (JSC::WREC::Generator::generateJumpIfEndOfInput):
+
 2008-12-02  Gavin Barraclough  <[email protected]>
 

trunk/JavaScriptCore/wrec/WREC.cpp

@@ -61 +61 @@
 
     failures.link();
+    generator.generateJumpIfEndOfInput(failures);
     generator.generateIncrementIndex();
-    generator.generateJumpIfEndOfInput(failures);
     parser.parsePattern(failures);
     generator.generateReturnSuccess();

trunk/JavaScriptCore/wrec/WRECGenerator.cpp

@@ -114 +114 @@
 void Generator::generateJumpIfEndOfInput(JumpList& failures)
 {
-    failures.append(jg32(index, length));
+    failures.append(je32(length, index));
 }