https://bugs.webkit.org/show_bug.cgi?id=61585
author    barraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 23 Jun 2011 21:35:50 +0000 (21:35 +0000)
committer barraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 23 Jun 2011 21:35:50 +0000 (21:35 +0000)
commit    659bf0f8ad71b999aad776e5ded9b80078aedf65
tree      1b31d16610c7b98df8b0b5e432632f5e16a74bb6
parent    e5a7cd97cec4b088d056b3eb80bbd3af05b0065c
https://bugs.webkit.org/show_bug.cgi?id=61585
Crash running regexp /(?:(?=g))|(?:m).{2147483648,}/

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

This is due to use of int instead of unsigned, bad math around
the 2^31 boundary.

* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::emitDisjunction):
    - Change some uses of int to unsigned, refactor compare logic to
      restrict to the range 0..2^32-1 (rather than -2^32-1..2^32-1).
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
    - Ditto.

LayoutTests:

Add regression tests where an alternative has a size of ~2^31.

* fast/regex/overflow-expected.txt: Added.
* fast/regex/overflow.html: Added.
* fast/regex/script-tests/overflow.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@89614 268f45cc-cd09-0410-ab3c-d52691b4dbfc
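The ChangeLog attributes the crash to int arithmetic around the 2^31 boundary when a quantifier such as `.{2147483648,}` is compiled. The following is an added illustration of that class of defect, not code from Yarr or from this commit: a simplified "is there enough input left for the minimum repetition count?" check written once with a signed int (the pattern the ChangeLog describes fixing) and once in unsigned arithmetic restricted to 0..2^32-1. The function names, the two-character subject string and the driver that reports the last index a matcher would touch are all constructed for the example; the real engine's bound checks are structured differently.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <string>

// Constructed values, not taken from Yarr: the lower bound of the quantifier
// in /.{2147483648,}/ (exactly 2^31) and a short subject string.
static const unsigned kQuantifierMin = 2147483648u;
static const std::string kSubject = "ab";

// Buggy variant: the minimum repetition count and the remaining input length
// are handled as int. Converting 2^31 to a 32-bit int yields INT_MIN on every
// mainstream compiler (and is defined to do so since C++20), so the "enough
// input left?" test passes regardless of how short the subject is.
bool enoughInputSigned(unsigned inputLength, unsigned position, unsigned quantifierMin) {
    int remaining = static_cast<int>(inputLength - position);
    int needed = static_cast<int>(quantifierMin);   // 2^31 wraps to -2^31
    return remaining >= needed;                      // always true once needed is negative
}

// Fixed variant: stay in unsigned arithmetic so the comparison ranges over
// 0..2^32-1 exactly, which is the change the ChangeLog describes.
bool enoughInputUnsigned(unsigned inputLength, unsigned position, unsigned quantifierMin) {
    if (position > inputLength)
        return false;                                // defensive: out-of-range position
    return inputLength - position >= quantifierMin;
}

// Drives one "match the quantified atom at least quantifierMin times" step
// with the supplied check and returns the highest subject index the matcher
// would read, or -1 if the check rejects the input. Returning the index rather
// than dereferencing keeps the demonstration safe; in an engine, passing the
// signed check with too little input means reading past the subject buffer.
long long lastIndexTouched(bool (*check)(unsigned, unsigned, unsigned),
                           const std::string& subject, unsigned position,
                           unsigned quantifierMin) {
    unsigned length = static_cast<unsigned>(subject.size());
    if (!check(length, position, quantifierMin))
        return -1;
    return static_cast<long long>(position) + quantifierMin - 1;
}

int main() {
    std::printf("signed check:   last index %lld (subject length %zu)\n",
                lastIndexTouched(enoughInputSigned, kSubject, 0, kQuantifierMin),
                kSubject.size());
    std::printf("unsigned check: last index %lld\n",
                lastIndexTouched(enoughInputUnsigned, kSubject, 0, kQuantifierMin));
    return 0;
}
```

With the two-character subject, the signed check accepts the match and reports index 2147483647 as the last character it would read; the unsigned check rejects it. The same unsigned check still accepts a subject that really does have 2^31 characters available, so the fix narrows nothing that the pattern legitimately matches.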
LayoutTests/ChangeLog
LayoutTests/fast/regex/overflow-expected.txt [new file with mode: 0644]
LayoutTests/fast/regex/overflow.html [new file with mode: 0644]
LayoutTests/fast/regex/script-tests/overflow.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Source/JavaScriptCore/yarr/YarrJIT.cpp