RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 16 Feb 2019 01:13:57 +0000 (01:13 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 16 Feb 2019 01:13:57 +0000 (01:13 +0000)
commita20588f8d687724f265c220526b2ae11a50f89f0
tree35541c174448e6f640ca013288ec3c7755d373ac
parent92ab40e21a37fa113de1a22ae9cb5079d321b1ae
RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
https://bugs.webkit.org/show_bug.cgi?id=194558

Reviewed by Saam Barati.

JSTests:

New regression test.

* stress/regexp-unicode-within-string.js: Added.

Source/JavaScriptCore:

Added an in bounds check before the read of the next character for Unicode regular expressions
for pattern generation that didn't already have such checks.

* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
(JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
(JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
(JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241634 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regexp-unicode-within-string.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/yarr/YarrJIT.cpp