Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternC...
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 May 2014 22:09:51 +0000 (22:09 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 May 2014 22:09:51 +0000 (22:09 +0000)
commitbe5c60d4a23871c0f61458b527ba7196054128a6
tree2cf6e4f4c42202d4217a6da7c88b157efb1ed38c
parent1f89bffae6b04403122e3888617ec0ff44c696f3
Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
https://bugs.webkit.org/show_bug.cgi?id=133009

Reviewed by Oliver Hunt.

If we determine that any alternative requires a minumum match size greater than
INT_MAX, we handle the match in the interpreter.

Check to see if the pattern has unsigned lengths before invoking YARR JIT.
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):

* tests/stress/large-regexp.js: New test added.

Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
doesn't fit in an int.
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

Clear new m_containsUnsignedLengthPattern flag.
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPattern::YarrPattern):
* yarr/YarrPattern.h:
(JSC::Yarr::YarrPattern::reset):
(JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@168983 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/RegExp.cpp
Source/JavaScriptCore/tests/stress/large-regexp.js [new file with mode: 0644]
Source/JavaScriptCore/yarr/YarrPattern.cpp
Source/JavaScriptCore/yarr/YarrPattern.h