REGRESSION (r243642): Crash in reddit.com page
Author: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 7 Apr 2019 23:24:45 +0000 (23:24 +0000)
Committer: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 7 Apr 2019 23:24:45 +0000 (23:24 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196684

Reviewed by Geoffrey Garen.

JSTests:

New regression test.

* stress/regexp-nongreedy-charclass-backtracks.js: Added.

Source/JavaScriptCore:

In r243642, the code that saves and restores the count for non-greedy character classes
was inadvertently put inside an if statement.  This code should be generated for all
non-greedy character classes.

* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
(JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243967 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regexp-nongreedy-charclass-backtracks.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/yarr/YarrJIT.cpp
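The save-and-restore of the per-term count that the commit message describes, shown as an added JavaScript example (not WebKit or Yarr code): a minimal backtracking matcher in which each character-class term's `count` is the state a backtrack must resume from, which is the value the JIT keeps in the `matchAmountIndex()` frame slot. `TERMS` is a hand transcription of the regression test's pattern, `SAMPLES` are constructed inputs, and `referenceSearch`/`agreesWithNative` are names chosen here; the matcher is then checked against the engine's own `RegExp` on the same inputs.

```javascript
// Added example, not WebKit code: a small backtracking matcher that keeps the
// per-term match count of a character class explicit.  In YarrJIT that count
// is what generateCharacterClassNonGreedy stores to the backtrack frame and
// backtrackCharacterClassNonGreedy reloads before extending the match by one.
//
// Supported terms: literal text, and a character class with a quantifier.
// Hand transcription of the regression test's pattern:
//   /[^\/]+\/xxx\/[^\/]+?\/[^\/]+?\/[^\/]+?/
const NOT_SLASH = { type: 'class', negate: true, chars: '/', min: 1, max: Infinity };
const TERMS = [
  { ...NOT_SLASH, greedy: true },
  { type: 'lit', text: '/xxx/' },
  { ...NOT_SLASH, greedy: false },
  { type: 'lit', text: '/' },
  { ...NOT_SLASH, greedy: false },
  { type: 'lit', text: '/' },
  { ...NOT_SLASH, greedy: false },
];

function inClass(term, ch) {
  const hit = term.chars.includes(ch);
  return term.negate ? !hit : hit;
}

// Returns the end index of a match of terms[ti..] starting at pos, or -1.
function matchTerms(terms, str, pos, ti) {
  if (ti === terms.length) return pos;
  const t = terms[ti];
  if (t.type === 'lit') {
    if (!str.startsWith(t.text, pos)) return -1;
    return matchTerms(terms, str, pos + t.text.length, ti + 1);
  }
  // Character class.  `count` is how many characters this term currently
  // consumes; it is the state that must survive a backtrack into this term.
  let count = 0;
  if (t.greedy) {
    // Greedy: take as many as possible, then give back one per backtrack.
    while (count < t.max && pos + count < str.length && inClass(t, str[pos + count])) count++;
    for (; count >= t.min; count--) {
      const end = matchTerms(terms, str, pos + count, ti + 1);
      if (end >= 0) return end;
    }
    return -1;
  }
  // Non-greedy: take the minimum, then take one more per backtrack.  If the
  // saved count were not restored here (the r243642 regression in the
  // non-unicode JIT path), the backtrack would resume from a stale count.
  while (count < t.min) {
    if (pos + count >= str.length || !inClass(t, str[pos + count])) return -1;
    count++;
  }
  for (;;) {
    const end = matchTerms(terms, str, pos + count, ti + 1);
    if (end >= 0) return end;
    // Backtrack into this term: restore count, try one more character.
    if (count >= t.max || pos + count >= str.length || !inClass(t, str[pos + count])) return -1;
    count++;
  }
}

// Unanchored search like RegExp.prototype.exec: try each start position.
function referenceSearch(terms, str) {
  for (let start = 0; start <= str.length; start++) {
    const end = matchTerms(terms, str, start, 0);
    if (end >= 0) return str.slice(start, end);
  }
  return null;
}

// Does the reference matcher agree with the engine's RegExp on this input?
function agreesWithNative(str) {
  const native = /[^\/]+\/xxx\/[^\/]+?\/[^\/]+?\/[^\/]+?/.exec(str);
  return referenceSearch(TERMS, str) === (native === null ? null : native[0]);
}

// Constructed inputs: the two non-matching strings from the regression test
// plus one that must match, so both outcomes of the backtracking are exercised.
const SAMPLES = [
  'blah/xxx/blah/blah_blah_blah_blah_blah_blah_blah_blah_blah_blah/',
  'blah/xxx/blah/blah_blah_blah_blah/',
  'blah/xxx/a/bb/ccc',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(referenceSearch(TERMS, s)),
              agreesWithNative(s) ? '(agrees with RegExp)' : '(DISAGREES with RegExp)');
}
```

The third sample shows why a correct count restore matters: the middle `[^\/]+?` first takes `b`, fails on the following literal `/`, and only succeeds after the backtrack extends its count to 2; the trailing `[^\/]+?` then stops after a single `c`.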

index 35204b1..9f2d760 100644 (file)
@@ -1,3 +1,14 @@
+2019-04-07  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION (r243642): Crash in reddit.com page
+        https://bugs.webkit.org/show_bug.cgi?id=196684
+
+        Reviewed by Geoffrey Garen.
+
+        New regression test.
+
+        * stress/regexp-nongreedy-charclass-backtracks.js: Added.
+
 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
diff --git a/JSTests/stress/regexp-nongreedy-charclass-backtracks.js b/JSTests/stress/regexp-nongreedy-charclass-backtracks.js
new file mode 100644 (file)
index 0000000..20da3fd
--- /dev/null
@@ -0,0 +1,15 @@
+// The regression test checks that multiple non-greedy character classes backtrack properly.
+
+let re = /[^\/]+\/xxx\/[^\/]+?\/[^\/]+?\/[^\/]+?/;
+let str;
+let match;
+
+str = "blah/xxx/blah/blah_blah_blah_blah_blah_blah_blah_blah_blah_blah/";
+match = re.exec(str);
+if (match !== null)
+    throw(re + ".exec(\"" + str + "\") Should not have matched!");
+
+str = "blah/xxx/blah/blah_blah_blah_blah/";
+match = re.exec(str);
+if (match !== null)
+    throw(re + ".exec(\"" + str + "\") Should not have matched!");
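Review bot: the test only asserts non-matches, so a restored count that makes a non-greedy class give up too early (a spurious failure rather than a crash) would still pass; add at least one input that must match, e.g. `"blah/xxx/a/bb/ccc"` with the expected `match[0]` of `"blah/xxx/a/bb/c"`, and compare against it. The pattern has no `u` flag, so it covers the non-unicode path that r243642 broke, but the same pattern with `u` would also cover the `m_decodeSurrogatePairs` path whose `beginIndex()` store stays inside the `if`; a `/u` variant in the same file is cheap. Minor: `throw(re + ...)` throws a string, and `throw new Error(...)` would give a stack in the test output.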
index a48b210..8cebf5f 100644 (file)
@@ -1,3 +1,18 @@
+2019-04-07  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION (r243642): Crash in reddit.com page
+        https://bugs.webkit.org/show_bug.cgi?id=196684
+
+        Reviewed by Geoffrey Garen.
+
+        In r243642, the code that saves and restores the count for non-greedy character classes
+        was inadvertently put inside an if statement.  This code should be generated for all
+        non-greedy character classes.
+
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
+        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
+
 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
index d2e9eec..0f51bd3 100644 (file)
@@ -1943,11 +1943,15 @@ class YarrGenerator : public YarrJITInfo, private MacroAssembler {
 
         move(TrustedImm32(0), countRegister);
         op.m_reentry = label();
+
+#ifdef JIT_UNICODE_EXPRESSIONS
         if (m_decodeSurrogatePairs) {
             if (!term->characterClass->hasOneCharacterSize() || term->invert())
                 storeToFrame(index, term->frameLocation + BackTrackInfoCharacterClass::beginIndex());
-            storeToFrame(countRegister, term->frameLocation + BackTrackInfoCharacterClass::matchAmountIndex());
         }
+#endif
+
+        storeToFrame(countRegister, term->frameLocation + BackTrackInfoCharacterClass::matchAmountIndex());
     }
 
     void backtrackCharacterClassNonGreedy(size_t opIndex)
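Review bot: the now unconditional `storeToFrame(countRegister, ... matchAmountIndex())` sits directly after `op.m_reentry = label();`, so it runs on first entry and on every re-entry from backtrackCharacterClassNonGreedy, which is what the unconditional load on the backtrack side relies on, but nothing at this line says so. Add a one-line comment above the store stating that the slot is read unconditionally on backtrack and must therefore be written for every non-greedy character class, with or without surrogate-pair decoding; that is the invariant r243642 broke by moving the store inside `if (m_decodeSurrogatePairs)`, and a comment makes the pairing harder to break again. The `#ifdef JIT_UNICODE_EXPRESSIONS` added around the surrogate-pair block matches the `#endif` already present in the backtrack function, which keeps the two sides consistent.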
@@ -1966,10 +1970,11 @@ class YarrGenerator : public YarrJITInfo, private MacroAssembler {
         if (m_decodeSurrogatePairs) {
             if (!term->characterClass->hasOneCharacterSize() || term->invert())
                 loadFromFrame(term->frameLocation + BackTrackInfoCharacterClass::beginIndex(), index);
-            loadFromFrame(term->frameLocation + BackTrackInfoCharacterClass::matchAmountIndex(), countRegister);
         }
 #endif
 
+        loadFromFrame(term->frameLocation + BackTrackInfoCharacterClass::matchAmountIndex(), countRegister);
+
         nonGreedyFailures.append(atEndOfInput());
         nonGreedyFailures.append(branch32(Equal, countRegister, Imm32(term->quantityMaxCount.unsafeGet())));
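Review bot: with the load moved outside `if (m_decodeSurrogatePairs)`, `BackTrackInfoCharacterClass::matchAmountIndex()` is read for every non-greedy character class, unicode or not; the frame-size accounting that reserves that slot is not in this diff, so please confirm it reserves `matchAmountIndex()` for all non-greedy character class terms rather than only when surrogate pairs are decoded, otherwise this load and the matching store would alias a neighbouring term's backtrack slot. The reloaded `countRegister` is compared against `term->quantityMaxCount` two lines later and so directly controls how far the non-greedy loop advances, which is the kind of state mismatch the commit message attributes the crash to; an assertion or comment tying this load to the store in generateCharacterClassNonGreedy would make the pairing explicit.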