REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrect...
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Sep 2017 05:15:50 +0000 (05:15 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Sep 2017 05:15:50 +0000 (05:15 +0000)
https://bugs.webkit.org/show_bug.cgi?id=177570

Reviewed by Filip Pizlo.

JSTests:

New regression test.

* stress/regress-177570.js: Added.

Source/JavaScriptCore:

The change in r210837 neglected to change the check in Interpreter::backtrackParentheses() that
greedy parenthesis have backtracked as far as possible.  Prior to r210837 when non-zero minimum greedy
parenthesis were factored into a fixed component and then a zero-based variable component.  After
r210837, the variable component is not zero based and the check needs to compare the
backTrack->matchAmount with the quantity iminimum count.

* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::backtrackParentheses):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222601 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-177570.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/yarr/YarrInterpreter.cpp

index acce999..ba79841 100644 (file)
@@ -1,3 +1,14 @@
+2017-09-27  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
+        https://bugs.webkit.org/show_bug.cgi?id=177570
+
+        Reviewed by Filip Pizlo.
+
+        New regression test.
+
+        * stress/regress-177570.js: Added.
+
 2017-09-28  Michael Saboff  <msaboff@apple.com>
 
         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
diff --git a/JSTests/stress/regress-177570.js b/JSTests/stress/regress-177570.js
new file mode 100644 (file)
index 0000000..70c8e56
--- /dev/null
@@ -0,0 +1,4 @@
+// Regression test for bug 177570
+
+if (/(Q)+|(\S)+Z/.test("Z "))
+    throw "/(Q)+|(\S)+Z/.test(\"Z \") should fail, but actually succeeds";
index 3398d0e..4ab3116 100644 (file)
@@ -1,3 +1,19 @@
+2017-09-27  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
+        https://bugs.webkit.org/show_bug.cgi?id=177570
+
+        Reviewed by Filip Pizlo.
+
+        The change in r210837 neglected to change the check in Interpreter::backtrackParentheses() that
+        greedy parenthesis have backtracked as far as possible.  Prior to r210837 when non-zero minimum greedy
+        parenthesis were factored into a fixed component and then a zero-based variable component.  After
+        r210837, the variable component is not zero based and the check needs to compare the
+        backTrack->matchAmount with the quantity iminimum count.
+
+        * yarr/YarrInterpreter.cpp:
+        (JSC::Yarr::Interpreter::backtrackParentheses):
+
 2017-09-28  Michael Saboff  <msaboff@apple.com>
 
         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
index edafef2..48c4a8f 100644 (file)
@@ -1032,7 +1032,7 @@ public:
         }
 
         case QuantifierGreedy: {
-            if (!backTrack->matchAmount)
+            if (backTrack->matchAmount == term.atom.quantityMinCount)
                 return JSRegExpNoMatch;
 
             ParenthesesDisjunctionContext* context = backTrack->lastContext;