Yarr crash with regexp replace
author msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Feb 2012 02:19:01 +0000 (02:19 +0000)
committer msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Feb 2012 02:19:01 +0000 (02:19 +0000)
https://bugs.webkit.org/show_bug.cgi?id=67454

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

Properly handle the case of a back reference to an unmatched
subpattern by always matching without consuming any characters.

* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::matchBackReference):
(JSC::Yarr::Interpreter::backtrackBackReference):

LayoutTests:

New tests to check for proper handling of back references to
unmatched subpatterns.

* fast/js/regexp-backreferences-expected.txt:
* fast/js/script-tests/regexp-backreferences.js:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@106521 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/js/regexp-backreferences-expected.txt
LayoutTests/fast/js/script-tests/regexp-backreferences.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/yarr/YarrInterpreter.cpp

index 388cc5a..66df37b 100644 (file)
@@ -1,3 +1,16 @@
+2012-02-01  Michael Saboff  <msaboff@apple.com>
+
+        Yarr crash with regexp replace
+        https://bugs.webkit.org/show_bug.cgi?id=67454
+
+        Reviewed by Gavin Barraclough.
+
+        New tests to check for proper handling of back references to
+        unmatched subpatterns.
+
+        * fast/js/regexp-backreferences-expected.txt:
+        * fast/js/script-tests/regexp-backreferences.js:
+
 2012-02-01  Pablo Flouret  <pablof@motorola.com>
 
         Support targetOrigin = "/" in postMessage for sending messages to same origin as source document.
index 146b66a..d07f37e 100644 (file)
@@ -13,6 +13,8 @@ PASS /\2(...)$/.test('abcabc') is false
 PASS /\2(...)$/.test('abc') is false
 PASS /\1?(...)$/.test('abc') is true
 PASS /\1?(...)$/.test('abc') is true
+PASS re.test('axabcd') is false
+PASS re.test('axabcsz') is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
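Review bot: The two added PASS lines print only re.test('axabcd') and re.test('axabcsz'), so the expected output does not show which pattern was exercised, unlike the neighbouring entries that print the regex literal. Inlining the literal in the shouldBe strings, or printing the pattern source before these checks, would let a failure be diagnosed from this file alone.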
index 24da4dd..de3ba27 100644 (file)
@@ -10,3 +10,8 @@ shouldBeFalse("/\\2(...)$/.test('abcabc')");
 shouldBeFalse("/\\2(...)$/.test('abc')");
 shouldBeTrue("/\\1?(...)$/.test('abc')");
 shouldBeTrue("/\\1?(...)$/.test('abc')");
+
+re = new RegExp("[^b]*((..)|(\\2))+Sz", "i");
+
+shouldBeFalse("re.test('axabcd')");
+shouldBeTrue("re.test('axabcsz')");
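Review bot: Both added checks go through re.test(), while the bug title is a crash with regexp replace, so the reported entry point is not covered. Add a case that runs the same pattern through replace() on 'axabcd' and 'axabcsz'. A one-line comment above the RegExp noting that (\\2) refers to a group that has not participated in the match would also make clear why this pattern was chosen.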
index cd89c2f..1f53cd7 100644 (file)
@@ -1,3 +1,17 @@
+2012-02-01  Michael Saboff  <msaboff@apple.com>
+
+        Yarr crash with regexp replace
+        https://bugs.webkit.org/show_bug.cgi?id=67454
+
+        Reviewed by Gavin Barraclough.
+
+        Properly handle the case of a back reference to an unmatched
+        subpattern by always matching without consuming any characters.
+
+        * yarr/YarrInterpreter.cpp:
+        (JSC::Yarr::Interpreter::matchBackReference):
+        (JSC::Yarr::Interpreter::backtrackBackReference):
+
 2012-02-01  Gavin Barraclough  <barraclough@apple.com>
 
         calling function on catch block scope containing an eval result in wrong this value being passed
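Review bot: The entry lists both matchBackReference and backtrackBackReference but describes a single behaviour, "always matching without consuming any characters". In the patch the backtrack path returns false for an unset matchBegin, so the description fits only the match path. A per-function line (match: succeed with an empty match; backtrack: nothing to backtrack into) would keep the log accurate.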
index f1c5021..a452bb7 100644 (file)
@@ -565,7 +565,10 @@ public:
         if (matchEnd == -1)
             return true;
 
-        ASSERT((matchBegin == -1) || (matchBegin <= matchEnd));
+        if (matchBegin == -1)
+            return true;
+
+        ASSERT(matchBegin <= matchEnd);
 
         if (matchBegin == matchEnd)
             return true;
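Review bot: The new matchBegin == -1 early return sits directly below the existing matchEnd == -1 early return and has the same result, so the two can be folded into one test, `if (matchBegin == -1 || matchEnd == -1) return true;`, with a comment saying that an unset capture matches the empty string. The old ASSERT explicitly allowed matchBegin == -1 to fall through to the code below, and ASSERT is compiled out of release builds, so state in the comment that this runtime check is what guards the unset case now, to keep it from being removed later as redundant.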
@@ -607,7 +610,11 @@ public:
 
         int matchBegin = output[(term.atom.subpatternId << 1)];
         int matchEnd = output[(term.atom.subpatternId << 1) + 1];
-        ASSERT((matchBegin == -1) || (matchBegin <= matchEnd));
+
+        if (matchBegin == -1)
+            return false;
+
+        ASSERT(matchBegin <= matchEnd);
 
         if (matchBegin == matchEnd)
             return false;
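Review bot: Only matchBegin is tested against -1 here, while both matchBegin and matchEnd are read from output[] just above and matchBackReference handles matchEnd == -1 separately. If a set matchBegin with an unset matchEnd can reach this function, ASSERT(matchBegin <= matchEnd) fires in debug builds and release builds continue with a negative end. Either test both values (`if (matchBegin == -1 || matchEnd == -1) return false;`) or add a comment stating why matchEnd cannot be -1 at this point.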