From a65dc54d30034f739827937e1424347e49df2794 Mon Sep 17 00:00:00 2001 From: "msaboff@apple.com" Date: Fri, 27 Oct 2017 00:31:50 +0000 Subject: [PATCH] REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum https://bugs.webkit.org/show_bug.cgi?id=178890 Reviewed by Keith Miller. JSTests: New regression test. * stress/regress-178890.js: Added. Source/JavaScriptCore: We need to let a contained subpattern backtrack before declaring that the containing parenthesis doesn't match. If the subpattern fails to match backtracking, then we can check to see if we trying to backtrack below the minimum match count. * yarr/YarrInterpreter.cpp: (JSC::Yarr::Interpreter::backtrackParentheses): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224072 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- JSTests/ChangeLog | 11 +++++++++++ JSTests/stress/regress-178890.js | 4 ++++ Source/JavaScriptCore/ChangeLog | 14 ++++++++++++++ Source/JavaScriptCore/yarr/YarrInterpreter.cpp | 4 ++-- 4 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 JSTests/stress/regress-178890.js diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog index 352a8ef..ce6e175 100644 --- a/JSTests/ChangeLog +++ b/JSTests/ChangeLog @@ -1,3 +1,14 @@ +2017-10-26 Michael Saboff + + REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum + https://bugs.webkit.org/show_bug.cgi?id=178890 + + Reviewed by Keith Miller. + + New regression test. + + * stress/regress-178890.js: Added. + 2017-10-26 Mark Lam JSRopeString::RopeBuilder::append() should check for overflows. diff --git a/JSTests/stress/regress-178890.js b/JSTests/stress/regress-178890.js new file mode 100644 index 0000000..78b566f --- /dev/null +++ b/JSTests/stress/regress-178890.js @@ -0,0 +1,4 @@ +// Regression test for bug 178890 + +if (!/:(?:\w)+\(([']?)((?:\([^\)]+\)|[^\(\)]*){1,2})\1\)/.test(":not('.hs-processed')")) + throw "/:(?:\w)+\(([']?)((?:\([^\)]+\)|[^\(\)]*){1,2})\1\)/.test(\":not('.hs-processed')\") should succeed, but actually fails"; diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog index db7e7d7..5e550ef 100644 --- a/Source/JavaScriptCore/ChangeLog +++ b/Source/JavaScriptCore/ChangeLog @@ -1,3 +1,17 @@ +2017-10-26 Michael Saboff + + REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum + https://bugs.webkit.org/show_bug.cgi?id=178890 + + Reviewed by Keith Miller. + + We need to let a contained subpattern backtrack before declaring that the containing + parenthesis doesn't match. If the subpattern fails to match backtracking, then we + can check to see if we trying to backtrack below the minimum match count. + + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::backtrackParentheses): + 2017-10-26 Mark Lam JSRopeString::RopeBuilder::append() should check for overflows. diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp index bbfd9bf..9345b87 100644 --- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp +++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp @@ -1110,7 +1110,7 @@ public: } case QuantifierGreedy: { - if (backTrack->matchAmount == term.atom.quantityMinCount) + if (!backTrack->matchAmount) return JSRegExpNoMatch; ParenthesesDisjunctionContext* context = backTrack->lastContext; @@ -1136,7 +1136,7 @@ public: popParenthesesDisjunctionContext(backTrack); freeParenthesesDisjunctionContext(context); - if (result != JSRegExpNoMatch) + if (result != JSRegExpNoMatch || backTrack->matchAmount < term.atom.quantityMinCount) return result; } -- 1.8.3.1