Changeset 295066 in webkit

Timestamp:

May 31, 2022 2:22:49 PM (2 years ago)

Author:

msaboff@apple.com

Message:

ASSERTION FAILED: regExp->isValid() LLIntSlowPaths.cpp(625)
​https://bugs.webkit.org/show_bug.cgi?id=241107
<rdar://93369481>

Reviewed by Mark Lam.

We can remove this ASSERT(regExp->isValid()) and others like it that are used for NewRegExp
bytecode processing because subsequent code already must handle the invalid case. These code
paths may create a new RegExp or retrieve a cached RegExp. For the case where a RegExp is
created for the first time it is valid or we wouldn't have generated the NewRegExp bytecode.
This valid RegExp can subsequently be marked with an error if it fails YARR RegExp engine JIT
code or interpreter bytecode generation. Matching with a RegExp with one of these generation
errors properly throws a Syntax error. These ASSERTs fail when the NewRegExp processing
retrieves an already cached RegExp, with a generation error. The matching code will still
throw a Syntax Error.

• JSTests/stress/regexp-late-compilation-error.js: Added.

(testRegExp1):
(testRegExp2):
(test):

• Source/JavaScriptCore/dfg/DFGOperations.cpp:

(JSC::DFG::JSC_DEFINE_JIT_OPERATION):

• Source/JavaScriptCore/jit/JITOperations.cpp:

(JSC::JSC_DEFINE_JIT_OPERATION):

• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

Canonical link: ​https://commits.webkit.org/251161@main

Location:

trunk

Files:

• JSTests/stress/regexp-late-compilation-error.js (added)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -2503 +2503 @@
 
     RegExp* regexp = static_cast<RegExp*>(regexpPtr);
-    ASSERT(regexp->isValid());
     return RegExpObject::create(vm, globalObject->regExpStructure(), regexp, JSValue::decode(encodedLastIndex));
 }

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1822 +1822 @@
 
     RegExp* regexp = static_cast<RegExp*>(regexpPtr);
-    ASSERT(regexp->isValid());
     static constexpr bool areLegacyFeaturesEnabled = true;
     return RegExpObject::create(vm, globalObject->regExpStructure(), regexp, areLegacyFeaturesEnabled);

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -623 +623 @@
     auto bytecode = pc->as<OpNewRegexp>();
     RegExp* regExp = jsCast<RegExp*>(getOperand(callFrame, bytecode.m_regexp));
-    ASSERT(regExp->isValid());
     static constexpr bool areLegacyFeaturesEnabled = true;
     LLINT_RETURN(RegExpObject::create(vm, globalObject->regExpStructure(), regExp, areLegacyFeaturesEnabled));