Changeset 243967 in webkit

Timestamp:

Apr 7, 2019 4:24:45 PM (5 years ago)

Author:

msaboff@apple.com

Message:

REGRESSION (r243642): Crash in reddit.com page
​https://bugs.webkit.org/show_bug.cgi?id=196684

Reviewed by Geoffrey Garen.

JSTests:

New regression test.

• stress/regexp-nongreedy-charclass-backtracks.js: Added.

Source/JavaScriptCore:

In r243642, the code that saves and restores the count for non-greedy character classes
was inadvertently put inside an if statement. This code should be generated for all
non-greedy character classes.

• yarr/YarrJIT.cpp:

(JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
(JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/regexp-nongreedy-charclass-backtracks.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/yarr/YarrJIT.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-04-07  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION (r243642): Crash in reddit.com page
+        https://bugs.webkit.org/show_bug.cgi?id=196684
+
+        Reviewed by Geoffrey Garen.
+
+        New regression test.
+
+        * stress/regexp-nongreedy-charclass-backtracks.js: Added.
+
 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-04-07  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION (r243642): Crash in reddit.com page
+        https://bugs.webkit.org/show_bug.cgi?id=196684
+
+        Reviewed by Geoffrey Garen.
+
+        In r243642, the code that saves and restores the count for non-greedy character classes
+        was inadvertently put inside an if statement.  This code should be generated for all
+        non-greedy character classes.
+
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
+        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
+
 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

@@ -1944 +1944 @@
         move(TrustedImm32(0), countRegister);
         op.m_reentry = label();
+
+#ifdef JIT_UNICODE_EXPRESSIONS
         if (m_decodeSurrogatePairs) {
             if (!term->characterClass->hasOneCharacterSize() || term->invert())
                 storeToFrame(index, term->frameLocation + BackTrackInfoCharacterClass::beginIndex());
-            storeToFrame(countRegister, term->frameLocation + BackTrackInfoCharacterClass::matchAmountIndex());
-        }
+        }
+#endif
+
+        storeToFrame(countRegister, term->frameLocation + BackTrackInfoCharacterClass::matchAmountIndex());
     }
 
@@ -1967 +1971 @@
             if (!term->characterClass->hasOneCharacterSize() || term->invert())
                 loadFromFrame(term->frameLocation + BackTrackInfoCharacterClass::beginIndex(), index);
-            loadFromFrame(term->frameLocation + BackTrackInfoCharacterClass::matchAmountIndex(), countRegister);
-        }
-#endif
+        }
+#endif
+
+        loadFromFrame(term->frameLocation + BackTrackInfoCharacterClass::matchAmountIndex(), countRegister);
 
         nonGreedyFailures.append(atEndOfInput());