Context Navigation

← Previous Changeset
Next Changeset →

Changeset 76275 in webkit

Timestamp:

Jan 20, 2011 1:31:21 PM (13 years ago)

Author:

msaboff@apple.com

Message:

2011-01-20 Michael Saboff <msaboff@apple.com>

Reviewed by Oliver Hunt.

<rdar://problem/8890203> [RegexFuzz] Crash in generated code (52773)
https://bugs.webkit.org/show_bug.cgi?id=52773

Fixed case where an existing DataLabelPtr is overwritten. The
replacing DataLabelPtr is now resolved immediately in
linkDataLabelToBacktrackIfExists(). Cleanup - eliminated bool
return value for the routine as it was never used.

yarr/YarrJIT.cpp: (JSC::Yarr::YarrGenerator::TermGenerationState::linkDataLabelToBacktrackIfExists):

2011-01-20 Michael Saboff <msaboff@apple.com>

Reviewed by Oliver Hunt.

<rdar://problem/8890203> [RegexFuzz] Crash in generated code (52773)
https://bugs.webkit.org/show_bug.cgi?id=52773

New test to validate fix.

fast/regex/parentheses-expected.txt:
fast/regex/script-tests/parentheses.js:

Location:

trunk

Files:

: 5 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/regex/parentheses-expected.txt (modified) (1 diff)
LayoutTests/fast/regex/script-tests/parentheses.js (modified) (1 diff)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/yarr/YarrJIT.cpp (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r76274
+                      r76275
+-01-20  Michael Saboff  <msaboff@apple.com>
+        Reviewed by Oliver Hunt.
+        <rdar://problem/8890203> [RegexFuzz] Crash in generated code (52773)
+        https://bugs.webkit.org/show_bug.cgi?id=52773
+        New test to validate fix.
+        * fast/regex/parentheses-expected.txt:
+        * fast/regex/script-tests/parentheses.js:
 -01-20  Dirk Schulze  <krit@webkit.org>

trunk/LayoutTests/fast/regex/parentheses-expected.txt

r76133	r76275
75	75	PASS regexp43.exec('SSS') is ['']
76	76	PASS regexp44.exec('SSS') is ['',undefined]
	77	PASS regexp45.exec('vt') is null
77	78	PASS 'Hi Bob'.match(/(Rob)\|(Bob)\|(Robert)\|(Bobby)/) is ['Bob',undefined,'Bob',undefined,undefined]
78	79	PASS successfullyParsed is true

trunk/LayoutTests/fast/regex/script-tests/parentheses.js

-                      r76133
+                      r76275
 shouldBe("regexp44.exec('SSS')", "['',undefined]");
+var regexp45 = /((?!(?:|)v{2,}|))/;
+shouldBeNull("regexp45.exec('vt')");
 shouldBe("'Hi Bob'.match(/(Rob)|(Bob)|(Robert)|(Bobby)/)", "['Bob',undefined,'Bob',undefined,undefined]");

trunk/Source/JavaScriptCore/ChangeLog

-                      r76263
+                      r76275
+-01-20  Michael Saboff  <msaboff@apple.com>
+        Reviewed by Oliver Hunt.
+        <rdar://problem/8890203> [RegexFuzz] Crash in generated code (52773)
+        https://bugs.webkit.org/show_bug.cgi?id=52773
+        Fixed case where an existing DataLabelPtr is overwritten.  The
+        replacing DataLabelPtr is now resolved immediately in
+        linkDataLabelToBacktrackIfExists().  Cleanup - eliminated bool
+        return value for the routine as it was never used.
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::TermGenerationState::linkDataLabelToBacktrackIfExists):
 -01-20  Andras Becsi  <abecsi@webkit.org>

trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

-                      r76133
+                      r76275
                 *m_subDataLabelPtr = dp;
                 m_subDataLabelPtr = 0;
+            } else
+            } else {
+                ASSERT(!hasDataLabel());
                 m_dataLabelPtr = dp;
+            }
+        }
 …
+        }
         bool linkDataLabelToBacktrackIfExists(YarrGenerator* generator, DataLabelPtr dataLabel)
+        void linkDataLabelToBacktrackIfExists(YarrGenerator* generator, DataLabelPtr dataLabel)
+        {
             // If we have a stack offset backtrack destination, use it directly
 …
                 m_backtrack.clearSubDataLabelPtr();
             } else {
+                // Otherwise set the data label (which may be linked)
+                setBacktrackDataLabel(dataLabel);
+                if ((m_backtrack.isLabel()) && (m_backtrack.hasDataLabel())) {
+                    generator->m_expressionState.m_backtrackRecords.append(AlternativeBacktrackRecord(m_backtrack.getDataLabel(), m_backtrack.getLabel()));
+                    m_backtrack.clearDataLabel();
+                    return true;
+                }
+            }
+            return false;
+                // If we have a backtrack label, connect the datalabel to it directly.
+                if (m_backtrack.isLabel())
+                    generator->m_expressionState.m_backtrackRecords.append(AlternativeBacktrackRecord(dataLabel, m_backtrack.getLabel()));
+                else
+                    setBacktrackDataLabel(dataLabel);
+            }
+        }

Note: See TracChangeset for help on using the changeset viewer.