Title: [244023] tags/Safari-608.1.15
- Revision
- 244023
- Author
- bshaf...@apple.com
- Date
- 2019-04-08 10:09:21 -0700 (Mon, 08 Apr 2019)
Log Message
Cherry-pick r243839. rdar://problem/49589308
REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline
https://bugs.webkit.org/show_bug.cgi?id=196477
Reviewed by Keith Miller.
Source/JavaScriptCore:
The problem here is that when we advance the index by 2 for a character class that only
has non-BMP characters, we might go past the end of the string. This can happen for
greedy counted character classes that are part of an alternative where there is one
character to match after the greedy non-BMP character class.
The "do we have string left to match" check at the top of the JIT loop for the counted
character class checks to see if index is not equal to the string length. For non-BMP
character classes, we need to check to see if there are at least 2 characters left.
Therefore we now temporarily add 1 to the current index before comparing. This checks
to see if there are at least 2 characters left to match, instead of 1.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
(JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
LayoutTests:
Updated the test with a couple more test cases to test a few variants of this bug.
Also added a couple of non-greedy counted non-BMP character class tests that don't have
the bug just to be sure.
* js/regexp-unicode-expected.txt:
* js/script-tests/regexp-unicode.js:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243839 268f45cc-cd09-0410-ab3c-d52691b4dbfc
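To make the off-by-one in the log message concrete, here is an added C++ model written for this page; it is not WebKit or Yarr code. It imitates the greedy counted character-class loop over a UTF-16 buffer and runs the original "is index unequal to the length" test beside the patched "two code units must remain" test. `CharClass`, `greedyCharacterClass`, `MatchResult` and the sample subjects are constructed for the example, and the choice to load both code units of a surrogate pair before testing membership is a modelling assumption, not something the page states.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for a Yarr character class: the code points it accepts
// and whether every member lies outside the BMP (mirrors the
// hasOneCharacterSize() && hasNonBMPCharacters() condition in the patch).
struct CharClass {
    std::vector<uint32_t> codePoints;
    bool allNonBMP;
    bool contains(uint32_t cp) const {
        return std::find(codePoints.begin(), codePoints.end(), cp) != codePoints.end();
    }
};

struct MatchResult {
    size_t matches;        // class members consumed
    size_t endIndex;       // code-unit index after the last consumed member
    bool outOfBoundsRead;  // loop tried to load a unit at or past input.size()
};

static bool isLeadSurrogate(char16_t u)  { return u >= 0xD800 && u <= 0xDBFF; }
static bool isTrailSurrogate(char16_t u) { return u >= 0xDC00 && u <= 0xDFFF; }

// Scalar model (an assumption, not the JIT's code) of the greedy counted loop:
// each iteration first asks "is there input left?", then loads the unit(s) a
// member occupies, then tests membership. fixedCheck=false uses the original
// test (index != length); fixedCheck=true requires the member's full width.
static MatchResult greedyCharacterClass(const std::u16string& input, size_t index,
                                        const CharClass& cls, size_t maxCount,
                                        bool fixedCheck) {
    MatchResult r{0, index, false};
    const size_t width = cls.allNonBMP ? 2 : 1;   // code units one member occupies
    while (r.matches < maxCount) {
        const bool enough = fixedCheck ? (index + width <= input.size())
                                       : (index != input.size());
        if (!enough)
            break;
        if (index + width > input.size()) {       // the load the loop is about to do
            r.outOfBoundsRead = true;             // ...would read past the buffer
            break;
        }
        uint32_t cp;
        if (width == 2) {
            const char16_t lead = input[index], trail = input[index + 1];
            if (!isLeadSurrogate(lead) || !isTrailSurrogate(trail))
                break;                            // cannot be a member of this class
            cp = 0x10000 + ((uint32_t(lead) - 0xD800) << 10) + (uint32_t(trail) - 0xDC00);
        } else {
            cp = input[index];
        }
        if (!cls.contains(cp))
            break;
        index += width;
        r.matches++;
        r.endIndex = index;
    }
    return r;
}

// Constructed subject with an odd number of code units: two non-BMP members
// followed by one BMP unit, so exactly one unit remains on the third pass.
static MatchResult oddTailScenario(bool fixedCheck) {
    const std::u16string subject = u"\U00010311\U00010310x";          // 5 units
    const CharClass cls{{0x10310, 0x10311}, /*allNonBMP=*/true};
    return greedyCharacterClass(subject, 0, cls, /*maxCount=*/SIZE_MAX, fixedCheck);
}

// Even-length subject: both checks agree, so the fix changes nothing here.
static MatchResult evenScenario(bool fixedCheck) {
    const std::u16string subject = u"\U00010311\U00010310\U00010311"; // 6 units
    const CharClass cls{{0x10310, 0x10311}, /*allNonBMP=*/true};
    return greedyCharacterClass(subject, 0, cls, /*maxCount=*/SIZE_MAX, fixedCheck);
}

int main() {
    for (bool fixed : {false, true}) {
        const MatchResult r = oddTailScenario(fixed);
        std::cout << (fixed ? "fixed   " : "original") << ": matches=" << r.matches
                  << " end=" << r.endIndex
                  << " oob=" << (r.outOfBoundsRead ? "yes" : "no") << '\n';
    }
    return 0;
}
```

With the original test the odd-length subject passes the "input left" check at index 4 of 5 and the two-unit load runs off the end; with the patched test the loop stops after two matches with no read attempted, and on the even-length subject both variants consume all three members.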
Modified Paths
Diff
Modified: tags/Safari-608.1.15/LayoutTests/ChangeLog (244022 => 244023)
--- tags/Safari-608.1.15/LayoutTests/ChangeLog 2019-04-08 17:09:18 UTC (rev 244022)
+++ tags/Safari-608.1.15/LayoutTests/ChangeLog 2019-04-08 17:09:21 UTC (rev 244023)
@@ -1,3 +1,55 @@
+2019-04-08 Babak Shafiei <bshaf...@apple.com>
+
+ Cherry-pick r243839. rdar://problem/49589308
+
+ REGRESSION (r243642): com.apple._javascript_Core crash in JSC::RegExpObject::execInline
+ https://bugs.webkit.org/show_bug.cgi?id=196477
+
+ Reviewed by Keith Miller.
+
+ Source/_javascript_Core:
+
+ The problem here is that when we advance the index by 2 for a character class that only
+ has non-BMP characters, we might go past the end of the string. This can happen for
+ greedy counted character classes that are part of a alternative where there is one
+ character to match after the greedy non-BMP character class.
+
+ The "do we have string left to match" check at the top of the JIT loop for the counted
+ character class checks to see if index is not equal to the string length. For non-BMP
+ character classes, we need to check to see if there are at least 2 characters left.
+ Therefore we now temporarily add 1 to the current index before comparing. This checks
+ to see if there are iat least 2 characters left to match, instead of 1.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
+ (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
+
+ LayoutTests:
+
+ Updated the test with a couple more test cases to test a few variants of this bug.
+ Also added a couple of non-greedy counted non-BMP character class tests that don't have
+ the bug just to be sure.
+
+ * js/regexp-unicode-expected.txt:
+ * js/script-tests/regexp-unicode.js:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243839 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-04-03 Michael Saboff <msab...@apple.com>
+
+ REGRESSION (r243642): com.apple._javascript_Core crash in JSC::RegExpObject::execInline
+ https://bugs.webkit.org/show_bug.cgi?id=196477
+
+ Reviewed by Keith Miller.
+
+ Updated the test with a couple more test cases to test a few variants of this bug.
+ Also added a couple of non-greedy counted non-BMP character class tests that don't have
+ the bug just to be sure.
+
+ * js/regexp-unicode-expected.txt:
+ * js/script-tests/regexp-unicode.js:
+
2019-04-05 Kocsen Chung <kocsen_ch...@apple.com>
Revert r243839. rdar://problem/49654398
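Review bot: the copied ChangeLog text carries two typos that the cherry-pick reproduces verbatim, in `greedy counted character classes that are part of a alternative` (should read `an alternative`) and `iat least 2 characters left` (should read `at least`); since this entry mirrors r243839, fix them in trunk first so the branch and trunk copies stay in sync.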
Modified: tags/Safari-608.1.15/LayoutTests/js/regexp-unicode-expected.txt (244022 => 244023)
--- tags/Safari-608.1.15/LayoutTests/js/regexp-unicode-expected.txt 2019-04-08 17:09:18 UTC (rev 244022)
+++ tags/Safari-608.1.15/LayoutTests/js/regexp-unicode-expected.txt 2019-04-08 17:09:21 UTC (rev 244023)
@@ -148,6 +148,9 @@
PASS "𐌑𐌐𐌑".match(/[𐌁𐌑]*?a|[𐌐𐌑]*?./iu)[0] is "𐌑"
PASS "𐌑𐌐𐌑".match(/[𐌁𐌑]+a|[𐌐𐌑]+./iu)[0] is "𐌑𐌐𐌑"
PASS "𐌑𐌐𐌑".match(/[𐌁𐌑]+?a|[𐌐𐌑]+?./iu)[0] is "𐌑𐌐"
+PASS "𐌑𐌐𐌑".match(/[𐌁𐌑]+?a$|[𐌐𐌑]+?.$/iu)[0] is "𐌑𐌐𐌑"
+PASS "𐌑𐌐𐌑".match(/[𐌁𐌑x]+a|[𐌐𐌑x]+./iu)[0] is "𐌑𐌐𐌑"
+PASS "𐌑𐌐𐌑".match(/[𐌁𐌑x]+?a|[𐌐𐌑x]+?./iu)[0] is "𐌑𐌐"
PASS "C83|НАЧАТЬ".match(re8)[0] is "C83|НАЧАТЬ"
PASS "This.Is.16.Chars|НАЧАТЬ".match(re8)[0] is "This.Is.16.Chars|НАЧАТЬ"
PASS "Testing\nሴ 1 2 3".match(/^[က-] 1 2 3/um)[0] is "ሴ 1 2 3"
Modified: tags/Safari-608.1.15/LayoutTests/js/script-tests/regexp-unicode.js (244022 => 244023)
--- tags/Safari-608.1.15/LayoutTests/js/script-tests/regexp-unicode.js 2019-04-08 17:09:18 UTC (rev 244022)
+++ tags/Safari-608.1.15/LayoutTests/js/script-tests/regexp-unicode.js 2019-04-08 17:09:21 UTC (rev 244023)
@@ -205,6 +205,9 @@
shouldBe('"\u{10311}\u{10310}\u{10311}".match(/[\u{10301}\u{10311}]*?a|[\u{10310}\u{10311}]*?./iu)[0]', '"\u{10311}"');
shouldBe('"\u{10311}\u{10310}\u{10311}".match(/[\u{10301}\u{10311}]+a|[\u{10310}\u{10311}]+./iu)[0]', '"\u{10311}\u{10310}\u{10311}"');
shouldBe('"\u{10311}\u{10310}\u{10311}".match(/[\u{10301}\u{10311}]+?a|[\u{10310}\u{10311}]+?./iu)[0]', '"\u{10311}\u{10310}"');
+shouldBe('"\u{10311}\u{10310}\u{10311}".match(/[\u{10301}\u{10311}]+?a$|[\u{10310}\u{10311}]+?.$/iu)[0]', '"\u{10311}\u{10310}\u{10311}"');
+shouldBe('"\u{10311}\u{10310}\u{10311}".match(/[\u{10301}\u{10311}x]+a|[\u{10310}\u{10311}x]+./iu)[0]', '"\u{10311}\u{10310}\u{10311}"');
+shouldBe('"\u{10311}\u{10310}\u{10311}".match(/[\u{10301}\u{10311}x]+?a|[\u{10310}\u{10311}x]+?./iu)[0]', '"\u{10311}\u{10310}"');
var re8 = new RegExp("^([0-9a-z\.]{3,16})\\|\u{041d}\u{0410}\u{0427}\u{0410}\u{0422}\u{042c}", "ui");
shouldBe('"C83|\u{041d}\u{0410}\u{0427}\u{0410}\u{0422}\u{042c}".match(re8)[0]', '"C83|\u{041d}\u{0410}\u{0427}\u{0410}\u{0422}\u{042c}"');
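Review bot: the three new cases all use the six-unit subject `"\u{10311}\u{10310}\u{10311}"` and cover the `$`-anchored non-greedy form and classes with a mixed-width member (`x`), where the class is no longer single-width and the pre-existing `atEndOfInput()` path applies; a companion case with an odd code-unit count (for instance the same subject with a trailing `a`) would exercise the "exactly one code unit left" boundary that the YarrJIT.cpp check now guards, independently of how the fixed-size suffix is accounted for, and its PASS line belongs in regexp-unicode-expected.txt alongside the others.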
Modified: tags/Safari-608.1.15/Source/_javascript_Core/ChangeLog (244022 => 244023)
--- tags/Safari-608.1.15/Source/_javascript_Core/ChangeLog 2019-04-08 17:09:18 UTC (rev 244022)
+++ tags/Safari-608.1.15/Source/_javascript_Core/ChangeLog 2019-04-08 17:09:21 UTC (rev 244023)
@@ -1,5 +1,65 @@
2019-04-08 Babak Shafiei <bshaf...@apple.com>
+ Cherry-pick r243839. rdar://problem/49589308
+
+ REGRESSION (r243642): com.apple._javascript_Core crash in JSC::RegExpObject::execInline
+ https://bugs.webkit.org/show_bug.cgi?id=196477
+
+ Reviewed by Keith Miller.
+
+ Source/_javascript_Core:
+
+ The problem here is that when we advance the index by 2 for a character class that only
+ has non-BMP characters, we might go past the end of the string. This can happen for
+ greedy counted character classes that are part of a alternative where there is one
+ character to match after the greedy non-BMP character class.
+
+ The "do we have string left to match" check at the top of the JIT loop for the counted
+ character class checks to see if index is not equal to the string length. For non-BMP
+ character classes, we need to check to see if there are at least 2 characters left.
+ Therefore we now temporarily add 1 to the current index before comparing. This checks
+ to see if there are iat least 2 characters left to match, instead of 1.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
+ (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
+
+ LayoutTests:
+
+ Updated the test with a couple more test cases to test a few variants of this bug.
+ Also added a couple of non-greedy counted non-BMP character class tests that don't have
+ the bug just to be sure.
+
+ * js/regexp-unicode-expected.txt:
+ * js/script-tests/regexp-unicode.js:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243839 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-04-03 Michael Saboff <msab...@apple.com>
+
+ REGRESSION (r243642): com.apple._javascript_Core crash in JSC::RegExpObject::execInline
+ https://bugs.webkit.org/show_bug.cgi?id=196477
+
+ Reviewed by Keith Miller.
+
+ The problem here is that when we advance the index by 2 for a character class that only
+ has non-BMP characters, we might go past the end of the string. This can happen for
+ greedy counted character classes that are part of a alternative where there is one
+ character to match after the greedy non-BMP character class.
+
+ The "do we have string left to match" check at the top of the JIT loop for the counted
+ character class checks to see if index is not equal to the string length. For non-BMP
+ character classes, we need to check to see if there are at least 2 characters left.
+ Therefore we now temporarily add 1 to the current index before comparing. This checks
+ to see if there are iat least 2 characters left to match, instead of 1.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
+ (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
+
+2019-04-08 Babak Shafiei <bshaf...@apple.com>
+
Cherry-pick r243642. rdar://problem/49589308
[YARR] Precompute BMP / non-BMP status when constructing character classes
Modified: tags/Safari-608.1.15/Source/_javascript_Core/yarr/YarrJIT.cpp (244022 => 244023)
--- tags/Safari-608.1.15/Source/_javascript_Core/yarr/YarrJIT.cpp 2019-04-08 17:09:18 UTC (rev 244022)
+++ tags/Safari-608.1.15/Source/_javascript_Core/yarr/YarrJIT.cpp 2019-04-08 17:09:21 UTC (rev 244023)
@@ -1849,7 +1849,13 @@
JumpList failures;
Label loop(this);
- failures.append(atEndOfInput());
+#ifdef JIT_UNICODE_EXPRESSIONS
+ if (term->characterClass->hasOneCharacterSize() && !term->invert() && term->characterClass->hasNonBMPCharacters()) {
+ move(TrustedImm32(1), character);
+ failures.append(checkNotEnoughInput(character));
+ } else
+#endif
+ failures.append(atEndOfInput());
if (term->invert()) {
readCharacter(m_checkedOffset - term->inputPosition, character);
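Review bot: the new branch tests `hasOneCharacterSize() && !term->invert() && hasNonBMPCharacters()` but not `m_decodeSurrogatePairs`, while the second hunk in this file gates its surrogate-pair frame loads on `m_decodeSurrogatePairs`; if a class can report non-BMP members for a pattern that is not in unicode mode, this would demand two units where only one is consumed, so either add the flag to the condition or record why the class precomputation rules that out. On style, `} else` immediately followed by `#endif` and the unbraced `failures.append(atEndOfInput());` compiles to the intended code in both configurations, but a second statement added to the else arm later would silently alter the non-unicode build; braces on both arms, or an explicit `#else`, would make the intent unmistakable. Using `character` as the scratch register for `TrustedImm32(1)` is fine, since `readCharacter` overwrites it below.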
@@ -1956,11 +1962,13 @@
m_backtrackingState.link(this);
+#ifdef JIT_UNICODE_EXPRESSIONS
if (m_decodeSurrogatePairs) {
if (!term->characterClass->hasOneCharacterSize() || term->invert())
loadFromFrame(term->frameLocation + BackTrackInfoCharacterClass::beginIndex(), index);
loadFromFrame(term->frameLocation + BackTrackInfoCharacterClass::matchAmountIndex(), countRegister);
}
+#endif
nonGreedyFailures.append(atEndOfInput());
nonGreedyFailures.append(branch32(Equal, countRegister, Imm32(term->quantityMaxCount.unsafeGet())));
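Review bot: this hunk only wraps the existing `m_decodeSurrogatePairs` block in `#ifdef JIT_UNICODE_EXPRESSIONS`, so non-unicode builds skip the frame reloads exactly as the `m_decodeSurrogatePairs == false` path already does and unicode builds are unchanged; the ChangeLog lists `backtrackCharacterClassNonGreedy` under the fix without saying so, and a one-line note that this is a build-guard alignment with `generateCharacterClassGreedy` rather than part of the bounds fix would spare the next reader a hunt for a functional change.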
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes