Title: [295066] trunk
- Revision: 295066
- Author: msab...@apple.com
- Date: 2022-05-31 14:22:49 -0700 (Tue, 31 May 2022)
Log Message
ASSERTION FAILED: regExp->isValid() LLIntSlowPaths.cpp(625)
https://bugs.webkit.org/show_bug.cgi?id=241107
<rdar://93369481>
Reviewed by Mark Lam.
We can remove this ASSERT(regExp->isValid()) and others like it that are used for NewRegExp
bytecode processing because subsequent code already must handle the invalid case. These code
paths may create a new RegExp or retrieve a cached RegExp. For the case where a RegExp is
created for the first time, it is valid or we wouldn't have generated the NewRegExp bytecode.
This valid RegExp can subsequently be marked with an error if it fails YARR RegExp engine JIT
code or interpreter bytecode generation. Matching with a RegExp with one of these generation
errors properly throws a Syntax error. These ASSERTs fail when the NewRegExp processing
retrieves an already cached RegExp, with a generation error. The matching code will still
throw a Syntax Error.
* JSTests/stress/regexp-late-compilation-error.js: Added.
(testRegExp1):
(testRegExp2):
(test):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
Canonical link: https://commits.webkit.org/251161@main
Diff
Added: trunk/JSTests/stress/regexp-late-compilation-error.js (0 => 295066)
--- trunk/JSTests/stress/regexp-late-compilation-error.js (rev 0)
+++ trunk/JSTests/stress/regexp-late-compilation-error.js 2022-05-31 21:22:49 UTC (rev 295066)
@@ -0,0 +1,21 @@
+function testRegExp1()
+{
+ /((a{100000000})*b{2100000000})+/.test("b");
+}
+
+function testRegExp2()
+{
+ /(a{1000000000}b{1000000000}|c{10009s0000}|)d{1094967295}e{1500000000}/.test("abcde");
+}
+
+function test(testRE)
+{
+ for (let i = 0; i < 5000; ++i) {
+ try {
+ testRE();
+ } catch {};
+ }
+}
+
+test(testRegExp1);
+test(testRegExp2);
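Review bot: the `catch {}` in test() discards every exception, so the test passes whether matching throws a SyntaxError, some other error type, or nothing at all. Since the log message states that matching against a RegExp with a generation error throws a Syntax Error, consider `catch (e)` with a check that `e instanceof SyntaxError`, so an unexpected exception type fails the test instead of being swallowed. Separately, in testRegExp2 the term `c{10009s0000}` is not a quantifier because of the `s`, so it is matched as literal text; if that is deliberate (for example, reduced fuzzer input), a one-line comment would say so. The `;` after the catch block is also unnecessary.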
Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (295065 => 295066)
--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2022-05-31 21:18:44 UTC (rev 295065)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2022-05-31 21:22:49 UTC (rev 295066)
@@ -2502,7 +2502,6 @@
JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
RegExp* regexp = static_cast<RegExp*>(regexpPtr);
- ASSERT(regexp->isValid());
return RegExpObject::create(vm, globalObject->regExpStructure(), regexp, JSValue::decode(encodedLastIndex));
}
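Review bot: nothing visible in the new test shows that this DFG operation is actually reached with a cached RegExp carrying a generation error. The reported assertion was in LLIntSlowPaths.cpp(625), and the test relies on 5000 loop iterations with no explicit tiering control. It would help to confirm (or note in the test) that the run exercises the DFG and baseline JIT operations as well as the LLInt slow path, so the removal here is covered and not only inferred from the LLInt failure.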
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (295065 => 295066)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2022-05-31 21:18:44 UTC (rev 295065)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2022-05-31 21:22:49 UTC (rev 295066)
@@ -1821,7 +1821,6 @@
JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
RegExp* regexp = static_cast<RegExp*>(regexpPtr);
- ASSERT(regexp->isValid());
static constexpr bool areLegacyFeaturesEnabled = true;
return RegExpObject::create(vm, globalObject->regExpStructure(), regexp, areLegacyFeaturesEnabled);
}
Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (295065 => 295066)
--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2022-05-31 21:18:44 UTC (rev 295065)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2022-05-31 21:22:49 UTC (rev 295066)
@@ -622,7 +622,6 @@
LLINT_BEGIN();
auto bytecode = pc->as<OpNewRegexp>();
RegExp* regExp = jsCast<RegExp*>(getOperand(callFrame, bytecode.m_regexp));
- ASSERT(regExp->isValid());
static constexpr bool areLegacyFeaturesEnabled = true;
LLINT_RETURN(RegExpObject::create(vm, globalObject->regExpStructure(), regExp, areLegacyFeaturesEnabled));
}
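Review bot: with the ASSERT dropped between the `jsCast<RegExp*>` line and `RegExpObject::create`, nothing at this site records that an invalid RegExp is now an expected input. A short comment here (and at the two matching JIT operation sites) saying that a cached RegExp may carry a YARR generation error and that matching throws in that case would keep the reasoning from the log message next to the code and discourage someone from re-adding the assertion later.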