Title: [219001] trunk
- Revision: 219001
- Author: [email protected]
- Date: 2017-06-30 09:37:29 -0700 (Fri, 30 Jun 2017)
Log Message
RegExpCachedResult::setInput should reify left and right contexts
https://bugs.webkit.org/show_bug.cgi?id=173818
Reviewed by Keith Miller.
JSTests:
* stress/right-left-context-invalidated-by-input.js: Added.
(test.validateContexts):
(test):
Source/JavaScriptCore:
If you don't reify them in setInput, then when you later try to reify them, you'll end up
using indices into an old input string to create a substring of a new input string. That
never goes well.
* runtime/RegExpCachedResult.cpp:
(JSC::RegExpCachedResult::setInput):
Diff
Modified: trunk/JSTests/ChangeLog (219000 => 219001)
--- trunk/JSTests/ChangeLog 2017-06-30 16:22:42 UTC (rev 219000)
+++ trunk/JSTests/ChangeLog 2017-06-30 16:37:29 UTC (rev 219001)
@@ -1,3 +1,14 @@
+2017-06-30 Filip Pizlo <[email protected]>
+
+ RegExpCachedResult::setInput should reify left and right contexts
+ https://bugs.webkit.org/show_bug.cgi?id=173818
+
+ Reviewed by Keith Miller.
+
+ * stress/right-left-context-invalidated-by-input.js: Added.
+ (test.validateContexts):
+ (test):
+
2017-06-29 Saam Barati <[email protected]>
Calculating postCapacity in unshiftCountSlowCase is wrong
Added: trunk/JSTests/stress/right-left-context-invalidated-by-input.js (0 => 219001)
--- trunk/JSTests/stress/right-left-context-invalidated-by-input.js (rev 0)
+++ trunk/JSTests/stress/right-left-context-invalidated-by-input.js 2017-06-30 16:37:29 UTC (rev 219001)
@@ -0,0 +1,25 @@
+//@ runDefault
+
+function test(when)
+{
+ /bar/.exec("foo bar baz");
+
+ function validateContexts(when)
+ {
+ if (RegExp.leftContext !== "foo ")
+ throw "Error: " + when + ": bad leftContext: " + RegExp.leftContext;
+ if (RegExp.rightContext !== " baz")
+ throw "Error: " + when + ": bad rightContext: " + RegExp.rightContext;
+ }
+
+ if (when === "before")
+ validateContexts("before");
+
+ RegExp.input = "";
+
+ if (when === "after")
+ validateContexts("after");
+}
+
+test("before");
+test("after");
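Review bot: In test(), the "before" call checks nothing after `RegExp.input = "";`, so only the "after" call exercises the contexts once the input has been replaced. Calling validateContexts after the assignment in both cases would also confirm that contexts already read before the assignment keep their values. The only replacement input tried is the empty string; a second case that assigns a non-empty string at least as long as "foo bar baz" would cover the situation where the old indices still fall inside the new string and the only symptom is a wrong substring. Minor: the inner validateContexts(when) parameter shadows the outer `when`; a different name would read more clearly.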
Modified: trunk/Source/_javascript_Core/ChangeLog (219000 => 219001)
--- trunk/Source/_javascript_Core/ChangeLog 2017-06-30 16:22:42 UTC (rev 219000)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-06-30 16:37:29 UTC (rev 219001)
@@ -1,3 +1,17 @@
+2017-06-30 Filip Pizlo <[email protected]>
+
+ RegExpCachedResult::setInput should reify left and right contexts
+ https://bugs.webkit.org/show_bug.cgi?id=173818
+
+ Reviewed by Keith Miller.
+
+ If you don't reify them in setInput, then when you later try to reify them, you'll end up
+ using indices into an old input string to create a substring of a new input string. That
+ never goes well.
+
+ * runtime/RegExpCachedResult.cpp:
+ (JSC::RegExpCachedResult::setInput):
+
2017-06-30 Keith Miller <[email protected]>
DFG_ASSERT should allow stuffing registers before trapping.
Modified: trunk/Source/_javascript_Core/runtime/RegExpCachedResult.cpp (219000 => 219001)
--- trunk/Source/_javascript_Core/runtime/RegExpCachedResult.cpp 2017-06-30 16:22:42 UTC (rev 219000)
+++ trunk/Source/_javascript_Core/runtime/RegExpCachedResult.cpp 2017-06-30 16:37:29 UTC (rev 219001)
@@ -83,6 +83,8 @@
{
// Make sure we're reified, otherwise m_reifiedInput will be ignored.
lastResult(exec, owner);
+ leftContext(exec, owner);
+ rightContext(exec, owner);
ASSERT(m_reified);
m_reifiedInput.set(exec->vm(), owner, input);
}
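Review bot: The existing comment above lastResult(exec, owner) only explains that call ("otherwise m_reifiedInput will be ignored"), and the two added calls to leftContext(exec, owner) and rightContext(exec, owner) discard their return values with no explanation, so they read like dead code that a later cleanup could remove. Extend the comment to say they are called for their side effect: the contexts have to be materialized against the old input before m_reifiedInput.set(...) replaces it, which is the reasoning given in the ChangeLog entry. Both calls take exec, so it is also worth confirming that nothing needs to be checked between them and ASSERT(m_reified).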