Revision: 221111
Author: [email protected]
Date: 2017-08-23 15:24:30 -0700 (Wed, 23 Aug 2017)
Log Message
REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
https://bugs.webkit.org/show_bug.cgi?id=175903
Reviewed by Saam Barati.
Source/JavaScriptCore:
In generateCharacterClassGreedy we were incrementing the "count" register before checking
for the end of the input string. The at-end-of-input check is the final check before
knowing that the current character matched. In this case, the end of input check
indicates that we ran out of prechecked characters and therefore should fail the match of
the current character. The backtracking code uses the value in the "count" register as
the number of characters that successfully matched, which shouldn't include the current
character. Therefore we need to move the incrementing of "count" to after the
at-end-of-input check.
Through code inspection of the expectations of other backtracking code, I determined that
the non-greedy character class matching code had a similar issue. I fixed that as well
and added a new test case.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
(JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
LayoutTests:
New regression test case.
* js/regexp-unicode-expected.txt:
* js/script-tests/regexp-unicode.js:
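The log message describes two Yarr loops (greedy and non-greedy character class) that must back off when the first alternative fails at the end of the input. The following JavaScript is an added example, not part of the WebKit change: it drives both loops from script with the same supplementary-plane character as the regression test, adds a BMP-only control case that needs no surrogate-pair decoding, and compares the results with what a correct engine returns. The input string is constructed here and the function names are my own.

```javascript
// Constructed sample input: "a" + U+10410 + U+10410 + "b". U+10410 is encoded as a
// surrogate pair, which is the case handled by the JIT's m_decodeSurrogatePairs branch.
const DESERET = "\u{10410}";
const INPUT = "a" + DESERET + DESERET + "b";

function runRegressionCases() {
  // Greedy: the first alternative consumes both U+10410, matches "b", then needs "c"
  // at end of input, so the engine has to give back characters one at a time.
  const greedy = INPUT.match(new RegExp(`(a${DESERET}*bc)|(a${DESERET}*b)`, "u"));
  // Non-greedy: the first alternative reaches "b" after two characters, fails on "c",
  // and then tries to extend the *? loop past the end of the input before giving up.
  const nonGreedy = INPUT.match(new RegExp(`a(${DESERET}*?)bc|a(${DESERET}*?)b`, "ui"));
  // BMP control: same shape with a single code unit, so no surrogate-pair handling.
  const bmp = "aXXb".match(/(aX*bc)|(aX*b)/);
  const triple = (m) => (m ? [m[0], m[1], m[2]] : null);
  return { greedy: triple(greedy), nonGreedy: triple(nonGreedy), bmp: triple(bmp) };
}

// Returns the names of the cases whose result differs from a correct engine's output
// (an empty array means all cases pass). A crash or a wrong capture group here is the
// symptom the r221111 fix addresses.
function checkRegressionCases() {
  const got = runRegressionCases();
  const expected = {
    greedy: [INPUT, undefined, INPUT],               // second alternative matched
    nonGreedy: [INPUT, undefined, DESERET + DESERET], // group 2 holds both U+10410
    bmp: ["aXXb", undefined, "aXXb"],
  };
  const failures = [];
  for (const name of Object.keys(expected)) {
    const actual = got[name];
    const want = expected[name];
    if (!actual || actual.length !== want.length || actual.some((v, i) => v !== want[i]))
      failures.push(name);
  }
  return failures;
}
```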
Modified Paths
- trunk/LayoutTests/ChangeLog
- trunk/LayoutTests/js/regexp-unicode-expected.txt
- trunk/LayoutTests/js/script-tests/regexp-unicode.js
- trunk/Source/JavaScriptCore/ChangeLog
- trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp
Diff
Modified: trunk/LayoutTests/ChangeLog (221110 => 221111)
--- trunk/LayoutTests/ChangeLog 2017-08-23 22:19:13 UTC (rev 221110)
+++ trunk/LayoutTests/ChangeLog 2017-08-23 22:24:30 UTC (rev 221111)
@@ -1,3 +1,15 @@
+2017-08-23 Michael Saboff <[email protected]>
+
+ REGRESSION (r221052): DumpRenderTree crashed in com.apple._javascript_Core: JSC::Yarr::YarrCodeBlock::execute + 137
+ https://bugs.webkit.org/show_bug.cgi?id=175903
+
+ Reviewed by Saam Barati.
+
+ New regression test case.
+
+ * js/regexp-unicode-expected.txt:
+ * js/script-tests/regexp-unicode.js:
+
2017-08-23 Matt Lewis <[email protected]>
Marked webrtc/filtering-ice-candidate-after-reload.html a flaky.
Modified: trunk/LayoutTests/js/regexp-unicode-expected.txt (221110 => 221111)
--- trunk/LayoutTests/js/regexp-unicode-expected.txt 2017-08-23 22:19:13 UTC (rev 221110)
+++ trunk/LayoutTests/js/regexp-unicode-expected.txt 2017-08-23 22:24:30 UTC (rev 221111)
@@ -119,6 +119,7 @@
PASS "123𐐀".match(/\d*/u)[0] is "123"
PASS "12X3𐐀4".match(/\d{0,1}/ug) is ["1", "2", "", "3", "", "4", ""]
PASS "𐐂𐐅𐐅𐐂𐐅𐐅𐐅".match(/𐐅{3}/u)[0] is "𐐅𐐅𐐅"
+PASS "a𐐐𐐐b".match(/a(𐐐*?)bc|a(𐐐*?)b/ui)[0] is "a𐐐𐐐b"
PASS match3[0] is "a𐐐𐐐b"
PASS match3[1] is undefined.
PASS match3[2] is "a𐐐𐐐b"
Modified: trunk/LayoutTests/js/script-tests/regexp-unicode.js (221110 => 221111)
--- trunk/LayoutTests/js/script-tests/regexp-unicode.js 2017-08-23 22:19:13 UTC (rev 221110)
+++ trunk/LayoutTests/js/script-tests/regexp-unicode.js 2017-08-23 22:24:30 UTC (rev 221111)
@@ -157,6 +157,7 @@
shouldBe('"123\u{10400}".match(/\\d*/u)[0]', '"123"');
shouldBe('"12X3\u{10400}4".match(/\\d{0,1}/ug)', '["1", "2", "", "3", "", "4", ""]');
shouldBe('"\u{10402}\u{10405}\u{10405}\u{10402}\u{10405}\u{10405}\u{10405}".match(/\u{10405}{3}/u)[0]', '"\u{10405}\u{10405}\u{10405}"');
+shouldBe('"a\u{10410}\u{10410}b".match(/a(\u{10410}*?)bc|a(\u{10410}*?)b/ui)[0]', '"a\u{10410}\u{10410}b"');
var re3 = new RegExp("(a\u{10410}*bc)|(a\u{10410}*b)", "u");
var match3 = "a\u{10410}\u{10410}b".match(re3);
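Review bot: the new shouldBe only checks [0]; since the point of the case is that the first alternative must fail and backtrack into the second, also asserting the capture groups (group 1 undefined, group 2 equal to "\u{10410}\u{10410}") would pin down which alternative matched, the way the match3 checks just below do for the greedy form. A BMP-only variant of the same pattern (no u flag, no surrogate pairs) would additionally cover the countRegister move on the non-surrogate path, which this test does not reach.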
Modified: trunk/Source/_javascript_Core/ChangeLog (221110 => 221111)
--- trunk/Source/_javascript_Core/ChangeLog 2017-08-23 22:19:13 UTC (rev 221110)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-08-23 22:24:30 UTC (rev 221111)
@@ -1,3 +1,27 @@
+2017-08-23 Michael Saboff <[email protected]>
+
+ REGRESSION (r221052): DumpRenderTree crashed in com.apple._javascript_Core: JSC::Yarr::YarrCodeBlock::execute + 137
+ https://bugs.webkit.org/show_bug.cgi?id=175903
+
+ Reviewed by Saam Barati.
+
+ In generateCharacterClassGreedy we were incrementing the "count" register before checking
+ for the end of the input string. The at-end-of-input check is the final check before
+ knowing that the current character matched. In this case, the end of input check
+ indicates that we ran out of prechecked characters and therefore should fail the match of
+ the current character. The backtracking code uses the value in the "count" register as
+ the number of character that successfully matched, which shouldn't include the current
+ character. Therefore we need to move the incrementing of "count" to after the
+ at end of input check.
+
+ Through code inspection of the expectations of other backtracking code, I determined that
+ the non greedy character class matching code had a similar issue. I fixed that as well
+ and added a new test case.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
+ (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
+
2017-08-23 Yusuke Suzuki <[email protected]>
[JSC] Optimize Map iteration with intrinsic
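Review bot: the entry understates the non-greedy change: besides moving the countRegister increment, the YarrJIT.cpp hunk at line 1374 adds a new nonGreedyFailures.append(atEndOfInput()) edge inside the surrogate-pair branch, which is a behavioural addition worth stating explicitly rather than as "a similar issue". Minor: "number of character" should read "number of characters", and "non greedy" should be hyphenated to match backtrackCharacterClassNonGreedy.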
Modified: trunk/Source/_javascript_Core/yarr/YarrJIT.cpp (221110 => 221111)
--- trunk/Source/_javascript_Core/yarr/YarrJIT.cpp 2017-08-23 22:19:13 UTC (rev 221110)
+++ trunk/Source/_javascript_Core/yarr/YarrJIT.cpp 2017-08-23 22:24:30 UTC (rev 221111)
@@ -1268,7 +1268,6 @@
matchDest.link(this);
}
- add32(TrustedImm32(1), countRegister);
add32(TrustedImm32(1), index);
#ifdef JIT_UNICODE_EXPRESSIONS
if (m_decodeSurrogatePairs) {
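Review bot: this hunk only removes the countRegister increment, so correctness depends on the re-insertion after the #endif in the following hunk; from the two hunks together it does hold that both the unicode and the non-unicode build still do exactly one add32 to countRegister per iteration, because the new site is outside the #ifdef. The hunk boundary at 1278 hides the atEndOfInput() branch that motivates the move, so a reader of this hunk alone cannot see why index and count are now incremented in different places; a comment at the new site would help.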
@@ -1278,6 +1277,7 @@
isBMPChar.link(this);
}
#endif
+ add32(TrustedImm32(1), countRegister);
if (term->quantityMaxCount != quantifyInfinite) {
branch32(NotEqual, countRegister, Imm32(term->quantityMaxCount.unsafeGet())).linkTo(loop, this);
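Review bot: the increment now lands immediately before branch32(NotEqual, countRegister, Imm32(term->quantityMaxCount.unsafeGet())), so the max-count loop exit still compares the post-increment value as before. A one-line comment stating that countRegister must only be bumped after the at-end-of-input check, because the backtracking code reads it as the number of characters that fully matched, would stop a future cleanup from moving it back next to add32(TrustedImm32(1), index).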
@@ -1374,15 +1374,16 @@
matchDest.link(this);
}
- add32(TrustedImm32(1), countRegister);
add32(TrustedImm32(1), index);
#ifdef JIT_UNICODE_EXPRESSIONS
if (m_decodeSurrogatePairs) {
+ nonGreedyFailures.append(atEndOfInput());
Jump isBMPChar = branch32(LessThan, character, supplementaryPlanesBase);
add32(TrustedImm32(1), index);
isBMPChar.link(this);
}
#endif
+ add32(TrustedImm32(1), countRegister);
jump(op.m_reentry);
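Review bot: nonGreedyFailures.append(atEndOfInput()) sits after the first add32(TrustedImm32(1), index) and before the isBMPChar branch, so it runs only when m_decodeSurrogatePairs is set; please confirm that the non-greedy path without surrogate decoding cannot run out of prechecked input at this point (otherwise it needs an equivalent failure edge outside the #ifdef), and that the greedy path between lines 1268 and 1277, which this diff does not show, performs its at-end-of-input check in the same position so the two loops stay symmetric.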