Title: [222601] trunk
- Revision
- 222601
- Author
- [email protected]
- Date
- 2017-09-27 22:15:50 -0700 (Wed, 27 Sep 2017)
Log Message
REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
https://bugs.webkit.org/show_bug.cgi?id=177570
Reviewed by Filip Pizlo.
JSTests:
New regression test.
* stress/regress-177570.js: Added.
Source/_javascript_Core:
The change in r210837 neglected to change the check in Interpreter::backtrackParentheses() that
greedy parenthesis have backtracked as far as possible. Prior to r210837 when non-zero minimum greedy
parenthesis were factored into a fixed component and then a zero-based variable component. After
r210837, the variable component is not zero based and the check needs to compare the
backTrack->matchAmount with the quantity iminimum count.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::backtrackParentheses):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (222600 => 222601)
--- trunk/JSTests/ChangeLog 2017-09-28 04:48:51 UTC (rev 222600)
+++ trunk/JSTests/ChangeLog 2017-09-28 05:15:50 UTC (rev 222601)
@@ -1,3 +1,14 @@
+2017-09-27 Michael Saboff <[email protected]>
+
+ REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
+ https://bugs.webkit.org/show_bug.cgi?id=177570
+
+ Reviewed by Filip Pizlo.
+
+ New regression test.
+
+ * stress/regress-177570.js: Added.
+
2017-09-28 Michael Saboff <[email protected]>
Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
Added: trunk/JSTests/stress/regress-177570.js (0 => 222601)
--- trunk/JSTests/stress/regress-177570.js (rev 0)
+++ trunk/JSTests/stress/regress-177570.js 2017-09-28 05:15:50 UTC (rev 222601)
@@ -0,0 +1,4 @@
+// Regression test for bug 177570
+
+if (/(Q)+|(\S)+Z/.test("Z "))
+ throw "/(Q)+|(\S)+Z/.test(\"Z \") should fail, but actually succeeds";
Modified: trunk/Source/_javascript_Core/ChangeLog (222600 => 222601)
--- trunk/Source/_javascript_Core/ChangeLog 2017-09-28 04:48:51 UTC (rev 222600)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-09-28 05:15:50 UTC (rev 222601)
@@ -1,3 +1,19 @@
+2017-09-27 Michael Saboff <[email protected]>
+
+ REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
+ https://bugs.webkit.org/show_bug.cgi?id=177570
+
+ Reviewed by Filip Pizlo.
+
+ The change in r210837 neglected to change the check in Interpreter::backtrackParentheses() that
+ greedy parenthesis have backtracked as far as possible. Prior to r210837 when non-zero minimum greedy
+ parenthesis were factored into a fixed component and then a zero-based variable component. After
+ r210837, the variable component is not zero based and the check needs to compare the
+ backTrack->matchAmount with the quantity iminimum count.
+
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::Interpreter::backtrackParentheses):
+
2017-09-28 Michael Saboff <[email protected]>
Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
Modified: trunk/Source/_javascript_Core/yarr/YarrInterpreter.cpp (222600 => 222601)
--- trunk/Source/_javascript_Core/yarr/YarrInterpreter.cpp 2017-09-28 04:48:51 UTC (rev 222600)
+++ trunk/Source/_javascript_Core/yarr/YarrInterpreter.cpp 2017-09-28 05:15:50 UTC (rev 222601)
@@ -1032,7 +1032,7 @@
}
case QuantifierGreedy: {
- if (!backTrack->matchAmount)
+ if (backTrack->matchAmount == term.atom.quantityMinCount)
return JSRegExpNoMatch;
ParenthesesDisjunctionContext* context = backTrack->lastContext;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
