Title: [243237] trunk/Source/JavaScriptCore
Revision: 243237
Author: msab...@apple.com
Date: 2019-03-20 14:04:10 -0700 (Wed, 20 Mar 2019)

Log Message

JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
https://bugs.webkit.org/show_bug.cgi?id=195906

Reviewed by Mark Lam.

The problem here is that we may have successfully parsed a RegExp without running out of stack,
but later run out of stack when trying to JIT compile the same expression.

Added a check for available stack space when we call into one of the parenthesis compilation
functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
compilation and let the interpreter handle the expression.

From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
Given that we can reproduce a failure, this is sufficient for now.

This change is covered by the previously added failing test,
JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.

* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::interpret):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
(JSC::Yarr::YarrGenerator::opCompileBody):
(JSC::Yarr::dumpCompileFailure):
* yarr/YarrJIT.h:
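
The mechanism the log message describes, as an added example that is not WebKit's code: a toy pattern compiler whose recursive parenthesis compiler asks a stack guard before every recursion, reports ParenthesisNestedTooDeep instead of overflowing, and then falls back to an iterative compiler that keeps its nesting depth in a counter rather than on the call stack. That last property is what the interpreter fallback needs and what the FIXME above says it currently lacks. The StackGuard class is a hypothetical stand-in for VM::isSafeToRecurse(), measuring bytes used below the compile entry point against a fixed budget and assuming a downward-growing stack; the 128 KB budget, the grammar (literals and parentheses only), and all names are assumptions of the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

enum class FailureReason { None, ParenthesisNestedTooDeep, SyntaxError };
enum class Op : uint8_t { Char, ParenBegin, ParenEnd };

// Hypothetical stand-in for VM::isSafeToRecurse() (not the real API): remembers
// the stack position at compile entry and refuses recursion once more than
// `budget` bytes below it are in use. Assumes a downward-growing stack.
class StackGuard {
public:
    explicit StackGuard(size_t budget) : m_budget(budget) { int m; m_base = reinterpret_cast<intptr_t>(&m); }
    bool isSafeToRecurse() const { int m; return m_base - reinterpret_cast<intptr_t>(&m) < static_cast<intptr_t>(m_budget); }
private:
    intptr_t m_base;
    size_t m_budget;
};

struct CompileResult {
    std::vector<Op> ops;
    FailureReason failure = FailureReason::None;
};

// Recursive-descent compiler: compileGroup() and compileSequence() call each
// other once per nesting level, the same shape of recursion the Yarr fix guards.
class RecursiveCompiler {
public:
    RecursiveCompiler(const std::string& pattern, const StackGuard& guard)
        : m_pattern(pattern), m_guard(guard) {}

    CompileResult compile() {
        compileSequence();
        if (m_result.failure == FailureReason::None && m_pos != m_pattern.size())
            m_result.failure = FailureReason::SyntaxError; // stray ')'
        return m_result;
    }

private:
    void compileSequence() {
        while (m_pos < m_pattern.size() && m_pattern[m_pos] != ')') {
            if (m_pattern[m_pos] != '(') { m_result.ops.push_back(Op::Char); ++m_pos; continue; }
            compileGroup();
            if (m_result.failure != FailureReason::None) return; // unwind, emit nothing more
        }
    }

    // Mirrors opCompileParenthesesSubpattern(): test the stack *before* recursing
    // and report the failure to the caller through m_result.failure.
    void compileGroup() {
        if (!m_guard.isSafeToRecurse()) { m_result.failure = FailureReason::ParenthesisNestedTooDeep; return; }
        ++m_pos; // consume '('
        m_result.ops.push_back(Op::ParenBegin);
        compileSequence();
        if (m_result.failure != FailureReason::None) return;
        if (m_pos == m_pattern.size()) { m_result.failure = FailureReason::SyntaxError; return; } // unterminated
        ++m_pos; // consume ')'
        m_result.ops.push_back(Op::ParenEnd);
    }

    const std::string& m_pattern;
    const StackGuard& m_guard;
    size_t m_pos = 0;
    CompileResult m_result;
};

// Fallback with no recursion: an explicit depth counter replaces the call stack,
// so nesting depth cannot overflow it. The interpreter fallback must have this
// property for the JIT bail-out to be a fix rather than a detour.
CompileResult compileIterative(const std::string& pattern) {
    CompileResult result;
    size_t depth = 0;
    for (char c : pattern) {
        if (c == '(') { ++depth; result.ops.push_back(Op::ParenBegin); }
        else if (c != ')') result.ops.push_back(Op::Char);
        else if (depth == 0) { result.failure = FailureReason::SyntaxError; return result; }
        else { --depth; result.ops.push_back(Op::ParenEnd); }
    }
    if (depth != 0) result.failure = FailureReason::SyntaxError;
    return result;
}

struct Outcome { bool usedFastPath; CompileResult result; };

// Try the recursive (JIT-like) path under a fixed stack budget; on
// ParenthesisNestedTooDeep, and only then, fall back to the iterative path.
Outcome compileWithFallback(const std::string& pattern, size_t stackBudget = 128 * 1024) {
    StackGuard guard(stackBudget);
    CompileResult fast = RecursiveCompiler(pattern, guard).compile();
    if (fast.failure != FailureReason::ParenthesisNestedTooDeep)
        return { true, fast };
    return { false, compileIterative(pattern) };
}

// Constructed input: depth x '(', one literal, depth x ')'.
std::string nestedPattern(size_t depth) {
    return std::string(depth, '(') + "a" + std::string(depth, ')');
}
```

Two things carry over to the real code: the budget has to sit well below the smallest stack the compiler can ever run on (worker threads included), and the check belongs before the recursive call, not after it. A pattern of a few thousand nested groups takes the fallback here; one of depth 100000 would overflow an 8 MB stack on the recursive path without the guard, and does not reach it with the guard.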

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (243236 => 243237)


--- trunk/Source/_javascript_Core/ChangeLog	2019-03-20 20:37:01 UTC (rev 243236)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-03-20 21:04:10 UTC (rev 243237)
@@ -1,3 +1,33 @@
+2019-03-20  Michael Saboff  <msab...@apple.com>
+
+        JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
+        https://bugs.webkit.org/show_bug.cgi?id=195906
+
+        Reviewed by Mark Lam.
+
+        The problem here as that we may successfully parsed a RegExp without running out of stack,
+        but later run out of stack when trying to JIT compile the same _expression_.
+
+        Added a check for available stack space when we call into one of the parenthesis compilation
+        functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
+        compilation and let the interpreter handle the _expression_.
+
+        From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
+        Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
+        Given that we can reproduce a failure, this is sufficient for now.
+
+        This change is covered by the previously added failing test,
+        JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.
+
+        * yarr/YarrInterpreter.cpp:
+        (JSC::Yarr::Interpreter::interpret):
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
+        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
+        (JSC::Yarr::YarrGenerator::opCompileBody):
+        (JSC::Yarr::dumpCompileFailure):
+        * yarr/YarrJIT.h:
+
 2019-03-20  Robin Morisset  <rmoris...@apple.com>
 
         DFGNodeAllocator.h is dead code
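Review bot: the ChangeLog entry commits the grammar slip from the commit message ("The problem here as that we may successfully parsed a RegExp"); change it to "The problem here is that we may have successfully parsed a RegExp" before landing. The closing sentence of that paragraph, "Given that we can reproduce a failure, this is sufficient for now.", also reads as the opposite of the sentence before it, which says a failure could not be caused; confirm whether "can't" was intended, since the ChangeLog is what future readers of this file will see.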

Modified: trunk/Source/_javascript_Core/yarr/YarrInterpreter.cpp (243236 => 243237)


--- trunk/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2019-03-20 20:37:01 UTC (rev 243236)
+++ trunk/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2019-03-20 21:04:10 UTC (rev 243237)
@@ -1606,6 +1606,8 @@
 
     unsigned interpret()
     {
+        // FIXME: https://bugs.webkit.org/show_bug.cgi?id=195970
+        // [Yarr Interpreter] The interpreter doesn't have checks for stack overflow due to deep recursion
         if (!input.isAvailableInput(0))
             return offsetNoMatch;
 
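Review bot: the FIXME in interpret() documents the gap but leaves the fallback path unprotected for exactly the inputs that now reach it: a pattern that trips the new JIT guard is handed to an interpreter the log message says has the same unchecked recursion, so for those inputs the overflow moves rather than disappears. The FIXME should say that explicitly, and the cheap mitigation is to apply the same m_vm->isSafeToRecurse() test at the interpreter's recursion points (returning a no-match or an error, as the JIT does with m_failureReason) under bug 195970 rather than leave the entry point as the only marker.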

Modified: trunk/Source/_javascript_Core/yarr/YarrJIT.cpp (243236 => 243237)


--- trunk/Source/_javascript_Core/yarr/YarrJIT.cpp	2019-03-20 20:37:01 UTC (rev 243236)
+++ trunk/Source/_javascript_Core/yarr/YarrJIT.cpp	2019-03-20 21:04:10 UTC (rev 243237)
@@ -3386,6 +3386,11 @@
         YarrOpCode alternativeNextOpCode = OpSimpleNestedAlternativeNext;
         YarrOpCode alternativeEndOpCode = OpSimpleNestedAlternativeEnd;
 
+        if (UNLIKELY(!m_vm->isSafeToRecurse())) {
+            m_failureReason = JITFailureReason::ParenthesisNestedTooDeep;
+            return;
+        }
+
         // We can currently only compile quantity 1 subpatterns that are
         // not copies. We generate a copy in the case of a range quantifier,
         // e.g. /(?:x){3,9}/, or /(?:x)+/ (These are effectively expanded to
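Review bot: the guard returns silently from a void function, so m_failureReason is the only signal that no ops were emitted; every caller of opCompileParenthesesSubpattern needs to test m_failureReason immediately after the call and unwind, otherwise compilation continues over an op list that is missing this subpattern's begin/end ops. Also, the check sits after the alternativeNextOpCode/alternativeEndOpCode assignments here but is the first statement in the other two functions; move it to the top so the three sites read the same.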
@@ -3492,6 +3497,11 @@
     // once, and will never backtrack back into the assertion.
     void opCompileParentheticalAssertion(PatternTerm* term)
     {
+        if (UNLIKELY(!m_vm->isSafeToRecurse())) {
+            m_failureReason = JITFailureReason::ParenthesisNestedTooDeep;
+            return;
+        }
+
         size_t parenBegin = m_ops.size();
         m_ops.append(OpParentheticalAssertionBegin);
 
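Review bot: this is the second verbatim copy of the same five-line guard, with a third in opCompileBody below; factor it into one helper on YarrGenerator, for example a hypothetical `bool checkStackDepth()` that sets m_failureReason to ParenthesisNestedTooDeep and returns false, so that a change to the check or to the failure reason is made once and a fourth recursive site cannot forget part of the idiom.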
@@ -3572,6 +3582,11 @@
     // to return the failing result.
     void opCompileBody(PatternDisjunction* disjunction)
     {
+        if (UNLIKELY(!m_vm->isSafeToRecurse())) {
+            m_failureReason = JITFailureReason::ParenthesisNestedTooDeep;
+            return;
+        }
+        
         Vector<std::unique_ptr<PatternAlternative>>& alternatives = disjunction->m_alternatives;
         size_t currentAlternativeIndex = 0;
 
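Review bot: the added blank line after the guard in opCompileBody carries trailing whitespace (`+        `); strip it, since the style checker flags it and the other two sites add a clean blank line. Beyond that, the guard here is the entry-level one, so it fires when compilation is entered with little stack already available rather than because of anything in the pattern; that is fine behaviourally (the interpreter takes over), but it is the first place a reader will look for why a shallow pattern was refused, and deserves a one-line comment saying so.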
@@ -4200,6 +4215,9 @@
     case JITFailureReason::FixedCountParenthesizedSubpattern:
         dataLog("Can't JIT a pattern containing fixed count parenthesized subpatterns\n");
         break;
+    case JITFailureReason::ParenthesisNestedTooDeep:
+        dataLog("Can't JIT pattern due to parentheses nested too deeply\n");
+        break;
     case JITFailureReason::ExecutableMemoryAllocationFailure:
         dataLog("Can't JIT because of failure of allocation of executable memory\n");
         break;
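Review bot: the log line "parentheses nested too deeply" names the cause the check is meant to catch, not what it tests. The guard reads the thread's remaining stack via isSafeToRecurse(), so a pattern of modest nesting hits this path when compilation starts deep in the JS stack, and someone reading the log would then hunt for a pattern problem that is not there. Suggest "Can't JIT pattern: not enough stack to compile nested parentheses" so the message points at the actual condition, and consider the same for the enumerator name.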

Modified: trunk/Source/_javascript_Core/yarr/YarrJIT.h (243236 => 243237)


--- trunk/Source/_javascript_Core/yarr/YarrJIT.h	2019-03-20 20:37:01 UTC (rev 243236)
+++ trunk/Source/_javascript_Core/yarr/YarrJIT.h	2019-03-20 21:04:10 UTC (rev 243237)
@@ -56,6 +56,7 @@
     VariableCountedParenthesisWithNonZeroMinimum,
     ParenthesizedSubpattern,
     FixedCountParenthesizedSubpattern,
+    ParenthesisNestedTooDeep,
     ExecutableMemoryAllocationFailure,
 };
 
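Review bot: inserting ParenthesisNestedTooDeep ahead of ExecutableMemoryAllocationFailure renumbers that enumerator; harmless as long as JITFailureReason is never serialized or compared numerically, which is worth confirming, and appending at the end would avoid the question. Every switch over the enum also needs the new case (dumpCompileFailure got it; any other switch without a default will at least warn under -Wswitch).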
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes