[webkit-changes] [248214] releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore

[mcatanzaro]

Title: [248214] releases/WebKitGTK/webkit-2.24/Source/_javascript_Core

Revision

248214

Author

mcatanz...@igalia.com

Date

2019-08-03 20:22:24 -0700 (Sat, 03 Aug 2019)

Log Message

Merge r243237 - JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
https://bugs.webkit.org/show_bug.cgi?id=195906

Reviewed by Mark Lam.

The problem here as that we may successfully parsed a RegExp without running out of stack,
but later run out of stack when trying to JIT compile the same _expression_.

Added a check for available stack space when we call into one of the parenthesis compilation
functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
compilation and let the interpreter handle the _expression_.

>From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
Given that we can reproduce a failure, this is sufficient for now.

This change is covered by the previously added failing test,
JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.

* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::interpret):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
(JSC::Yarr::YarrGenerator::opCompileBody):
(JSC::Yarr::dumpCompileFailure):
* yarr/YarrJIT.h:

Modified Paths

• releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog
• releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrInterpreter.cpp
• releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrJIT.cpp
• releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrJIT.h

Diff

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog (248213 => 248214)

--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-08-04 03:22:22 UTC (rev 248213)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-08-04 03:22:24 UTC (rev 248214)
@@ -1,3 +1,33 @@
+2019-03-20  Michael Saboff  <msab...@apple.com>
+
+        JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default
+        https://bugs.webkit.org/show_bug.cgi?id=195906
+
+        Reviewed by Mark Lam.
+
+        The problem here as that we may successfully parsed a RegExp without running out of stack,
+        but later run out of stack when trying to JIT compile the same _expression_.
+
+        Added a check for available stack space when we call into one of the parenthesis compilation
+        functions that recurse.  When we don't have enough stack space to recurse, we fail the JIT
+        compilation and let the interpreter handle the _expression_.
+
+        From code inspection of the YARR interpreter it has the same issue, but I couldn't cause a failure.
+        Filed a new bug and added a FIXME comment for the Interpreter to have similar checks.
+        Given that we can reproduce a failure, this is sufficient for now.
+
+        This change is covered by the previously added failing test,
+        JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js.
+
+        * yarr/YarrInterpreter.cpp:
+        (JSC::Yarr::Interpreter::interpret):
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
+        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
+        (JSC::Yarr::YarrGenerator::opCompileBody):
+        (JSC::Yarr::dumpCompileFailure):
+        * yarr/YarrJIT.h:
+
 2019-02-28  Mark Lam  <mark....@apple.com>
 
         cloop.rb shift mask should depend on the word size being shifted.

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrInterpreter.cpp (248213 => 248214)

--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2019-08-04 03:22:22 UTC (rev 248213)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2019-08-04 03:22:24 UTC (rev 248214)
@@ -1606,6 +1606,8 @@
 
     unsigned interpret()
     {
+        // FIXME: https://bugs.webkit.org/show_bug.cgi?id=195970
+        // [Yarr Interpreter] The interpreter doesn't have checks for stack overflow due to deep recursion
         if (!input.isAvailableInput(0))
             return offsetNoMatch;
 

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrJIT.cpp (248213 => 248214)

--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrJIT.cpp	2019-08-04 03:22:22 UTC (rev 248213)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrJIT.cpp	2019-08-04 03:22:24 UTC (rev 248214)
@@ -3386,6 +3386,11 @@
         YarrOpCode alternativeNextOpCode = OpSimpleNestedAlternativeNext;
         YarrOpCode alternativeEndOpCode = OpSimpleNestedAlternativeEnd;
 
+        if (UNLIKELY(!m_vm->isSafeToRecurse())) {
+            m_failureReason = JITFailureReason::ParenthesisNestedTooDeep;
+            return;
+        }
+
         // We can currently only compile quantity 1 subpatterns that are
         // not copies. We generate a copy in the case of a range quantifier,
         // e.g. /(?:x){3,9}/, or /(?:x)+/ (These are effectively expanded to
@@ -3492,6 +3497,11 @@
     // once, and will never backtrack back into the assertion.
     void opCompileParentheticalAssertion(PatternTerm* term)
     {
+        if (UNLIKELY(!m_vm->isSafeToRecurse())) {
+            m_failureReason = JITFailureReason::ParenthesisNestedTooDeep;
+            return;
+        }
+
         size_t parenBegin = m_ops.size();
         m_ops.append(OpParentheticalAssertionBegin);
 
@@ -3572,6 +3582,11 @@
     // to return the failing result.
     void opCompileBody(PatternDisjunction* disjunction)
     {
+        if (UNLIKELY(!m_vm->isSafeToRecurse())) {
+            m_failureReason = JITFailureReason::ParenthesisNestedTooDeep;
+            return;
+        }
+        
         Vector<std::unique_ptr<PatternAlternative>>& alternatives = disjunction->m_alternatives;
         size_t currentAlternativeIndex = 0;
 
@@ -4200,6 +4215,9 @@
     case JITFailureReason::FixedCountParenthesizedSubpattern:
         dataLog("Can't JIT a pattern containing fixed count parenthesized subpatterns\n");
         break;
+    case JITFailureReason::ParenthesisNestedTooDeep:
+        dataLog("Can't JIT pattern due to parentheses nested too deeply\n");
+        break;
     case JITFailureReason::ExecutableMemoryAllocationFailure:
         dataLog("Can't JIT because of failure of allocation of executable memory\n");
         break;

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrJIT.h (248213 => 248214)

--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrJIT.h	2019-08-04 03:22:22 UTC (rev 248213)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/yarr/YarrJIT.h	2019-08-04 03:22:24 UTC (rev 248214)
@@ -56,6 +56,7 @@
     VariableCountedParenthesisWithNonZeroMinimum,
     ParenthesizedSubpattern,
     FixedCountParenthesizedSubpattern,
+    ParenthesisNestedTooDeep,
     ExecutableMemoryAllocationFailure,
 };
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes