Title: [251411] trunk
Revision: 251411
Author: mark....@apple.com
Date: 2019-10-21 18:55:20 -0700 (Mon, 21 Oct 2019)

Log Message

Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
https://bugs.webkit.org/show_bug.cgi?id=203230
<rdar://problem/56460749>

Reviewed by Robin Morisset.

JSTests:

* stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js: Added.

Source/_javascript_Core:

operationRegExpExecNonGlobalOrSticky() was asserting no exception when
createRegExpMatchesArray() returns null.  createRegExpMatchesArray() only returns
null when RegExp::matchInline() returns -1.  The only way RegExp::matchInline()
can return -1 is via a throwError() helper which throws an exception.  The other
return path in RegExp::matchInline() explicitly ASSERT(result >= -1).  Hence, the
assertion in operationRegExpExecNonGlobalOrSticky() is wrong.

* dfg/DFGOperations.cpp:

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (251410 => 251411)


--- trunk/JSTests/ChangeLog	2019-10-22 01:48:40 UTC (rev 251410)
+++ trunk/JSTests/ChangeLog	2019-10-22 01:55:20 UTC (rev 251411)
@@ -1,3 +1,13 @@
+2019-10-21  Mark Lam  <mark....@apple.com>
+
+        Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
+        https://bugs.webkit.org/show_bug.cgi?id=203230
+        <rdar://problem/56460749>
+
+        Reviewed by Robin Morisset.
+
+        * stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js: Added.
+
 2019-10-21  Saam Barati  <sbar...@apple.com>
 
         ValuePow's constant folding rule differs from what the runtime does

Added: trunk/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js (0 => 251411)


--- trunk/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js	                        (rev 0)
+++ trunk/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js	2019-10-22 01:55:20 UTC (rev 251411)
@@ -0,0 +1,26 @@
+//@ runDefault("--alwaysUseShadowChicken=true", "--jitPolicyScale=0", "--useRandomizingFuzzerAgent=1", "--maxPerThreadStackUsage=1572863")
+//@ slow!
+
+class C {
+    constructor(func) {
+        this.func = func;
+    }
+    runTest() {
+        this.func();
+    }
+}
+function recurseAndTest() {
+    try {
+        recurseAndTest();
+        test.runTest();
+    } catch (e) {
+    }
+}
+const howManyParentheses = 1000;
+const deepRE = new RegExp('('.repeat(howManyParentheses) + ')'.repeat(howManyParentheses));
+let test = 
+    new C(() => {
+        deepRE.exec('');
+    });
+
+recurseAndTest();
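Review bot: the empty `catch (e) {}` in recurseAndTest() swallows every exception, so the test never confirms that `deepRE.exec('')` itself threw (the situation the removed assertion was wrong about) rather than the recursion alone hitting the stack limit before the callback ran; a short comment stating that the unbounded recursion exists to run exec() close to the stack limit so that RegExp::matchInline() fails via throwError(), plus a check that at least one exception originated inside the `() => { deepRE.exec(''); }` callback (for example, a counter incremented in a try/catch around the exec() call and verified after `recurseAndTest();` returns), would make the intent explicit and keep the test meaningful if stack-limit handling or the `--maxPerThreadStackUsage` option changes.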

Modified: trunk/Source/_javascript_Core/ChangeLog (251410 => 251411)


--- trunk/Source/_javascript_Core/ChangeLog	2019-10-22 01:48:40 UTC (rev 251410)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-10-22 01:55:20 UTC (rev 251411)
@@ -1,3 +1,20 @@
+2019-10-21  Mark Lam  <mark....@apple.com>
+
+        Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
+        https://bugs.webkit.org/show_bug.cgi?id=203230
+        <rdar://problem/56460749>
+
+        Reviewed by Robin Morisset.
+
+        operationRegExpExecNonGlobalOrSticky() was asserting no exception when
+        createRegExpMatchesArray() returns null.  createRegExpMatchesArray() only returns
+        null when RegExp::matchInline() returns -1.  The only way RegExp::matchInline()
+        can return -1 is via a throwError() helper which throws an exception.  The other
+        return path in RegExp::matchInline() explicitly ASSERT(result >= -1).  Hence, the
+        assertion in operationRegExpExecNonGlobalOrSticky() is wrong.
+
+        * dfg/DFGOperations.cpp:
+
 2019-10-21  Saam Barati  <sbar...@apple.com>
 
         ValuePow's constant folding rule differs from what the runtime does

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (251410 => 251411)


--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2019-10-22 01:48:40 UTC (rev 251410)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2019-10-22 01:55:20 UTC (rev 251411)
@@ -1245,12 +1245,9 @@
     unsigned lastIndex = 0;
     MatchResult result;
     JSArray* array = createRegExpMatchesArray(vm, globalObject, string, input, regExp, lastIndex, result);
-    if (!array) {
-        ASSERT(!scope.exception());
-        return JSValue::encode(jsNull());
-    }
+    RETURN_IF_EXCEPTION(scope, { });
+    ASSERT(array);
 
-    RETURN_IF_EXCEPTION(scope, { });
     globalObject->regExpGlobalData().recordMatch(vm, globalObject, regExp, string, result);
     return JSValue::encode(array);
 }
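Review bot: the former `if (!array)` null check is replaced by `ASSERT(array);`, which compiles out in release builds, so the fix now relies entirely on the invariant given in the ChangeLog (createRegExpMatchesArray() returns null only when RegExp::matchInline() returns -1, which happens only after throwError() has thrown); a one-line comment above `ASSERT(array);` recording that invariant would keep a later change to createRegExpMatchesArray() or matchInline() from silently letting a null `array` reach `recordMatch()` and `JSValue::encode(array)` in release. The reordering itself is correct: `RETURN_IF_EXCEPTION(scope, { });` now runs before anything inspects the result, whereas the old code asserted `!scope.exception()` on precisely the path that is only reached when an exception is pending.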
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes