Title: [276542] branches/safari-611.1.21.2-branch/Source/JavaScriptCore
- Revision: 276542
- Author: [email protected]
- Date: 2021-04-23 17:26:51 -0700 (Fri, 23 Apr 2021)
Log Message
Cherry-pick r276527. rdar://problem/77092686
[YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
https://bugs.webkit.org/show_bug.cgi?id=224983
Reviewed by Mark Lam.
When we backtrack a parentheses with a greedy non zero based quantifier,
we don't properly restore for the case where we hadn't reached the minimum count.
We now save the input position on entry and restore it when we backtrack for
this case. We also properly release the allocated ParenthesesDisjunctionContext's.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::matchParentheses):
(JSC::Yarr::Interpreter::backtrackParentheses):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276527 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-611.1.21.2-branch/Source/_javascript_Core/ChangeLog (276541 => 276542)
--- branches/safari-611.1.21.2-branch/Source/_javascript_Core/ChangeLog 2021-04-24 00:26:48 UTC (rev 276541)
+++ branches/safari-611.1.21.2-branch/Source/_javascript_Core/ChangeLog 2021-04-24 00:26:51 UTC (rev 276542)
@@ -1,3 +1,40 @@
+2021-04-23 Alan Coon <[email protected]>
+
+ Cherry-pick r276527. rdar://problem/77092686
+
+ [YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
+ https://bugs.webkit.org/show_bug.cgi?id=224983
+
+ Reviewed by Mark Lam.
+
+ When we backtrack a parentheses with a greedy non zero based quantifier,
+ we don't properly restore for the case where we hadn't reached the minimum count.
+ We now save the input position on entry and restore it when we backtrack for
+ this case. We also properly release the allocated ParenthesesDisjunctionContext's.
+
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::Interpreter::matchParentheses):
+ (JSC::Yarr::Interpreter::backtrackParentheses):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276527 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-04-23 Michael Saboff <[email protected]>
+
+ [YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
+ https://bugs.webkit.org/show_bug.cgi?id=224983
+
+ Reviewed by Mark Lam.
+
+ When we backtrack a parentheses with a greedy non zero based quantifier,
+ we don't properly restore for the case where we hadn't reached the minimum count.
+ We now save the input position on entry and restore it when we backtrack for
+ this case. We also properly release the allocated ParenthesesDisjunctionContext's.
+
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::Interpreter::matchParentheses):
+ (JSC::Yarr::Interpreter::backtrackParentheses):
+
2021-02-17 Ruben Turcios <[email protected]>
Cherry-pick r271767. rdar://problem/74409412
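Review bot: The function list in the new entry names only matchParentheses and backtrackParentheses under yarr/YarrInterpreter.cpp, but the change also adds a `begin` field to struct BackTrackInfoParentheses. Mention the struct change in the entry so that someone reading the ChangeLog alone can see that the backtrack frame layout changed. The description also says the contexts are now released properly without saying what happened to them before; one sentence on that would help anyone assessing the impact of the bug.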
Modified: branches/safari-611.1.21.2-branch/Source/_javascript_Core/yarr/YarrInterpreter.cpp (276541 => 276542)
--- branches/safari-611.1.21.2-branch/Source/_javascript_Core/yarr/YarrInterpreter.cpp 2021-04-24 00:26:48 UTC (rev 276541)
+++ branches/safari-611.1.21.2-branch/Source/_javascript_Core/yarr/YarrInterpreter.cpp 2021-04-24 00:26:51 UTC (rev 276542)
@@ -45,6 +45,7 @@
struct ParenthesesDisjunctionContext;
struct BackTrackInfoParentheses {
+ uintptr_t begin;
uintptr_t matchAmount;
ParenthesesDisjunctionContext* lastContext;
};
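Review bot: Adding `uintptr_t begin;` as the first member grows BackTrackInfoParentheses by one pointer-sized slot and shifts the offsets of matchAmount and lastContext, and this struct is not allocated on its own but overlaid on the term's frame with a reinterpret_cast at `context->frame + term.frameLocation`. Nothing in this diff changes how much frame space a parentheses term reserves, so please confirm the existing reservation covers the larger struct; otherwise writes to lastContext would land in whatever follows it in the frame. A static_assert tying sizeof(BackTrackInfoParentheses) to the reserved frame space would make that checkable at compile time.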
@@ -1015,6 +1016,7 @@
BackTrackInfoParentheses* backTrack = reinterpret_cast<BackTrackInfoParentheses*>(context->frame + term.frameLocation);
ByteDisjunction* disjunctionBody = term.atom.parenthesesDisjunction;
+ backTrack->begin = input.getPos();
backTrack->matchAmount = 0;
backTrack->lastContext = nullptr;
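Review bot: `backTrack->begin = input.getPos();` is stored on every entry to this path, but the only reader in this change is the branch in backtrackParentheses taken when matchAmount is below term.atom.quantityMinCount. A one-line comment here saying that the value is the rewind point for that under-minimum backtrack would keep the field from looking unused to the next person touching this initialisation.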
@@ -1168,8 +1170,20 @@
popParenthesesDisjunctionContext(backTrack);
freeParenthesesDisjunctionContext(context);
- if (result != JSRegExpNoMatch || backTrack->matchAmount < term.atom.quantityMinCount)
+ if (backTrack->matchAmount < term.atom.quantityMinCount) {
+ while (backTrack->matchAmount) {
+ context = backTrack->lastContext;
+ resetMatches(term, context);
+ popParenthesesDisjunctionContext(backTrack);
+ freeParenthesesDisjunctionContext(context);
+ }
+
+ input.setPos(backTrack->begin);
return result;
+ }
+
+ if (result != JSRegExpNoMatch)
+ return result;
}
if (backTrack->matchAmount) {
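Review bot: The new `while (backTrack->matchAmount)` loop never changes matchAmount or lastContext itself; it terminates only because popParenthesesDisjunctionContext(backTrack) is expected to decrement the count and advance lastContext on each pass. An ASSERT(context) after `context = backTrack->lastContext;` would catch the count and the list getting out of step before resetMatches and freeParenthesesDisjunctionContext are handed a null pointer. The cleanup is also asymmetric: the under-minimum branch frees every remaining context and rewinds the input whatever `result` is, while the following `if (result != JSRegExpNoMatch) return result;` returns with the remaining contexts still linked on lastContext. If that is intentional because a later path releases them, say so in a comment; if not, the same unwind belongs there.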