Title: [280224] releases/WebKitGTK/webkit-2.32/Source/_javascript_Core
Revision
280224
Author
[email protected]
Date
2021-07-23 01:17:28 -0700 (Fri, 23 Jul 2021)

Log Message

Merge r276527 - [YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
https://bugs.webkit.org/show_bug.cgi?id=224983

Reviewed by Mark Lam.

When we backtrack parentheses with a greedy non-zero-based quantifier,
we don't properly restore for the case where we hadn't reached the minimum count.
We now save the input position on entry and restore it when we backtrack for
this case. We also properly release the allocated ParenthesesDisjunctionContexts.

* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::matchParentheses):
(JSC::Yarr::Interpreter::backtrackParentheses):
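The behaviour the log message describes, from the script side: a group with a non-zero minimum greedy count fails to reach that minimum, the engine must backtrack to the input position it had on entry to the group, and any later alternative must then be tried from that original position with the group's captures reset. The checks below are an added example written for this page; they are not WebKit's own regression test for bug 224983. The cases, inputs and expected values are constructed here and follow the ECMAScript RegExp semantics, so a conformant engine (this was reasoned through against the spec; V8 in Node is assumed as the runner) returns exactly these results.

```javascript
// Constructed regression-style checks for backtracking of parentheses with a
// non-zero minimum greedy quantifier. Each case forces the group to fail below
// its minimum so the engine must restore the input position and captures
// before trying the next alternative or the next start index.
const CASES = [
  // (ab){2,} sees only one "ab"; the alternative "a" must then match at index 0.
  { re: /(?:ab){2,}c|a/, input: "abd", expect: { index: 0, match: "a" } },
  // Capturing group: after the failed minimum, capture 1 must be undefined and
  // the second alternative's capture must be populated instead.
  { re: /(ab){3}|(a)b/, input: "abab", expect: { index: 0, match: "ab", groups: [undefined, "a"] } },
  // The group is entered after a prefix; restoring to the group's entry position
  // (not to 0) is what lets the prefix backtrack and the alternative succeed.
  { re: /x(?:ab){2,}|xa/, input: "xabz", expect: { index: 0, match: "xa" } },
  // Minimum reached, then the following "b" fails and backtracking pops the
  // count below the minimum: the whole alternative fails at index 0 and the
  // scan must move on to index 1, where "ba" matches.
  { re: /(?:ab){2,}b|ba/, input: "abab", expect: { index: 1, match: "ba" } },
  // No alternative at all: the match must fail outright, not partially succeed.
  { re: /^(?:ab){2,}$/, input: "ab", expect: null },
];

// Run one case and report whether exec() produced the expected index, match
// text and (when given) capture groups.
function runCase({ re, input, expect }) {
  const m = re.exec(input);
  if (expect === null) return { ok: m === null, got: m && m[0] };
  if (m === null) return { ok: false, got: null };
  const groupsOk = !expect.groups || expect.groups.every((g, i) => m[i + 1] === g);
  return { ok: m.index === expect.index && m[0] === expect.match && groupsOk, got: m[0] };
}

// Run every case and return a result row per case (pattern, input, ok, got).
function checkAll(cases = CASES) {
  return cases.map((c) => ({ pattern: String(c.re), input: c.input, ...runCase(c) }));
}

// True when every case behaves as the spec requires.
function allPass(cases = CASES) {
  return checkAll(cases).every((r) => r.ok);
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const r of checkAll())
    console.log(r.ok ? "ok  " : "FAIL", r.pattern, JSON.stringify(r.input), "->", JSON.stringify(r.got));
}
```

Running the file prints one line per case; `allPass()` is the single value a test harness would assert on. Each pattern is deliberately small, so a failure points straight at which part of the restore (position, count, or captures) went wrong.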

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.32/Source/_javascript_Core/ChangeLog (280223 => 280224)


--- releases/WebKitGTK/webkit-2.32/Source/_javascript_Core/ChangeLog	2021-07-23 08:14:29 UTC (rev 280223)
+++ releases/WebKitGTK/webkit-2.32/Source/_javascript_Core/ChangeLog	2021-07-23 08:17:28 UTC (rev 280224)
@@ -1,3 +1,19 @@
+2021-04-23  Michael Saboff  <[email protected]>
+
+        [YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
+        https://bugs.webkit.org/show_bug.cgi?id=224983
+
+        Reviewed by Mark Lam.
+
+        When we backtrack a parentheses with a greedy non zero based quantifier,
+        we don't properly restore for the case where we hadn't reached the minimum count.
+        We now save the input position on entry and restore it when we backtrack for
+        this case.  We also properly release the allocated ParenthesesDisjunctionContext's.
+
+        * yarr/YarrInterpreter.cpp:
+        (JSC::Yarr::Interpreter::matchParentheses):
+        (JSC::Yarr::Interpreter::backtrackParentheses):
+
 2021-04-23  Mark Lam  <[email protected]>
 
         Fix B3 strength reduction for shl.

Modified: releases/WebKitGTK/webkit-2.32/Source/_javascript_Core/yarr/YarrInterpreter.cpp (280223 => 280224)


--- releases/WebKitGTK/webkit-2.32/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2021-07-23 08:14:29 UTC (rev 280223)
+++ releases/WebKitGTK/webkit-2.32/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2021-07-23 08:17:28 UTC (rev 280224)
@@ -45,6 +45,7 @@
     struct ParenthesesDisjunctionContext;
 
     struct BackTrackInfoParentheses {
+        uintptr_t begin;
         uintptr_t matchAmount;
         ParenthesesDisjunctionContext* lastContext;
     };
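Review bot: the new `begin` field in BackTrackInfoParentheses is undocumented, and it also grows the per-term frame slot that `context->frame + term.frameLocation` is cast to; a one-line comment saying it holds the input position at entry (restored in backtrackParentheses when the minimum count was not reached) would help, and the frame-size computation for parentheses terms, which is not part of this diff, should be confirmed to account for the extra word.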
@@ -1015,6 +1016,7 @@
         BackTrackInfoParentheses* backTrack = reinterpret_cast<BackTrackInfoParentheses*>(context->frame + term.frameLocation);
         ByteDisjunction* disjunctionBody = term.atom.parenthesesDisjunction;
 
+        backTrack->begin = input.getPos();
         backTrack->matchAmount = 0;
         backTrack->lastContext = nullptr;
 
@@ -1168,8 +1170,20 @@
                 popParenthesesDisjunctionContext(backTrack);
                 freeParenthesesDisjunctionContext(context);
 
-                if (result != JSRegExpNoMatch || backTrack->matchAmount < term.atom.quantityMinCount)
+                if (backTrack->matchAmount < term.atom.quantityMinCount) {
+                    while (backTrack->matchAmount) {
+                        context = backTrack->lastContext;
+                        resetMatches(term, context);
+                        popParenthesesDisjunctionContext(backTrack);
+                        freeParenthesesDisjunctionContext(context);
+                    }
+
+                    input.setPos(backTrack->begin);
                     return result;
+                }
+
+                if (result != JSRegExpNoMatch)
+                    return result;
             }
 
             if (backTrack->matchAmount) {
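Review bot: the `while (backTrack->matchAmount)` loop in the new below-minimum block repeats the three-line pop/free sequence (`resetMatches`, `popParenthesesDisjunctionContext`, `freeParenthesesDisjunctionContext`) that sits directly above it, and its termination depends on `popParenthesesDisjunctionContext(backTrack)` decrementing `matchAmount` and updating `lastContext`; factoring that sequence into a small helper and stating the invariant in a comment would make the loop's correctness obvious at a glance. Two more points worth a comment: `input.setPos(backTrack->begin)` is only performed on the below-minimum path, and that path returns `result` even when it is an error code rather than JSRegExpNoMatch (preserving the old condition's behaviour), which is easy to misread as a plain no-match return.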
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
