Title: [106521] trunk
Revision
106521
Author
[email protected]
Date
2012-02-01 18:19:01 -0800 (Wed, 01 Feb 2012)

Log Message

Yarr crash with regexp replace
https://bugs.webkit.org/show_bug.cgi?id=67454

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

Properly handle the case of a back reference to an unmatched
subpattern by always matching without consuming any characters.

* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::matchBackReference):
(JSC::Yarr::Interpreter::backtrackBackReference):

LayoutTests: 

New tests to check for proper handling of back references to
unmatched subpatterns.

* fast/js/regexp-backreferences-expected.txt:
* fast/js/script-tests/regexp-backreferences.js:

Diff

Modified: trunk/LayoutTests/ChangeLog (106520 => 106521)


--- trunk/LayoutTests/ChangeLog	2012-02-02 02:11:52 UTC (rev 106520)
+++ trunk/LayoutTests/ChangeLog	2012-02-02 02:19:01 UTC (rev 106521)
@@ -1,3 +1,16 @@
+2012-02-01  Michael Saboff  <[email protected]>
+
+        Yarr crash with regexp replace
+        https://bugs.webkit.org/show_bug.cgi?id=67454
+
+        Reviewed by Gavin Barraclough.
+
+        New tests to check for proper handling of back references to
+        unmatched subpatterns.
+
+        * fast/js/regexp-backreferences-expected.txt:
+        * fast/js/script-tests/regexp-backreferences.js:
+
 2012-02-01  Pablo Flouret  <[email protected]>
 
         Support targetOrigin = "/" in postMessage for sending messages to same origin as source document.

Modified: trunk/LayoutTests/fast/js/regexp-backreferences-expected.txt (106520 => 106521)


--- trunk/LayoutTests/fast/js/regexp-backreferences-expected.txt	2012-02-02 02:11:52 UTC (rev 106520)
+++ trunk/LayoutTests/fast/js/regexp-backreferences-expected.txt	2012-02-02 02:19:01 UTC (rev 106521)
@@ -13,6 +13,8 @@
 PASS /\2(...)$/.test('abc') is false
 PASS /\1?(...)$/.test('abc') is true
 PASS /\1?(...)$/.test('abc') is true
+PASS re.test('axabcd') is false
+PASS re.test('axabcsz') is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
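Review bot: The two added expectations print only re.test(...), so a failing line in this file does not show which pattern was under test, unlike the neighbouring lines that carry the literal (for example /\1?(...)$/). Consider writing the pattern inline in the shouldBe strings so the expected output is self-describing.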

Modified: trunk/LayoutTests/fast/js/script-tests/regexp-backreferences.js (106520 => 106521)


--- trunk/LayoutTests/fast/js/script-tests/regexp-backreferences.js	2012-02-02 02:11:52 UTC (rev 106520)
+++ trunk/LayoutTests/fast/js/script-tests/regexp-backreferences.js	2012-02-02 02:19:01 UTC (rev 106521)
@@ -10,3 +10,8 @@
 shouldBeFalse("/\\2(...)$/.test('abc')");
 shouldBeTrue("/\\1?(...)$/.test('abc')");
 shouldBeTrue("/\\1?(...)$/.test('abc')");
+
+re = new RegExp("[^b]*((..)|(\\2))+Sz", "i");
+
+shouldBeFalse("re.test('axabcd')");
+shouldBeTrue("re.test('axabcsz')");
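Review bot: The change is titled "Yarr crash with regexp replace", but the added cases only call re.test(); nothing here goes through replace(). Adding a replace() call with this pattern on 'axabcd' and 'axabcsz' would cover the path named in the title. Separately, `re` is assigned without `var`, which makes it an implicit global shared with the rest of the script.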

Modified: trunk/Source/JavaScriptCore/ChangeLog (106520 => 106521)


--- trunk/Source/_javascript_Core/ChangeLog	2012-02-02 02:11:52 UTC (rev 106520)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-02-02 02:19:01 UTC (rev 106521)
@@ -1,3 +1,17 @@
+2012-02-01  Michael Saboff  <[email protected]>
+
+        Yarr crash with regexp replace
+        https://bugs.webkit.org/show_bug.cgi?id=67454
+
+        Reviewed by Gavin Barraclough.
+
+        Properly handle the case of a back reference to an unmatched
+        subpattern by always matching without consuming any characters.
+
+        * yarr/YarrInterpreter.cpp:
+        (JSC::Yarr::Interpreter::matchBackReference):
+        (JSC::Yarr::Interpreter::backtrackBackReference):
+
 2012-02-01  Gavin Barraclough  <[email protected]>
 
         calling function on catch block scope containing an eval result in wrong this value being passed

Modified: trunk/Source/JavaScriptCore/yarr/YarrInterpreter.cpp (106520 => 106521)


--- trunk/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2012-02-02 02:11:52 UTC (rev 106520)
+++ trunk/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2012-02-02 02:19:01 UTC (rev 106521)
@@ -565,8 +565,11 @@
         if (matchEnd == -1)
             return true;
 
-        ASSERT((matchBegin == -1) || (matchBegin <= matchEnd));
+        if (matchBegin == -1)
+            return true;
 
+        ASSERT(matchBegin <= matchEnd);
+
         if (matchBegin == matchEnd)
             return true;
 
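Review bot: The new `if (matchBegin == -1) return true;` is only reachable when matchEnd is not -1, because the context line above it already returns for `matchEnd == -1`; a comment saying how a subpattern ends up with an end offset but no begin offset would help the next reader. Folding both into one test, `if (matchBegin == -1 || matchEnd == -1) return true;`, would state the rule from the log message (a back reference to an unmatched subpattern matches without consuming characters) in one place. The remaining `ASSERT(matchBegin <= matchEnd)` is a debug-build check, so if an inverted range is possible it should also be handled at runtime.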
@@ -607,8 +610,12 @@
 
         int matchBegin = output[(term.atom.subpatternId << 1)];
         int matchEnd = output[(term.atom.subpatternId << 1) + 1];
-        ASSERT((matchBegin == -1) || (matchBegin <= matchEnd));
 
+        if (matchBegin == -1)
+            return false;
+
+        ASSERT(matchBegin <= matchEnd);
+
         if (matchBegin == matchEnd)
             return false;
 
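Review bot: Only matchBegin is tested against -1 here; the visible lines of this hunk have no counterpart to the `matchEnd == -1` early return shown in the first YarrInterpreter.cpp hunk. If matchEnd can be -1 while matchBegin is set, `ASSERT(matchBegin <= matchEnd)` fails in debug builds and release builds continue with an inverted range. Consider `if (matchBegin == -1 || matchEnd == -1) return false;`, or a comment stating why that state cannot occur on the backtrack path.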