Title: [107647] trunk/Source/JavaScriptCore
- Revision
- 107647
- Author
- [email protected]
- Date
- 2012-02-13 17:10:09 -0800 (Mon, 13 Feb 2012)
Log Message
Executing out of bounds in JSC::Yarr::YarrCodeBlock::execute / JSC::RegExp::match
https://bugs.webkit.org/show_bug.cgi?id=76315
Reviewed by Gavin Barraclough.
Perform a 3 byte compare using two comparisons, rather than trying to perform the
operation with a four byte load.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
Diff
Modified: trunk/Source/JavaScriptCore/ChangeLog (107646 => 107647)
--- trunk/Source/_javascript_Core/ChangeLog 2012-02-14 01:07:59 UTC (rev 107646)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-02-14 01:10:09 UTC (rev 107647)
@@ -1,3 +1,16 @@
+2012-02-13 Oliver Hunt <[email protected]>
+
+ Executing out of bounds in JSC::Yarr::YarrCodeBlock::execute / JSC::RegExp::match
+ https://bugs.webkit.org/show_bug.cgi?id=76315
+
+ Reviewed by Gavin Barraclough.
+
+ Perform a 3 byte compare using two comparisons, rather than trying to perform the
+ operation with a four byte load.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
+
2012-02-13 Mark Hahnenberg <[email protected]>
Windows build fix
Modified: trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp (107646 => 107647)
--- trunk/Source/_javascript_Core/yarr/YarrJIT.cpp 2012-02-14 01:07:59 UTC (rev 107646)
+++ trunk/Source/_javascript_Core/yarr/YarrJIT.cpp 2012-02-14 01:10:09 UTC (rev 107647)
@@ -732,10 +732,13 @@
break;
}
case 3: {
- BaseIndex address(input, index, TimesOne, (startTermPosition - m_checked) * sizeof(LChar));
- load32WithUnalignedHalfWords(address, character);
- and32(Imm32(0xffffff), character);
- break;
+ BaseIndex highAddress(input, index, TimesOne, (startTermPosition - m_checked) * sizeof(LChar));
+ load16(highAddress, character);
+ if (ignoreCaseMask)
+ or32(Imm32(ignoreCaseMask), character);
+ op.m_jumps.append(branch32(NotEqual, character, Imm32((allCharacters & 0xffff) | ignoreCaseMask)));
+ op.m_jumps.append(jumpIfCharNotEquals(allCharacters >> 16, startTermPosition + 2 - m_checked, character));
+ return;
}
case 4: {
BaseIndex address(input, index, TimesOne, (startTermPosition - m_checked) * sizeof(LChar));
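Review bot: the `return` that replaces the old `break` in `case 3` means this case no longer reaches whatever follows the switch, while the 1-, 2- and 4-byte cases still `break` into it; since the two `op.m_jumps.append(...)` lines now emit the mismatch branches inline that is presumably intended, but a short comment stating so, and stating why the 3-byte case can no longer use `load32WithUnalignedHalfWords` (the four-byte load named in the log message reads one byte beyond the three pattern characters, which at the end of the subject string is the out-of-bounds access the bug title refers to), would spare the next reader from re-deriving it. Also worth confirming that `jumpIfCharNotEquals(allCharacters >> 16, startTermPosition + 2 - m_checked, character)` applies the ignore-case mask for the third character on its own, since only the 16-bit half is OR-ed with `Imm32(ignoreCaseMask)` and compared against `(allCharacters & 0xffff) | ignoreCaseMask` here.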
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes