Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9068c0916cf912475266066b148857ed2739fdc2
      
https://github.com/WebKit/WebKit/commit/9068c0916cf912475266066b148857ed2739fdc2
  Author: Yusuke Suzuki <[email protected]>
  Date:   2026-02-05 (Thu, 05 Feb 2026)

  Changed paths:
    A JSTests/stress/regexp-fixedcount-stale-endindex.js
    M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
    M Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp
    M Source/JavaScriptCore/runtime/RegExp.cpp
    M Source/JavaScriptCore/runtime/RegExpMatchesArray.h
    M Source/JavaScriptCore/runtime/RegExpPrototype.cpp
    M Source/JavaScriptCore/runtime/StringPrototype.cpp
    M Source/JavaScriptCore/runtime/StringPrototypeInlines.h
    M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
    M Source/JavaScriptCore/yarr/YarrJIT.cpp

  Log Message:
  -----------
  [Yarr] Clear start and end for subpattern
https://bugs.webkit.org/show_bug.cgi?id=307041
rdar://169681715

Reviewed by Sosuke Suzuki.

When a FixedCount parentheses iteration fails, we leave the end index -1
while we have already set the begin index with the starting value. Also, we
are not clearing the end index before the iteration. As a result, we end up
having the previous garbage value for the end index and we have a broken
range, while this begin/end pair is a failed one.

This patch clears both begin/end to -1 when clearing. Also, we check both
begin/end to determine whether this capture has an actual value.

Test: JSTests/stress/regexp-fixedcount-stale-endindex.js

* JSTests/stress/regexp-fixedcount-stale-endindex.js: Added.
(testNegativeLookaheadBackref):
(testNegativeLookaheadBackref2):
(testFixedCountNestedGroups):
(testManyIterations):
(testGreedyWithBackref):
(testEmptyBackref):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::findMagicComment):
* Source/JavaScriptCore/runtime/RegExp.cpp:
(JSC::RegExpFunctionalTestCollector::outputOneTest):
* Source/JavaScriptCore/runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
* Source/JavaScriptCore/runtime/RegExpPrototype.cpp:
(JSC::genericSplit):
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::substituteBackreferencesSlow):
* Source/JavaScriptCore/runtime/StringPrototypeInlines.h:
(JSC::addToRegExpSearchCache):
(JSC::replaceUsingRegExpSearch):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::backtrackBackReference):
(JSC::Yarr::Interpreter::matchParentheticalAssertionEnd):
(JSC::Yarr::Interpreter::backtrackParentheticalAssertionEnd):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:

Canonical link: https://commits.webkit.org/306841@main
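
The stale end index described in the log message, as an added example: a simplified model written for this page, not JavaScriptCore code. The struct, function names and the iteration sequence are all assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model of a capture output vector: slot 2*i is the begin index and
// slot 2*i+1 the end index of capture i; -1 means "no value".
// Hypothetical names throughout; this is not JavaScriptCore code.
struct Captures {
    std::vector<int> slots;
    explicit Captures(size_t count) : slots(count * 2, -1) {}
    int& begin(size_t i) { return slots[2 * i]; }
    int& end(size_t i) { return slots[2 * i + 1]; }
};

// One iteration of a counted group. length < 0 models a failed iteration.
// patched == false leaves the end slot untouched before the iteration.
bool attempt(Captures& c, size_t i, int start, int length, bool patched)
{
    c.begin(i) = -1;
    if (patched)
        c.end(i) = -1;          // clear both slots, as the log message describes
    c.begin(i) = start;         // begin is written before the body is matched
    if (length < 0)
        return false;           // failure: end is never written in this iteration
    c.end(i) = start + length;
    return true;
}

bool hasValueBeginOnly(Captures& c, size_t i) { return c.begin(i) >= 0; }
bool hasValueBoth(Captures& c, size_t i) { return c.begin(i) >= 0 && c.end(i) >= 0; }
int captureLength(Captures& c, size_t i) { return c.end(i) - c.begin(i); }

// Constructed sequence: iteration 1 matches [2, 5), iteration 2 starts at 7 and fails.
Captures scenario(bool patched)
{
    Captures c(1);
    attempt(c, 0, 2, 3, patched);
    attempt(c, 0, 7, -1, patched);
    return c;
}

int main()
{
    Captures before = scenario(false), after = scenario(true);
    std::printf("unpatched: begin=%d end=%d length=%d\n", before.begin(0), before.end(0), captureLength(before, 0));
    std::printf("patched:   begin=%d end=%d hasValue=%d\n", after.begin(0), after.end(0), hasValueBoth(after, 0));
    return 0;
}
```

In the unpatched run the pair reads as begin=7, end=5, so a consumer that tests only the begin slot treats it as a capture of length -2. With both slots cleared and both checked, the same failed iteration reports no value.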


