Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dea6808af40e843bf36320a12bd09be169960268
https://github.com/WebKit/WebKit/commit/dea6808af40e843bf36320a12bd09be169960268
Author: Sosuke Suzuki <[email protected]>
Date: 2026-02-05 (Thu, 05 Feb 2026)
Changed paths:
A JSTests/stress/regexp-fixedcount-matchonly-stale-capture.js
M Source/JavaScriptCore/yarr/YarrJIT.cpp
Log Message:
-----------
[YARR] Fix stale captures in FixedCount groups in MatchOnly mode
https://bugs.webkit.org/show_bug.cgi?id=307127
Reviewed by Yusuke Suzuki.
When backreferences are used in MatchOnly mode (.test()), the JIT uses
internal frame storage for subpattern data (m_needsInternalSubpatternOutput).
However, the capture-clearing code at the start of each FixedCount iteration
checked m_compileMode == IncludeSubpatterns instead of
shouldRecordSubpatterns(), so captures were not cleared between iterations
in MatchOnly mode.

This caused stale capture values from a previous iteration to be visible to
backreferences. For example, /(?:(a)|(b)){2}\2/.test("ba") returned false
instead of true, because capture[2] retained "b" from iteration 1 into
iteration 2 where it should have been undefined.
Test: JSTests/stress/regexp-fixedcount-matchonly-stale-capture.js
* JSTests/stress/regexp-fixedcount-matchonly-stale-capture.js: Added.
(shouldBe):
(re.a):
(re2.a):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
Canonical link: https://commits.webkit.org/306920@main
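
The behaviour described in the log message can be checked from script by running the same input through .test() and .exec() and requiring both to agree with the ECMAScript result. This is an added example, not the contents of the commit's test file: the first case is the regex from the log message, while the remaining cases, the function names and the round count are constructed here.

```javascript
// Added example, not part of the WebKit commit. CASES[0] is the regex from the
// commit message; the other cases are constructed here from the same shape.
const CASES = [
  { re: /(?:(a)|(b)){2}\2/, input: "ba", match: true, captures: ["a", undefined] },
  { re: /(?:(a)|(b)){2}\1/, input: "ab", match: true, captures: [undefined, "b"] },
  // A stale capture[2] = "b" would wrongly satisfy \2 against the trailing "b".
  { re: /^(?:(a)|(b)){2}\2$/, input: "bab", match: false, captures: null },
  { re: /^(?:(a)|(b)){2}\2$/, input: "ba", match: true, captures: ["a", undefined] },
];

function sameCaptures(actual, expected) {
  if (actual === null || expected === null) return actual === expected;
  return actual.length === expected.length &&
    actual.every((value, i) => value === expected[i]);
}

// Runs one case through both entry points and lists any divergence.
function checkCase({ re, input, match, captures }) {
  const viaTest = re.test(input);   // match-only: no captures returned
  const result = re.exec(input);    // captures returned to the caller
  const viaExec = result !== null;
  const groups = result === null ? null : Array.from(result).slice(1);
  const problems = [];
  if (viaTest !== viaExec) problems.push("test() and exec() disagree");
  if (viaTest !== match) problems.push(`test() returned ${viaTest}`);
  if (!sameCaptures(groups, captures)) problems.push("unexpected capture groups");
  return problems;
}

// Repeats every case `rounds` times (assumption: enough repetitions for an
// engine to move the regex onto its optimized matcher, if it has one).
function findDisagreements(cases, rounds) {
  const failures = [];
  for (const c of cases) {
    for (let i = 0; i < rounds; i++) {
      const problems = checkCase(c);
      if (problems.length > 0) {
        failures.push({ source: c.re.source, input: c.input, round: i, problems });
        break;
      }
    }
  }
  return failures;
}

const failures = findDisagreements(CASES, 1000);
console.log(failures.length === 0 ? "all cases consistent" : JSON.stringify(failures, null, 2));
```

An engine that leaks a capture from one FixedCount iteration into the next reports the first case as a false negative and the third as a false positive, so the check covers both directions of the error.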