Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: fbd2a11004f46e9ace6f44ba52ab7863d547e8db
      
https://github.com/WebKit/WebKit/commit/fbd2a11004f46e9ace6f44ba52ab7863d547e8db
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    A JSTests/stress/regexp-fixedcount-simple-backtrack-index-restore.js
    M Source/JavaScriptCore/yarr/YarrJIT.cpp

  Log Message:
  -----------
  [YARR] JIT FixedCount parentheses should restore index on backtrack
https://bugs.webkit.org/show_bug.cgi?id=308825

Reviewed by Yusuke Suzuki.

The simple FixedCount path (ParenthesesSubpatternFixedCountBegin/End) did
not restore the input index when backtracking out of the group. Each
successful iteration advances index by checkAdjust (the alternative's
minimum size), but on failure only the last iteration's checkAdjust was
subtracted, leaving the index ahead of where the group was entered. This
caused outer alternatives to match from the wrong position.

This is a regression from 306402@main which introduced this path.

The fix saves the initial index into the unused returnAddressIndex frame
slot before the loop, and restores it on backtrack. Nested captures are
also cleared to avoid leaking into subsequent alternatives.

Test: JSTests/stress/regexp-fixedcount-simple-backtrack-index-restore.js

* JSTests/stress/regexp-fixedcount-simple-backtrack-index-restore.js: Added.
(shouldBe):
(i.shouldBe.string_appeared_here.match):
(shouldBe.string_appeared_here.match):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:

Canonical link: https://commits.webkit.org/308509@main
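
The index bookkeeping described in the log message, as an added toy model (not code from the commit, the new test file, or YarrJIT). The function names, the sample pattern and the input are constructed for illustration; capture clearing is not modelled, and whether this exact pattern reaches the simple FixedCount JIT path is not stated in the message.

```javascript
// Toy model of the index bookkeeping for a fixed-count group (unit){count}.
// Simplified illustration; names and structure are hypothetical, not YarrJIT code.
function runFixedCount(input, index, unit, count, restoreOnBacktrack) {
  const entryIndex = index;          // the fix saves this before the loop
  const checkAdjust = unit.length;   // minimum size of the group's alternative
  for (let i = 0; i < count; i++) {
    index += checkAdjust;            // each iteration advances the index
    if (input.slice(index - checkAdjust, index) !== unit) {
      // Backtrack out of the group. The old behaviour undoes only the
      // failing iteration; the fixed behaviour returns to the entry index.
      index = restoreOnBacktrack ? entryIndex : index - checkAdjust;
      return { matched: false, index };
    }
  }
  return { matched: true, index };
}

// Outer pattern (?:(?:unit){count}|fallback), attempted at `start` only.
function matchAlternation(input, start, unit, count, fallback, restoreOnBacktrack) {
  const group = runFixedCount(input, start, unit, count, restoreOnBacktrack);
  if (group.matched) return { start, end: group.index };
  // The next alternative runs from whatever index the group left behind.
  const at = group.index;
  return input.startsWith(fallback, at) ? { start, end: at + fallback.length } : null;
}

// Constructed input: two "ab" iterations succeed, the third fails on "ac".
const SAMPLE = 'ababac';
const withoutRestore = matchAlternation(SAMPLE, 0, 'ab', 3, 'ac', false);
const withRestore = matchAlternation(SAMPLE, 0, 'ab', 3, 'ac', true);
// Reference semantics from the host engine for the same anchored pattern.
const engineResult = /^(?:(?:ab){3}|ac)/.exec(SAMPLE);

console.log({ withoutRestore, withRestore, engineResult });
```

Without the restore, the model's second alternative is tested at index 4 instead of 0 and reports a match that the anchored pattern cannot produce.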


