Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9a6fa47cdbf34c32d1a53e7e27d123eedbe68cbe
https://github.com/WebKit/WebKit/commit/9a6fa47cdbf34c32d1a53e7e27d123eedbe68cbe
Author: Sosuke Suzuki <[email protected]>
Date: 2026-03-03 (Tue, 03 Mar 2026)
Changed paths:
A JSTests/stress/regexp-multipattern-simd-scalar-bounds.js
M Source/JavaScriptCore/yarr/YarrJIT.cpp
Log Message:
-----------
[YARR] MultiPatternSIMD scalar loop should not fall into the body with index past end-of-input
https://bugs.webkit.org/show_bug.cgi?id=309049
Reviewed by Yusuke Suzuki.
generateMultiPatternSIMDSearch's scalar tail loop had two issues:

1. The caller linked both the scalar-exhausted fallthrough and the
   `matched` jump list to the same place, so exhaustion fell into the
   regex body instead of the failure chain. BitInTableSIMD and the
   scalar BM path already route exhaustion to op.m_jumps; do the same
   here.
2. The scalar bounds check only covered the 4-byte prefix load, not
   the full checkedOffset bytes the body reads at that index. Tighten
   the upper bound to index <= length. MaskedAlternativeInfo::create
   guarantees checkedOffset >= 4, so this also covers the load and
   drops an add32.
Test: JSTests/stress/regexp-multipattern-simd-scalar-bounds.js
* JSTests/stress/regexp-multipattern-simd-scalar-bounds.js: Added.
(shouldBe):
(shouldBe.new.RegExp.string_appeared_here.exec):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
Canonical link: https://commits.webkit.org/308538@main
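
Added example (not WebKit code and not part of the commit): a simplified C model of the two issues in the log message, showing the prefix-only bound beside a bound that covers every byte the body reads. It assumes index marks the start of the window the body reads, counts would-be over-reads instead of performing them, and uses hypothetical function names throughout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PREFIX_LEN 4  /* size of the prefix load named in the log message */

static int oob_reads; /* reads the body would have made past end-of-input */

/* Stand-in for the regex body: compares checked_offset bytes at index. */
static int body_matches(const uint8_t *in, size_t len, size_t index,
                        const uint8_t *pat, size_t checked_offset) {
    for (size_t i = 0; i < checked_offset; i++) {
        if (index + i >= len) { oob_reads++; return 0; } /* model only */
        if (in[index + i] != pat[i]) return 0;
    }
    return 1;
}

/* Before: the bound covers only the prefix load, and the exhausted
   path shares its target with the matched path (the body). */
static long scan_prefix_bound(const uint8_t *in, size_t len,
                              const uint8_t *pat, size_t co) {
    size_t index = 0;
    for (;;) {
        while (index + PREFIX_LEN <= len &&
               memcmp(in + index, pat, PREFIX_LEN) != 0)
            index++;
        /* "matched" and "exhausted" both arrive here. */
        if (body_matches(in, len, index, pat, co)) return (long)index;
        if (index + PREFIX_LEN > len) return -1;
        index++;
    }
}

/* After: the bound covers all co bytes (co >= PREFIX_LEN is assumed, so
   the prefix load is covered too) and exhaustion goes to failure. */
static long scan_full_bound(const uint8_t *in, size_t len,
                            const uint8_t *pat, size_t co) {
    for (size_t index = 0; index + co <= len; index++) {
        if (memcmp(in + index, pat, PREFIX_LEN) != 0) continue;
        if (body_matches(in, len, index, pat, co)) return (long)index;
    }
    return -1;
}
```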