Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 763a3ed2aee05606091572bdb525f83c49783050
      
https://github.com/WebKit/WebKit/commit/763a3ed2aee05606091572bdb525f83c49783050
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-03-09 (Mon, 09 Mar 2026)

  Changed paths:
    A JSTests/stress/regexp-split-empty-string-record-match.js
    A JSTests/stress/regexp-split-newlines-fastpath-record-match.js
    M Source/JavaScriptCore/runtime/RegExpPrototype.cpp

  Log Message:
  -----------
  [JSC] Record RegExp legacy properties on limit abort in Newlines split fast paths
https://bugs.webkit.org/show_bug.cgi?id=309206

Reviewed by Yusuke Suzuki.

Two fast paths in regExpProtoFuncSplitFast skipped updating the legacy
RegExp statics (RegExp.lastMatch/leftContext/rightContext/input from
Annex B), leaving them stale from the previous match. genericSplit
records via performMatch on every iteration, and V8 also reports the
last executed match.

(1) Empty string input path

    /seed/.exec("hello seed world");
    "".split(/(?:)/);
    RegExp.lastMatch;   // was "seed", should be ""
    RegExp.input;       // was "hello seed world", should be ""

This path called regexp->match() directly instead of performMatch().
This was the only such call site in JSC. Replace with performMatch().

(2) SpecificPattern::Newlines fast path at limit abort

    /ZZZ/.exec("xxxZZZyyy");
    "a\nb\nc".split(/\r\n?|\n/, 1);
    RegExp.lastMatch;   // was "ZZZ", should be "\n"
    RegExp.input;       // was "xxxZZZyyy", should be "a\nb\nc"

This path uses WTF::findNextNewline directly so it must call recordMatch
manually. When the result length reaches `limit`, the existing code
broke out before updating lastMatchResult and returned before reaching
recordMatch.

Move lastMatchResult assignment before the push and the limit check,
and move recordMatch before the early return.

* JSTests/stress/regexp-split-newlines-fastpath-record-match.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/runtime/RegExpPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/308958@main
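
Added example, not part of the commit or of WebKit's source: a simplified JavaScript model of the ordering problem in case (2), with the pre-fix and post-fix control flow side by side. All function names, the `statics` object and the `fixed` switch are hypothetical stand-ins for the fast path, lastMatchResult and recordMatch named in the log message.

```javascript
// Simplified model of the control flow the log message describes.
// Hypothetical names throughout; this is not code from RegExpPrototype.cpp.
const NEWLINE = /\r\n?|\n/g;

// Stand-in for a direct newline scanner that bypasses the regexp engine.
function findNextNewline(input, from) {
  NEWLINE.lastIndex = from;
  const m = NEWLINE.exec(input);
  return m ? { start: m.index, end: m.index + m[0].length } : null;
}

// Stand-in for updating the legacy statics (RegExp.lastMatch / RegExp.input).
function recordMatch(statics, input, match) {
  statics.lastMatch = input.slice(match.start, match.end);
  statics.input = input;
}

function splitNewlines(input, limit, statics, fixed) {
  if (limit === 0) return [];
  const result = [];
  let pos = 0, lastMatchResult = null, m;
  while ((m = findNextNewline(input, pos)) !== null) {
    if (fixed) lastMatchResult = m;      // fixed: assign before push and limit check
    result.push(input.slice(pos, m.start));
    if (result.length === limit) {
      // fixed: record before the early return; pre-fix: statics stay stale
      if (fixed) recordMatch(statics, input, lastMatchResult);
      return result;
    }
    if (!fixed) lastMatchResult = m;     // pre-fix: assigned only after the limit check
    pos = m.end;
  }
  result.push(input.slice(pos));
  if (lastMatchResult) recordMatch(statics, input, lastMatchResult);
  return result;
}

// Constructed scenario mirroring case (2): statics hold an earlier, unrelated match.
function demo(fixed) {
  const statics = { lastMatch: "ZZZ", input: "xxxZZZyyy" };
  const parts = splitNewlines("a\nb\nc", 1, statics, fixed);
  return { parts, lastMatch: statics.lastMatch, input: statics.input };
}

console.log("pre-fix:", demo(false));
console.log("fixed:  ", demo(true));
```

In the pre-fix ordering the statics still expose the earlier match after the split returns; without a limit both orderings record the final newline, which is why only the limit abort was affected.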
