[webkit-changes] [WebKit/WebKit] 036d2c: [YARR] Clear captures when backtracking out of Par...

Mon, 06 Apr 2026 18:29:57 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 036d2c0c8216c36906ac3d3d2a861442f64ed0ad
      
https://github.com/WebKit/WebKit/commit/036d2c0c8216c36906ac3d3d2a861442f64ed0ad
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-04-06 (Mon, 06 Apr 2026)

  Changed paths:
    A 
JSTests/stress/regexp-jit-negative-lookahead-clear-captures-on-backtrack.js
    A 
JSTests/stress/regexp-jit-paren-context-fixedcount-clear-captures-on-no-context-backtrack.js
    M Source/JavaScriptCore/yarr/YarrJIT.cpp

  Log Message:
  -----------
  [YARR] Clear captures when backtracking out of ParenContext FixedCount and 
negative lookahead in JIT
https://bugs.webkit.org/show_bug.cgi?id=311392

Reviewed by Yusuke Suzuki.

Two backtrack paths skipped the capture-clearing step their siblings
already perform, leaving stale captures from failed inner alternatives
visible to the surrounding pattern.

ParenContext FixedCount Begin backtrack (noContext path): when no
usable context remains, control falls through to propagate failure
without clearing inner subpatterns. The Simple FixedCount sibling
already clears them; mirror the loop here.
  /(?:(a+){2}|.)/.exec("ax") -> JIT ["a","a"], correct ["a",null]

ParentheticalAssertionBegin backtrack (inverted): when the inner
fails, the negative lookahead succeeds and jumps to End.reentry,
bypassing ParentheticalAssertionEnd's capture-clearing. Per spec,
captures inside a successful negative lookahead must be undefined.
  /(?!(a){2})./.exec("ab") -> JIT ["a","a"], correct ["a",null]

Tests: 
JSTests/stress/regexp-jit-negative-lookahead-clear-captures-on-backtrack.js
       
JSTests/stress/regexp-jit-paren-context-fixedcount-clear-captures-on-no-context-backtrack.js

* JSTests/stress/regexp-jit-negative-lookahead-clear-captures-on-backtrack.js: 
Added.
(shouldBe):
(i.shouldBe):
(i.m):
* 
JSTests/stress/regexp-jit-paren-context-fixedcount-clear-captures-on-no-context-backtrack.js:
 Added.
(shouldBe):
(i.shouldBe):
(i.m):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:

Canonical link: https://commits.webkit.org/310679@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to