[webkit-changes] [WebKit/WebKit] 8224c0: [JSC] Speculative fix for wrong MatchResult in Str...

Mon Aug 28 22:31:18 PDT 2023

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8224c0710a837e80650855d39fb722bec8e5e0e8
      https://github.com/WebKit/WebKit/commit/8224c0710a837e80650855d39fb722bec8e5e0e8
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-08-28 (Mon, 28 Aug 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/RegExpCachedResult.h
    M Source/JavaScriptCore/runtime/RegExpGlobalData.h
    M Source/JavaScriptCore/runtime/RegExpGlobalDataInlines.h
    M Source/JavaScriptCore/runtime/StringPrototype.cpp
    M Source/JavaScriptCore/runtime/StringReplaceCache.h
    M Source/JavaScriptCore/runtime/StringReplaceCacheInlines.h

  Log Message:
  -----------
  [JSC] Speculative fix for wrong MatchResult in StringReplaceCache
https://bugs.webkit.org/show_bug.cgi?id=260839
rdar://111910989

Reviewed by Mark Lam.

StringReplaceCache needs to setup RegExpCachedResult as if we do matching actually.
But it is wrongly setting MatchResult with the last failed matching. This is fine if
ovector is not updated in the last matching, but it is wrong if it gets updated even
in the failed RegExp matching. Failed to create such a test case, but anyway, there is no
guarantee not doing this. So, let's save and restore the actual RegExpCachedResult's MatchResult.

* Source/JavaScriptCore/runtime/RegExpCachedResult.h:
(JSC::RegExpCachedResult::result const):
* Source/JavaScriptCore/runtime/RegExpGlobalData.h:
* Source/JavaScriptCore/runtime/RegExpGlobalDataInlines.h:
(JSC::RegExpGlobalData::matchResult const):
(JSC::RegExpGlobalData::resetResultFromCache):
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearchWithCache):
* Source/JavaScriptCore/runtime/StringReplaceCache.h:
* Source/JavaScriptCore/runtime/StringReplaceCacheInlines.h:
(JSC::StringReplaceCache::set):

Canonical link: https://commits.webkit.org/267393@main