[webkit-changes] [WebKit/WebKit] 3713b5: [JSC] ASSERTION FAILED: term.quantityMinCount == 1...

Michael Saboff noreply at github.com
Tue May 30 16:19:03 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3713b5294002cff4f0149ec026265aea3a555556
      https://github.com/WebKit/WebKit/commit/3713b5294002cff4f0149ec026265aea3a555556
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    M JSTests/stress/regexp-vflag-property-of-strings.js
    M Source/JavaScriptCore/yarr/YarrErrorCode.cpp
    M Source/JavaScriptCore/yarr/YarrErrorCode.h
    M Source/JavaScriptCore/yarr/YarrParser.h
    M Source/JavaScriptCore/yarr/YarrPattern.cpp

  Log Message:
  -----------
  [JSC] ASSERTION FAILED: term.quantityMinCount == 1 && term.quantityMaxCount == 1 && term.quantityType == QuantifierType::FixedCount
https://bugs.webkit.org/show_bug.cgi?id=257432
rdar://109355826

Reviewed by Yusuke Suzuki.

This crash was due to not properly recognizing that the class set prior to the quantifier
was invalid due to inverted contents that contained strings.

Strengthened the "May Contain Strings" processing in accordance with the specification changes
for Class Sets.  Instead of trying to compute the error cases during parsing involving may
contain strings, that computation is now centralized in the new
ClassSetParserDelegate::computeMayContainStrings() method.  Now the various productions
feed their string-ness into the new method.  The error determination using the results of that
computation is done when a class set is closed, including nested sets.  Added a new Token Type,
SetDisjunctionMayContainStrings, for Set Disjunctions that contain strings.

While writing new tests, found that there was a bug with expressions like:
  /[[\q{abc|a}&&a}]/v
We were not handling the intersection where the RHS of the intersection doesn't include any
strings.

Also found and fixed spelling error in ClassStringDIsjunctionUnmatched.

Added several syntax and matching tests.

* JSTests/stress/regexp-vflag-property-of-strings.js:
* Source/JavaScriptCore/yarr/YarrErrorCode.cpp:
(JSC::Yarr::errorMessage):
(JSC::Yarr::errorToThrow):
* Source/JavaScriptCore/yarr/YarrErrorCode.h:
* Source/JavaScriptCore/yarr/YarrParser.h:
(JSC::Yarr::Parser::ClassSetParserDelegate::NestingState::NestingState):
(JSC::Yarr::Parser::ClassSetParserDelegate::ClassSetParserDelegate):
(JSC::Yarr::Parser::ClassSetParserDelegate::nestedClassBegin):
(JSC::Yarr::Parser::ClassSetParserDelegate::nestedClassEnd):
(JSC::Yarr::Parser::ClassSetParserDelegate::computeMayContainStrings):
(JSC::Yarr::Parser::ClassSetParserDelegate::atomBuiltInCharacterClass):
(JSC::Yarr::Parser::ClassSetParserDelegate::end):
(JSC::Yarr::Parser::ClassSetParserDelegate::isInverted):
(JSC::Yarr::Parser::ClassStringDisjunctionParserDelegate::ClassStringDisjunctionParserDelegate):
(JSC::Yarr::Parser::ClassStringDisjunctionParserDelegate::atomPatternCharacter):
(JSC::Yarr::Parser::ClassStringDisjunctionParserDelegate::mayContainStrings):
(JSC::Yarr::Parser::parseEscape):
(JSC::Yarr::Parser::parseClassSet):
(JSC::Yarr::Parser::parseClassStringDisjunction):
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::CharacterClassConstructor::putCharNonUnion):

Canonical link: https://commits.webkit.org/264704@main
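
The "May Contain Strings" rule the commit message refers to, sketched as an added example (not WebKit's code): it follows the ECMAScript MayContainStrings static semantics for `v`-flag class sets over a constructed AST and raises the error when a class, nested ones included, is closed. The node shapes and function names are assumptions made for this illustration.

```javascript
// Added illustration, not JavaScriptCore code. Hypothetical AST node shapes:
//   { kind: "char" }                              one code point or a range
//   { kind: "strings", alts: ["abc", "a"] }       \q{abc|a}
//   { kind: "property", ofStrings, negated }      \p{...} or \P{...}
//   { kind: "class", op, inverted, operands }     [...] or [^...]
// op is "union", "intersection" (&&) or "subtraction" (--).
function mayContainStrings(node) {
  switch (node.kind) {
    case "char":
      return false;
    case "strings":
      // True when any alternative is empty or longer than one code point.
      return node.alts.some((s) => [...s].length !== 1);
    case "property":
      if (node.negated && node.ofStrings)
        throw new SyntaxError("negated property of strings");
      return node.ofStrings;
    case "class": {
      // Operands are evaluated first, so nested classes are checked as they close.
      const flags = node.operands.map(mayContainStrings);
      let result;
      if (node.op === "union") result = flags.some(Boolean);
      else if (node.op === "intersection") result = flags.every(Boolean);
      else result = flags[0]; // subtraction: only the left operand counts
      if (node.inverted && result)
        throw new SyntaxError("inverted class set may contain strings");
      return node.inverted ? false : result;
    }
    default:
      throw new TypeError("unknown node kind: " + node.kind);
  }
}

// Returns true when the class set passes the check, false on the syntax error.
function isValidClassSet(node) {
  try { mayContainStrings(node); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Constructed sample inputs, keyed by the pattern text each AST stands for.
const q = (...alts) => ({ kind: "strings", alts });
const cls = (op, inverted, ...operands) => ({ kind: "class", op, inverted, operands });
const a = { kind: "char" };
const samples = {
  "[^\\q{abc}]": cls("union", true, q("abc")),
  "[^\\q{a|b}]": cls("union", true, q("a", "b")),
  "[^[\\q{abc|a}&&a]]": cls("union", true, cls("intersection", false, q("abc", "a"), a)),
  "[^[\\q{abc}--a]]": cls("union", true, cls("subtraction", false, q("abc"), a)),
  "[a[^\\q{abc}]]": cls("union", false, a, cls("union", true, q("abc"))),
};
for (const [src, ast] of Object.entries(samples))
  console.log(src.padEnd(20), isValidClassSet(ast) ? "ok" : "SyntaxError");
```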



