[webkit-changes] [WebKit/WebKit] c928bf: Crash in JavaScriptCore: JSC::Yarr::Interpreter<un...
Michael Saboff
noreply at github.com
Mon Aug 5 16:14:44 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c928bfc4f8173c9862197c957f66189bdc54bbf4
https://github.com/WebKit/WebKit/commit/c928bfc4f8173c9862197c957f66189bdc54bbf4
Author: Michael Saboff <msaboff at apple.com>
Date: 2024-08-05 (Mon, 05 Aug 2024)
Changed paths:
A JSTests/stress/regexp-backreference-backtrack-interpreter.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
Crash in JavaScriptCore: JSC::Yarr::Interpreter<unsigned char>::matchDisjunction()
rdar://115244009
https://bugs.webkit.org/show_bug.cgi?id=276154
Reviewed by Yusuke Suzuki.
When processing back references, if the referenced capture was empty then the back reference succeeds without comparing
the characters at the back reference atom with the captured characters. This was handled with early exits in the
function matchBackReference(), before setting match info like the start position, match size or match count. This
info is used when backtracking or when matching more in the case of a non-greedy quantified back reference.
The fix is to move the setting of the initial match information before we do any checks for an empty match or a match comparing
characters. Also added code to properly handle duplicate named capture groups in the function backtrackBackReference().
Added a new regression test.
* JSTests/stress/regexp-backreference-backtrack-interpreter.js: Added.
(arrayToString):
(objectToString):
(dumpValue):
(compareArray):
(compareGroups):
(testRegExp):
(testRegExpSyntaxError):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::matchBackReference):
(JSC::Yarr::Interpreter::backtrackBackReference):
Originally-landed-as: 51993233d76f. rdar://132960128
Canonical link: https://commits.webkit.org/281858@main
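The behaviour the commit message describes (a back reference to an empty or unmatched capture succeeds without consuming input, and a non-greedy quantified back reference must keep enough match state to "match more" or backtrack) is ordinary ECMAScript RegExp semantics, so it can be checked from script in any engine. The following is an added example, not the JSTests file from the commit and not WebKit code: the case table, the helper names (`matchArray`, `compareArray`, `runCases`) and the inputs are constructed here, and the expected arrays are what the ECMAScript specification requires. It mirrors the shape of a regression test (expected vs. actual comparison) and reports mismatches instead of crashing, which is how a defender would pin the semantics down after an engine fix like this one.

```javascript
// Added example: regression-style checks for back references whose
// referenced capture is empty or unmatched. Constructed cases; expected
// values follow the ECMAScript RegExp semantics, not any engine internals.

// Run a RegExp against input and return the match as a plain array
// (undefined groups preserved) or null when there is no match.
function matchArray(re, input) {
  const m = re.exec(input);
  return m ? Array.from(m) : null;
}

// Shallow array comparison that treats null as "no match" and keeps
// undefined (non-participating group) distinct from "" (empty capture).
function compareArray(a, b) {
  if (a === null || b === null) return a === b;
  if (a.length !== b.length) return false;
  return a.every((v, i) => v === b[i]);
}

// Constructed test table. Each entry states why it matters for the
// empty-capture / backtracking path of a back reference.
const cases = [
  // Capture matched the empty string: \1 succeeds at zero length.
  { re: /(x?)\1y/, input: "y", expected: ["y", ""] },
  // Capture never participated (undefined): \1 also succeeds at zero length.
  { re: /(?:(a)|b)\1c/, input: "bc", expected: ["bc", undefined] },
  // Non-greedy quantified back reference with an empty capture. The engine
  // must record the zero-length match so the continuation can be tried.
  { re: /(a?)\1+?b/, input: "b", expected: ["b", ""] },
  // Same shape with a named group and \k<name>.
  { re: /(?<g>a?)\k<g>+?b/, input: "b", expected: ["b", ""], groups: { g: "" } },
  // Backtracking into the capture changes the back reference's length:
  // (a*) first takes "aa", \1+? cannot find a second "aa", so the engine
  // backtracks to (a*)="a" and \1+? matches the second "a".
  { re: /(a*)\1+?b/, input: "aab", expected: ["aab", "a"] },
  // Case-insensitive comparison of the captured characters.
  { re: /(a*)\1+?b/i, input: "AaB", expected: ["AaB", "A"] },
  // Must terminate with no match: the empty-iteration rule stops \1+? from
  // looping on a zero-length capture once the continuation fails.
  { re: /(a?)\1+?c/, input: "ab", expected: null },
];

// Execute every case; return the list of mismatches (empty when all pass).
function runCases() {
  const failures = [];
  for (const c of cases) {
    const m = c.re.exec(c.input);
    const actual = m ? Array.from(m) : null;
    if (!compareArray(actual, c.expected)) {
      failures.push({ re: String(c.re), input: c.input, actual, expected: c.expected });
      continue;
    }
    if (c.groups) {
      // Named groups: compare each expected name/value pair.
      const got = (m && m.groups) || {};
      for (const [name, value] of Object.entries(c.groups)) {
        if (got[name] !== value) {
          failures.push({ re: String(c.re), input: c.input, group: name, actual: got[name], expected: value });
        }
      }
    }
  }
  return failures;
}

// Stand-alone usage: print a summary when run directly.
if (typeof require !== "undefined" && require.main === module) {
  const failures = runCases();
  console.log(failures.length === 0 ? "all cases passed" : JSON.stringify(failures, null, 2));
}
```

Duplicate named capture groups (the second part of the fix, in backtrackBackReference()) are deliberately not in the table, because that syntax is only accepted by newer engines and an older runtime would throw at pattern-compile time rather than report a semantic mismatch.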