[webkit-changes] [WebKit/WebKit] 8802ee: SEGV YarrJIT.h:350:28 (275528)

Michael Saboff noreply at github.com
Mon Jul 1 19:14:55 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8802eec90fd42545b18c5008dd3733cae9092499
      https://github.com/WebKit/WebKit/commit/8802eec90fd42545b18c5008dd3733cae9092499
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2024-07-01 (Mon, 01 Jul 2024)

  Changed paths:
    A JSTests/stress/regexp-backreference-dangling-surrogate.js
    M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
    M Source/JavaScriptCore/yarr/YarrJIT.cpp

  Log Message:
  -----------
  SEGV YarrJIT.h:350:28 (275528)
https://bugs.webkit.org/show_bug.cgi?id=275528
rdar://129910892

Reviewed by Yusuke Suzuki.

When we read a dangling surrogate, it reads as the sentinel -1.  This sentinel value should always fail to match
anything.  When processing a backreference in an ignore case RegExp compiled for 16-bit strings, we case fold by
calling out to the function areCanonicallyEquivalent(), passing a character from the referenced capture and the
corresponding character in the backreference atom.  We were not checking the case where either character was the
-1 sentinel for a dangling surrogate.  Added these checks in both the interpreter and JIT code.  Found and fixed
a bug in the JIT code where we increment the character pointers for non-BMP characters.  We were reusing the
result register from the areCanonicallyEquivalent() result to see if we read a non-BMP.  Fixed this to use the
other character argument, that is in a callee saved register.

Added a new regression test.

* JSTests/stress/regexp-backreference-dangling-surrogate.js: Added.
(arrayToString):
(objectToString):
(dumpValue):
(compareArray):
(compareGroups):
(testRegExp):
(testRegExpSyntaxError):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::reread):
(JSC::Yarr::Interpreter::tryConsumeBackReference):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
(JSC::Yarr::areCanonicallyEquivalentThunkGenerator):

Canonical link: https://commits.webkit.org/280563@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list