[webkit-changes] [WebKit/WebKit] 424c8d: Prevent Yarr::Interpreter's evaluation stack from ...

Commit Queue noreply at github.com
Mon Feb 10 21:08:09 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 424c8d8832690078419ba0586eb81416d7f16f9d
      https://github.com/WebKit/WebKit/commit/424c8d8832690078419ba0586eb81416d7f16f9d
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2025-02-10 (Mon, 10 Feb 2025)

  Changed paths:
    M JSTests/stress/regexp-huge-oom.js
    M Source/JavaScriptCore/runtime/OptionsList.h
    M Source/JavaScriptCore/yarr/YarrErrorCode.cpp
    M Source/JavaScriptCore/yarr/YarrErrorCode.h
    M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
    M Source/JavaScriptCore/yarr/YarrInterpreter.h
    M Source/WTF/wtf/BumpPointerAllocator.h
    M Tools/TestWebKitAPI/Tests/WTF/BumpPointerAllocator.cpp

  Log Message:
  -----------
  Prevent Yarr::Interpreter's evaluation stack from growing unboundedly.
https://bugs.webkit.org/show_bug.cgi?id=287074
rdar://143786123

Reviewed by Keith Miller and Michael Saboff.

Currently, Yarr::Interpreter's evaluation stack (see BytecodePattern::m_allocator) is allowed
to grow unboundedly until we exhaust all memory.  We should bound it instead to a max capacity
limit.

1. The evaluation stack uses the BumpPointerAllocator class.  We enhanced BumpPointerAllocator's
   startAllocator() to take a maxCapacity value.  This maxCapacity value is used internally
   to compute a remainingCapacity value.

   The BumpPointerAllocator works by creating a link list of BumpPointerPools.  Each BumpPointerPool
   will now track the remainingCapacity should it needs to allocate the next BumpPointerPool in
   the link.  The size of the current BumpPointerPool will be deducted from remainingCapacity.
   When requested growth exceeds the remainingCapacity, BumpPointerPool::create() will fail to
   create another pool.

2. Introduced JSC::Options::maxRegExpStackSize() to define the max capacity.  The current default
   for this option value is 4M.

3. Yarr::interpret() has always returned offsetNoMatch if any errors occur during evaluation.
   When we encounter this new error condition where we've exhausted the evaluation stack, we'll
   do the same thing.

4. Fixed a potential memory leak in freeParenthesesDisjunctionContext().  It was freeing the
   ParenthesesDisjunctionContext memory without calling its destructor.  This used to be fine
   because ParenthesesDisjunctionContext used to be trivially destructible.  That is no longer
   the case since a BitVector field got added into it.  Hence, we fixed
   freeParenthesesDisjunctionContext() to also call ~ParenthesesDisjunctionContext() before
   we dealloc its memory.

5. Also removed 2 unused variants of the Yarr::interpret() method.

* JSTests/stress/regexp-huge-oom.js:
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/JavaScriptCore/yarr/YarrErrorCode.cpp:
(JSC::Yarr::errorMessage):
* Source/JavaScriptCore/yarr/YarrErrorCode.h:
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::allocDisjunctionContext):
(JSC::Yarr::Interpreter::freeDisjunctionContext):
(JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
(JSC::Yarr::Interpreter::freeParenthesesDisjunctionContext):
(JSC::Yarr::Interpreter::matchParentheses):
(JSC::Yarr::Interpreter::backtrackParentheses):
(JSC::Yarr::interpret):
* Source/JavaScriptCore/yarr/YarrInterpreter.h:
* Source/WTF/wtf/BumpPointerAllocator.h:
(WTF::BumpPointerPool::BumpPointerPool):
(WTF::BumpPointerPool::create):
(WTF::BumpPointerPool::ensureCapacityCrossPool):
(WTF::BumpPointerAllocator::startAllocator):
* Tools/TestWebKitAPI/Tests/WTF/BumpPointerAllocator.cpp:
(TestWebKitAPI::TEST(WTF_BumpPointerAllocator, AllocationWithOnlySmallerPoolsAvailable)):

Canonical link: https://commits.webkit.org/290198@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list