[webkit-reviews] review granted: [Bug 180538] YARR: JIT RegExps with greedy parenthesized sub patterns : [Attachment 328782] Fixed test failure.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 8 10:08:32 PST 2017 

JF Bastien <jfbastien at apple.com> has granted Michael Saboff
<msaboff at apple.com>'s request for review:
Bug 180538: YARR: JIT RegExps with greedy parenthesized sub patterns
https://bugs.webkit.org/show_bug.cgi?id=180538

Attachment 328782: Fixed test failure.

https://bugs.webkit.org/attachment.cgi?id=328782&action=review




--- Comment #6 from JF Bastien <jfbastien at apple.com> ---
Comment on attachment 328782
  --> https://bugs.webkit.org/attachment.cgi?id=328782
Fixed test failure.

View in context: https://bugs.webkit.org/attachment.cgi?id=328782&action=review

r=me

> Source/JavaScriptCore/testRegExp.cpp:438
> +	   const char* regexpError;

Seems less error-prone to set to nullptr here, instead of in parseRegExpLine.

> Source/JavaScriptCore/yarr/YarrJIT.cpp:187
> +	       return sizeof(ParenContext) + sizeof(Subpatterns) *
parenContextSizes.numSubpatterns() + sizeof(uintptr_t) *
parenContextSizes.frameSlots();

Do we cap these enough so that they can't overflow? We deal with 32-bit values
above, so even if this is size_t (because of sizeof) I can't convince myself we
can't overflow.

> Source/JavaScriptCore/yarr/YarrJIT.cpp:263
> +	       for (unsigned subpattern = firstSubpattern; subpattern <=
lastSubpattern; subpattern++) {

subpattern <= lastSubpattern range seems odd! I guess it's correct since it's
used below as well?

> Source/JavaScriptCore/yarr/YarrJIT.cpp:283
> +	       for (unsigned subpattern = firstSubpattern; subpattern <=
lastSubpattern; subpattern++) {

(here)

> Source/JavaScriptCore/yarr/YarrJIT.cpp:289
> +	   for (unsigned frameLocation = subpatternBaseFrameLocation;
frameLocation < m_parenContextSizes.frameSlots(); frameLocation++) {

Versus closed range here :-)

> Source/JavaScriptCore/yarr/YarrJIT.cpp:2218
> +		   ASSERT_NOT_REACHED();

RELEASE_ ?

> Source/JavaScriptCore/yarr/YarrJIT.cpp:2276
> +		   ASSERT_NOT_REACHED();

RELEASE_ ?

> Source/JavaScriptCore/yarr/YarrJIT.cpp:3421
> +	       move(TrustedImm32(1000000), remainingMatchCount);

matchLimit from Yarr.h instead?

> Source/JavaScriptCore/yarr/YarrJIT.h:43
> +const size_t patternContextBufferSize = 8192; // Space caller allocates to
save nested parenthesis context

I would make this constexpr so it clearly doesn't change, since you use it in a
variable-sized array.

More information about the webkit-reviews mailing list