[webkit-reviews] review granted: [Bug 195613] REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes : [Attachment 364481] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 12 17:52:45 PDT 2019


Mark Lam <mark.lam at apple.com> has granted Michael Saboff <msaboff at apple.com>'s
request for review:
Bug 195613: REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
https://bugs.webkit.org/show_bug.cgi?id=195613

Attachment 364481: Patch

https://bugs.webkit.org/attachment.cgi?id=364481&action=review




--- Comment #5 from Mark Lam <mark.lam at apple.com> ---
Comment on attachment 364481
  --> https://bugs.webkit.org/attachment.cgi?id=364481
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=364481&action=review

r=me.

> Source/JavaScriptCore/ChangeLog:11
> +	   The bug here is in Yarr JIT backreference matching code.  We are
incorrectly
> +	   using a checkedOffset correction when checking for length left in a
string.
> +	   In some cases, this allows us to go past the subject string's
length.
> +	   Removed these adjustments.
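Review bot: The ChangeLog text at lines 11-14 says "In some cases" and "Removed these adjustments" without naming the conditions or the value that was being adjusted, so a reader cannot tell from the entry which length check was wrong. Suggest stating what was adjusted before the remaining-length check and under what circumstances the check then passed, since the stated effect is going past the subject string's length.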

This could be misread as the use of checkedOffset being the issue.  The actual
issue here is that we're adjusting patternTemp at all (which incidentally
involves checkedOffset in the adjustment computation).  Can you reword this to
be a bit clearer?  Thanks.

