[Webkit-unassigned] [Bug 147023] New: RegExp::match() should set m_state to ByteCode if compilation fails.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 16 16:02:00 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=147023

            Bug ID: 147023
           Summary: RegExp::match() should set m_state to ByteCode if
                    compilation fails.
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.  If one of these compilations succeeds, RegExp::m_state will be set to JITCode.  Subsequently, if RegExp tries to compile another one of these but fails, m_state will be left untouched, i.e., it still says JITCode.  As a result, when RegExp::match() later tries to execute the non-existent compiled code, it will crash.  The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.

This failure should be rare.  We'll do the minimal work here to fix the issue and keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.

-- 
You are receiving this mail because:
You are the assignee for the bug.
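The following is an added illustration of the state-tracking defect described in the report, not code from WebKit or from the reporter. It is a deliberately simplified model: the class and enum names (RegExpModel, CodeKind, JitBackend), the four code kinds, the toy "interpreter" that treats the pattern as a literal substring, and the kWouldCrash sentinel are all assumptions standing in for JavaScriptCore's real RegExp, YarrCodeBlock and MacroAssemblerCodeRef. The `withFix` flag switches between leaving m_state untouched on a failed compilation (the crash path) and downgrading it to ByteCode.

```cpp
#include <cstddef>
#include <string>
#include <utility>

// Hypothetical model of RegExp::m_state as described in the bug report.
enum class RegExpState { NotCompiled, ByteCode, JITCode };

// The real YarrCodeBlock holds four MacroAssemblerCodeRefs; these kind names are assumed.
enum class CodeKind { Match8 = 0, Match16 = 1, MatchOnly8 = 2, MatchOnly16 = 3 };

constexpr int kWouldCrash = -2;  // sentinel: match() reached the "execute a missing code ref" path
constexpr int kNoMatch = -1;

struct JitBackend {
    bool canCompile[4];  // constructed flags: which code kinds the simulated JIT can produce
};

class RegExpModel {
public:
    RegExpModel(std::string pattern, const JitBackend& jit, bool downgradeOnFailure)
        : m_pattern(std::move(pattern)), m_jit(jit), m_downgradeOnFailure(downgradeOnFailure) {}

    RegExpState state() const { return m_state; }

    void compile(CodeKind kind) {
        if (m_jit.canCompile[static_cast<int>(kind)]) {
            m_hasCode[static_cast<int>(kind)] = true;
            m_state = RegExpState::JITCode;  // one successful compilation flips the state
            return;
        }
        // JIT compilation failed for this kind.
        if (m_state == RegExpState::NotCompiled || m_downgradeOnFailure)
            m_state = RegExpState::ByteCode;  // the fix: always fall back to the interpreter
        // Without the fix, an earlier success leaves m_state at JITCode even though
        // this kind has no compiled code.
    }

    int match(CodeKind kind, const std::string& subject) const {
        if (m_state == RegExpState::JITCode) {
            if (!m_hasCode[static_cast<int>(kind)])
                return kWouldCrash;  // the real code would jump through a null code ref here
            return interpret(subject);  // simulated JIT path: same answer as the interpreter
        }
        return interpret(subject);  // ByteCode path
    }

private:
    // Toy "bytecode interpreter": the pattern is treated as a literal substring.
    int interpret(const std::string& subject) const {
        std::size_t pos = subject.find(m_pattern);
        return pos == std::string::npos ? kNoMatch : static_cast<int>(pos);
    }

    std::string m_pattern;
    JitBackend m_jit;
    bool m_downgradeOnFailure;
    RegExpState m_state = RegExpState::NotCompiled;
    bool m_hasCode[4] = {false, false, false, false};
};

// Replays the sequence from the report: one kind compiles, a second kind fails,
// then match() is asked for the second kind. Returns match()'s result.
int runScenario(bool withFix) {
    JitBackend jit{{true, false, false, false}};  // constructed: only Match8 compiles
    RegExpModel re("ca", jit, withFix);
    re.compile(CodeKind::Match8);   // succeeds -> JITCode
    re.compile(CodeKind::Match16);  // fails
    return re.match(CodeKind::Match16, "abcabc");
}

// Same sequence, reporting the resulting m_state instead of the match result.
RegExpState stateAfterScenario(bool withFix) {
    JitBackend jit{{true, false, false, false}};
    RegExpModel re("ca", jit, withFix);
    re.compile(CodeKind::Match8);
    re.compile(CodeKind::Match16);
    return re.state();
}
```

Note that the downgrade means the RegExp stops using the code that did compile successfully, which is the perf cost the report says it will watch on the bots; a later optimization could track compiled-code availability per kind instead of with a single state.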