<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_ASSIGNED "

   title="ASSIGNED - YARR uses mixture of int and unsigned values to index into subject string"

   href="https://bugs.webkit.org/show_bug.cgi?id=159744">159744</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>YARR uses mixture of int and unsigned values to index into subject string

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>Other

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>ASSIGNED

          </td>

        </tr>

        <tr>

          <th>Keywords</th>

          <td>InRadar

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>JavaScriptCore

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>msaboff&#64;apple.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Both the YARR interpreter and the JIT use a mixture of unsigned and int offsets when referencing or generating code to reference subject strings.  Usually this works out due to 2's complement math, however there have been bugs reported where we underflow / overflow counts, reference out of bounds memory, or trying to generate code to do the same.

Instead we should make the YARR code &quot;unsigned&quot; clean for all references to subject strings.

This bug is in response to two radars:

    &lt;rdar://problem/27084358&gt; ASSERTION FAILED: (&amp;term - term.atom.parenthesesWidth)-&gt;inputPosition == term.inputPosition

    &lt;rdar://problem/27171689&gt; REGRESSION (r197869): CrashOnOverflow in JSC::Yarr::YarrGenerator&lt;(JSC::Yarr::YarrJITCompileMode)1&gt;::generateCharacterClassFixed

The first is an issue in the YARR interpreter and the second in the YARR JIT.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>