Title: [186949] branches/safari-601.1-branch/Source/JavaScriptCore
- Revision: 186949
- Author: matthew_han...@apple.com
- Date: 2015-07-16 23:15:38 -0700 (Thu, 16 Jul 2015)
Log Message
Merge r186920. rdar://problem/21764196
Modified Paths
- branches/safari-601.1-branch/Source/_javascript_Core/ChangeLog
- branches/safari-601.1-branch/Source/_javascript_Core/runtime/RegExp.cpp
Diff
Modified: branches/safari-601.1-branch/Source/_javascript_Core/ChangeLog (186948 => 186949)
--- branches/safari-601.1-branch/Source/_javascript_Core/ChangeLog 2015-07-17 06:15:36 UTC (rev 186948)
+++ branches/safari-601.1-branch/Source/_javascript_Core/ChangeLog 2015-07-17 06:15:38 UTC (rev 186949)
@@ -1,3 +1,35 @@
+2015-07-16 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r186920. rdar://problem/21764196
+
+ 2015-07-16 Mark Lam <mark....@apple.com>
+
+ RegExp::match() should set m_state to ByteCode if compilation fails.
+ https://bugs.webkit.org/show_bug.cgi?id=147023
+
+ Reviewed by Michael Saboff.
+
+ A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
+ If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
+ Subsequently, if RegExp tries to compile another one of these but fails, m_state
+ will be left untouched i.e. it still says JITCode. As a result, when
+ RegExp::match() later tries to execute the non-existant compiled code, it will
+ crash.
+
+ The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
+ This failure should be rare. We'll do the minimal work here to fix the issue and
+ keep an eye on the perf bots. If perf regresses, we can do some optimization work then.
+
+ This issue is difficult to test for since it either requires a low memory condition
+ to trigger a failed RegExp compilation at the right moment, or for the RegExp to
+ succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
+ Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
+ 10 compilation attempts.
+
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::compile):
+ (JSC::RegExp::compileMatchOnly):
+
2015-07-15 Lucas Forschler <lforsch...@apple.com>
Merge r186826
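Review bot: spelling in the description, "non-existant compiled code" should read "non-existent". The entry also describes the change purely as the m_state downgrade, but the RegExp.cpp hunks below additionally delete the `#if ENABLE(YARR_JIT_DEBUG)` branches, whose only difference from the normal path was not returning early after a successful JIT compile; a sentence saying that the debug configuration is intentionally folded into the normal one would save the next reader from wondering whether it was dropped by accident. Finally, the testing paragraph says the fix was verified only by temporarily instrumenting RegExp::compile() to fail one in ten attempts; consider keeping that instrumentation behind a testing option so the ByteCode fallback path remains exercisable instead of relying on a low-memory condition nobody reproduces.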
Modified: branches/safari-601.1-branch/Source/_javascript_Core/runtime/RegExp.cpp (186948 => 186949)
--- branches/safari-601.1-branch/Source/_javascript_Core/runtime/RegExp.cpp 2015-07-17 06:15:36 UTC (rev 186948)
+++ branches/safari-601.1-branch/Source/_javascript_Core/runtime/RegExp.cpp 2015-07-17 06:15:38 UTC (rev 186949)
@@ -289,22 +289,16 @@
#if ENABLE(YARR_JIT)
if (!pattern.m_containsBackreferences && !pattern.containsUnsignedLengthPattern() && vm->canUseRegExpJIT()) {
Yarr::jitCompile(pattern, charSize, vm, m_regExpJITCode);
-#if ENABLE(YARR_JIT_DEBUG)
- if (!m_regExpJITCode.isFallBack())
- m_state = JITCode;
- else
- m_state = ByteCode;
-#else
if (!m_regExpJITCode.isFallBack()) {
m_state = JITCode;
return;
}
-#endif
}
#else
UNUSED_PARAM(charSize);
#endif
+ m_state = ByteCode;
m_regExpBytecode = Yarr::byteCompile(pattern, &vm->m_regExpAllocator);
}
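Review bot: the new `m_state = ByteCode;` is assigned before `m_regExpBytecode = Yarr::byteCompile(pattern, &vm->m_regExpAllocator);`, so after this function returns the state promises usable bytecode that byteCompile has to have produced; if byteCompile can itself fail under the same low-memory condition the ChangeLog cites, the crash only moves from the JIT path to the bytecode path, so either confirm byteCompile cannot return an empty block or have RegExp::match() check m_regExpBytecode before executing it. Separately, the removed `#if ENABLE(YARR_JIT_DEBUG)` variant set m_state but deliberately fell through to byteCompile even when JIT succeeded, whereas the surviving code does `return;` on success, so debug builds lose the "both forms compiled" behaviour; if that cross-check was the reason the branch existed, keep the fallthrough there rather than deleting it.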
@@ -414,22 +408,16 @@
#if ENABLE(YARR_JIT)
if (!pattern.m_containsBackreferences && !pattern.containsUnsignedLengthPattern() && vm->canUseRegExpJIT()) {
Yarr::jitCompile(pattern, charSize, vm, m_regExpJITCode, Yarr::MatchOnly);
-#if ENABLE(YARR_JIT_DEBUG)
- if (!m_regExpJITCode.isFallBack())
- m_state = JITCode;
- else
- m_state = ByteCode;
-#else
if (!m_regExpJITCode.isFallBack()) {
m_state = JITCode;
return;
}
-#endif
}
#else
UNUSED_PARAM(charSize);
#endif
+ m_state = ByteCode;
m_regExpBytecode = Yarr::byteCompile(pattern, &vm->m_regExpAllocator);
}
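Review bot: this hunk duplicates the one in compile() line for line except for the `Yarr::MatchOnly` argument to `Yarr::jitCompile`, and the missing ByteCode downgrade had to be fixed in both places; factoring the JIT-attempt-then-bytecode-fallback into one helper that takes the mode would keep the m_state transition from drifting between compile() and compileMatchOnly() again. Note also that both functions share the single m_state but populate different code refs in m_regExpJITCode, so after a successful MatchOnly JIT followed by a failed full compile the object is correctly in ByteCode yet still holds the stale MatchOnly JIT code; that is fine only if RegExp::match() dispatches on m_state and never on whether a code ref happens to be present, which is worth confirming since that is exactly the mismatch that crashed here.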
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes