Modified: branches/safari-601.1.46-branch/LayoutTests/ChangeLog (191461 => 191462)
--- branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2015-10-22 18:36:09 UTC (rev 191461)
+++ branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2015-10-22 18:36:16 UTC (rev 191462)
@@ -1,5 +1,20 @@
2015-10-20 Matthew Hanson <matthew_han...@apple.com>
+ Merge r191364. rdar://problem/22864960
+
+ 2015-10-20 Mark Lam <mark....@apple.com>
+
+ YarrPatternConstructor::containsCapturingTerms() should not assume that its terms.size() is greater than 0.
+ https://bugs.webkit.org/show_bug.cgi?id=150372
+
+ Reviewed by Geoffrey Garen.
+
+ * js/regress-150372-expected.txt: Added.
+ * js/regress-150372.html: Added.
+ * js/script-tests/regress-150372.js: Added.
+
+2015-10-20 Matthew Hanson <matthew_han...@apple.com>
+
Merge r191063. rdar://problem/22900764
2015-10-14 Alex Christensen <achristen...@webkit.org>
Added: branches/safari-601.1.46-branch/LayoutTests/js/regress-150372-expected.txt (0 => 191462)
--- branches/safari-601.1.46-branch/LayoutTests/js/regress-150372-expected.txt (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/js/regress-150372-expected.txt 2015-10-22 18:36:16 UTC (rev 191462)
@@ -0,0 +1,10 @@
+Regression test for https://bugs.webkit.org/show_bug.cgi?id=150372.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Did not crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-601.1.46-branch/LayoutTests/js/regress-150372.html (0 => 191462)
--- branches/safari-601.1.46-branch/LayoutTests/js/regress-150372.html (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/js/regress-150372.html 2015-10-22 18:36:16 UTC (rev 191462)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
\ No newline at end of file
Added: branches/safari-601.1.46-branch/LayoutTests/js/script-tests/regress-150372.js (0 => 191462)
--- branches/safari-601.1.46-branch/LayoutTests/js/script-tests/regress-150372.js (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/js/script-tests/regress-150372.js 2015-10-22 18:36:16 UTC (rev 191462)
@@ -0,0 +1,7 @@
+description("Regression test for https://bugs.webkit.org/show_bug.cgi?id=150372.");
+
+// This test should not crash.
+var re = /.*(?:(?:(?:(?:(?:(?:)))))).*/;
+re.exec("hello");
+
+testPassed("Did not crash.");
Modified: branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog (191461 => 191462)
--- branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog 2015-10-22 18:36:09 UTC (rev 191461)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog 2015-10-22 18:36:16 UTC (rev 191462)
@@ -1,3 +1,20 @@
+2015-10-20 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r191364. rdar://problem/22864960
+
+ 2015-10-20 Mark Lam <mark....@apple.com>
+
+ YarrPatternConstructor::containsCapturingTerms() should not assume that its terms.size() is greater than 0.
+ https://bugs.webkit.org/show_bug.cgi?id=150372
+
+ Reviewed by Geoffrey Garen.
+
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
+ (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
+ (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
+ (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
+
2015-10-08 Matthew Hanson <matthew_han...@apple.com>
Merge r189834. rdar://problem/22807373
Modified: branches/safari-601.1.46-branch/Source/_javascript_Core/yarr/YarrPattern.cpp (191461 => 191462)
--- branches/safari-601.1.46-branch/Source/_javascript_Core/yarr/YarrPattern.cpp 2015-10-22 18:36:09 UTC (rev 191461)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/yarr/YarrPattern.cpp 2015-10-22 18:36:16 UTC (rev 191462)
@@ -739,11 +739,12 @@
}
}
- bool containsCapturingTerms(PatternAlternative* alternative, size_t firstTermIndex, size_t lastTermIndex)
+ bool containsCapturingTerms(PatternAlternative* alternative, size_t firstTermIndex, size_t endIndex)
{
Vector<PatternTerm>& terms = alternative->m_terms;
- for (size_t termIndex = firstTermIndex; termIndex <= lastTermIndex; ++termIndex) {
+ ASSERT(endIndex <= terms.size());
+ for (size_t termIndex = firstTermIndex; termIndex < endIndex; ++termIndex) {
PatternTerm& term = terms[termIndex];
if (term.m_capture)
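Review bot: The renamed `endIndex` parameter on containsCapturingTerms is now exclusive, but nothing at the declaration says so, and both the recursive call in the next hunk (which passes `m_terms.size()`) and the caller in optimizeDotStarWrappedExpressions depend on that convention; a comment above the signature would keep the next maintainer from reintroducing the inclusive `size() - 1` form that underflowed on an empty alternative, e.g. `// endIndex is exclusive: scans terms[firstTermIndex, endIndex); passing terms.size() is valid even when the alternative has no terms.` The added `ASSERT(endIndex <= terms.size())` is compiled out in release builds, so an out-of-range `endIndex` would still reach `terms[termIndex]` there; whether WTF::Vector's `operator[]` bounds-checks in release depends on the build's ASSERT_WITH_SECURITY_IMPLICATION configuration, which is worth confirming rather than assuming. The body of containsCapturingTerms continues past this hunk.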
@@ -752,7 +753,7 @@
if (term.type == PatternTerm::TypeParenthesesSubpattern) {
PatternDisjunction* nestedDisjunction = term.parentheses.disjunction;
for (unsigned alt = 0; alt < nestedDisjunction->m_alternatives.size(); ++alt) {
- if (containsCapturingTerms(nestedDisjunction->m_alternatives[alt].get(), 0, nestedDisjunction->m_alternatives[alt]->m_terms.size() - 1))
+ if (containsCapturingTerms(nestedDisjunction->m_alternatives[alt].get(), 0, nestedDisjunction->m_alternatives[alt]->m_terms.size()))
return true;
}
}
@@ -777,7 +778,7 @@
if (terms.size() >= 3) {
bool startsWithBOL = false;
bool endsWithEOL = false;
- size_t termIndex, firstExpressionTerm, lastExpressionTerm;
+ size_t termIndex, firstExpressionTerm;
termIndex = 0;
if (terms[termIndex].type == PatternTerm::TypeAssertionBOL) {
@@ -800,14 +801,13 @@
PatternTerm& lastNonAnchorTerm = terms[termIndex];
if ((lastNonAnchorTerm.type != PatternTerm::TypeCharacterClass) || (lastNonAnchorTerm.characterClass != m_pattern.newlineCharacterClass()) || (lastNonAnchorTerm.quantityType != QuantifierGreedy))
return;
-
- lastExpressionTerm = termIndex - 1;
- if (firstExpressionTerm > lastExpressionTerm)
+ size_t endIndex = termIndex;
+ if (firstExpressionTerm >= endIndex)
return;
- if (!containsCapturingTerms(alternative, firstExpressionTerm, lastExpressionTerm)) {
- for (termIndex = terms.size() - 1; termIndex > lastExpressionTerm; --termIndex)
+ if (!containsCapturingTerms(alternative, firstExpressionTerm, endIndex)) {
+ for (termIndex = terms.size() - 1; termIndex >= endIndex; --termIndex)
terms.remove(termIndex);
for (termIndex = firstExpressionTerm; termIndex > 0; --termIndex)