Title: [273371] trunk
- Revision
- 273371
- Author
- msab...@apple.com
- Date
- 2021-02-23 21:00:30 -0800 (Tue, 23 Feb 2021)
Log Message
[YARR JIT] Crash on overflow when compiling /(a{1000000000}b{1000000000}|c{1000000000}|)d{1000000000}e{1000000000}/.test();
https://bugs.webkit.org/show_bug.cgi?id=220130
Reviewed by Yusuke Suzuki.
JSTests:
Modified the original fuzzer test to go 2^32-1.
* stress/regexp-backtrack-offset-overflow.js: Added.
Source/_javascript_Core:
Changed code to subtract out the offset of a current op before adding the offset
of the prior op when backtracking to avoid overflowing checked arithmetic.
It looks like the code had this wrong for some time.
* yarr/YarrJIT.cpp:
Modified Paths
- trunk/JSTests/ChangeLog
- trunk/Source/_javascript_Core/ChangeLog
- trunk/Source/_javascript_Core/yarr/YarrJIT.cpp
Added Paths
- trunk/JSTests/stress/regexp-backtrack-offset-overflow.js
Diff
Modified: trunk/JSTests/ChangeLog (273370 => 273371)
--- trunk/JSTests/ChangeLog 2021-02-24 04:03:18 UTC (rev 273370)
+++ trunk/JSTests/ChangeLog 2021-02-24 05:00:30 UTC (rev 273371)
@@ -1,3 +1,14 @@
+2021-02-23 Michael Saboff <msab...@apple.com>
+
+ [YARR JIT] Crash on overflow when compiling /(a{1000000000}b{1000000000}|c{1000000000}|)d{1000000000}e{1000000000}/.test();
+ https://bugs.webkit.org/show_bug.cgi?id=220130
+
+ Reviewed by Yusuke Suzuki.
+
+ Modified the original fuzzer test to go 2^32-1.
+
+ * stress/regexp-backtrack-offset-overflow.js: Added.
+
2021-02-21 Keith Miller <keith_mil...@apple.com>
Implement the Top-level await proposal
Added: trunk/JSTests/stress/regexp-backtrack-offset-overflow.js (0 => 273371)
--- trunk/JSTests/stress/regexp-backtrack-offset-overflow.js (rev 0)
+++ trunk/JSTests/stress/regexp-backtrack-offset-overflow.js 2021-02-24 05:00:30 UTC (rev 273371)
@@ -0,0 +1,3 @@
+//@ runDefault
+
+/(a{1000000000}b{1000000000}|c{1000000000}|)d{1094967295}e{1000000000}/.test("abc");
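Review bot: the test pattern uses `d{1094967295}` while the bug title and both ChangeLog entries quote `d{1000000000}`, and nothing in the file records why that particular count was chosen beyond the ChangeLog's "go 2^32-1"; a one-line comment above the regexp explaining that the quantifier counts were picked to push the checked backtrack offset to the 2^32-1 boundary would keep that intent from being lost if the numbers are ever retuned. Also note that the file contains no assertion at all, so it passes purely on not crashing during compilation of the regexp, which is the intended check here but is worth stating in the comment as well.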
Modified: trunk/Source/_javascript_Core/ChangeLog (273370 => 273371)
--- trunk/Source/_javascript_Core/ChangeLog 2021-02-24 04:03:18 UTC (rev 273370)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-02-24 05:00:30 UTC (rev 273371)
@@ -1,3 +1,16 @@
+2021-02-23 Michael Saboff <msab...@apple.com>
+
+ [YARR JIT] Crash on overflow when compiling /(a{1000000000}b{1000000000}|c{1000000000}|)d{1000000000}e{1000000000}/.test();
+ https://bugs.webkit.org/show_bug.cgi?id=220130
+
+ Reviewed by Yusuke Suzuki.
+
+ Changed code to subtract out the offset of a current op before adding the offset
+ of the prior op when backtracking to avoid overflowing checked arithmetic.
+ It looks like the code had this wrong for some time.
+
+ * yarr/YarrJIT.cpp:
+
2021-02-22 Don Olmstead <don.olmst...@sony.com>
Non-unified build fixes late February 2021 edition
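Review bot: the entry lists `* yarr/YarrJIT.cpp:` with no per-function lines, which WebKit ChangeLogs normally carry; please name the backtracking cases touched (the `OpBodyAlternativeNext` case and the nested-alternative end case that precedes `OpSimpleNestedAlternativeEnd`) so the two reordered `m_checkedOffset` updates can be found from the log alone.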
Modified: trunk/Source/_javascript_Core/yarr/YarrJIT.cpp (273370 => 273371)
--- trunk/Source/_javascript_Core/yarr/YarrJIT.cpp 2021-02-24 04:03:18 UTC (rev 273370)
+++ trunk/Source/_javascript_Core/yarr/YarrJIT.cpp 2021-02-24 05:00:30 UTC (rev 273371)
@@ -2795,11 +2795,11 @@
case OpBodyAlternativeNext: {
PatternAlternative* alternative = op.m_alternative;
+ m_checkedOffset -= alternative->m_minimumSize;
if (op.m_op == OpBodyAlternativeNext) {
PatternAlternative* priorAlternative = m_ops[op.m_previousOp].m_alternative;
m_checkedOffset += priorAlternative->m_minimumSize;
}
- m_checkedOffset -= alternative->m_minimumSize;
// Is this the last alternative? If not, then if we backtrack to this point we just
// need to jump to try to match the next alternative.
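Review bot: moving `m_checkedOffset -= alternative->m_minimumSize;` ahead of the `+= priorAlternative->m_minimumSize` means the checked value never has to hold the sum of both minimum sizes, which is what overflowed with quantifier counts near 2^32; the reordering is only safe if `m_checkedOffset` already includes `alternative->m_minimumSize` when this case is reached (otherwise the early subtraction would underflow the checked value instead of the later addition overflowing it), which the forward pass guarantees but the code does not say. Given that the ChangeLog notes the old order survived "for some time", please add a one-line comment above the subtraction stating that the order is deliberate so the intermediate stays within the checked range, so a future tidy-up does not swap the two statements back.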
@@ -3101,11 +3101,11 @@
m_backtrackingState.append(endOp->m_jumps);
}
+ m_checkedOffset -= op.m_checkAdjust;
if (!isBegin) {
YarrOp& lastOp = m_ops[op.m_previousOp];
m_checkedOffset += lastOp.m_checkAdjust;
}
- m_checkedOffset -= op.m_checkAdjust;
break;
}
case OpSimpleNestedAlternativeEnd:
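Review bot: this is the same subtract-before-add reordering as in the `OpBodyAlternativeNext` hunk, here on `op.m_checkAdjust` and `lastOp.m_checkAdjust`; since both sites fix an identical ordering hazard, consider factoring the pair of updates into one small helper (a hypothetical `adjustCheckedOffsetForBacktrack(subtract, add)` or similar) so the invariant that the intermediate never exceeds either operand lives in one place and cannot be reintroduced at only one of the two sites. The new test's pattern contains a group with three alternatives, one of them empty, so it should reach this nested-alternative path as well as the body-alternative one; worth confirming it failed before the change with only this hunk reverted, so each site is known to be covered.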
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes