Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (242008 => 242009)
--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2019-02-24 01:07:20 UTC (rev 242008)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2019-02-24 01:07:27 UTC (rev 242009)
@@ -1,3 +1,14 @@
+2019-02-15 Michael Saboff <msab...@apple.com>
+
+ RELEASE_ASSERT at com.apple._javascript_Core: JSC::jsSubstringOfResolved
+ https://bugs.webkit.org/show_bug.cgi?id=194558
+
+ Reviewed by Saam Barati.
+
+ New regression test.
+
+ * stress/regexp-unicode-within-string.js: Added.
+
2019-02-15 Mark Lam <mark....@apple.com>
SamplingProfiler::stackTracesAsJSON() should escape strings.
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/regexp-unicode-within-string.js (0 => 242009)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/regexp-unicode-within-string.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/regexp-unicode-within-string.js 2019-02-24 01:07:27 UTC (rev 242009)
@@ -0,0 +1,26 @@
+// This test verifies that a Unicode regular _expression_ does not read past the end of a string.
+// It should run without a crash or throwing an exception.
+
+function testRegExpInbounds(re, str, substrEnd)
+{
+ let subStr = str.substring(0, substrEnd);
+
+ let match = subStr.match(re);
+
+ if (match !== null && match[0] === str)
+ throw "Error: Read past end of a Unicode substring processing a Unicode RegExp";
+ else if (match === null || match[0] !== subStr) {
+ print("Error: match[0].length = " + match[0].length + ", match[0] = \"" + match[0] + "\"");
+ throw "Error: Didn't properly match a Unicode substring with a matching Unicode RegExp";
+ }
+}
+
+testRegExpInbounds(/ab\u{10400}c\u{10a01}d|ab\u{10400}c\u{10a01}/iu, "ab\u{10428}c\u{10a01}d", 7);
+testRegExpInbounds(/ab\u{10400}c\u{10a01}d|ab\u{10400}c\u{10a01}/iu, "ab\u{10428}c\u{10a01}d", 7);
+testRegExpInbounds(/ab[\u{10428}x]c[\u{10a01}x]defg|ab\u{10428}c\u{10a01}def/u, "ab\u{10428}c\u{10a01}defg", 10);
+testRegExpInbounds(/[\u{10428}x]abcd|\u{10428}abc/u, "\u{10428}abcdef", 5);
+testRegExpInbounds(/ab\u{10400}c\u{10a01}[^d]|ab\u{10400}c\u{10a01}/iu, "ab\u{10428}c\u{10a01}X", 7);
+testRegExpInbounds(/ab\u{10400}c\u{10a01}.|ab\u{10400}c\u{10a01}/iu, "ab\u{10428}c\u{10a01}d", 7);
+testRegExpInbounds(/ab\u{10428}c\u{10a01}\u{10000}|ab\u{10428}c\u{10a01}/iu, "ab\u{10428}c\u{10a01}\u{10000}", 7);
+testRegExpInbounds(/ab\u{10428}c\u{10a01}.|ab\u{10428}c\u{10a01}/u, "ab\u{10428}c\u{10a01}\u{10000}", 7);
+testRegExpInbounds(/ab\u{10428}c\u{10a01}[^x]|ab\u{10428}c\u{10a01}/u, "ab\u{10428}c\u{10a01}\u{10000}", 7);
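Review bot: The `else if` branch on lines 34-36 is reachable with `match === null`, and the `print` on line 35 then evaluates `match[0].length`, so a non-matching regexp fails with a TypeError instead of the intended "Didn't properly match" error string, which is the message a triager would look for. Guard the diagnostic, `if (match !== null) print("Error: match[0].length = " + match[0].length + ", match[0] = \"" + match[0] + "\"");`, and leave the `throw` unconditional. Lines 40 and 41 are byte-identical calls; one is presumably a leftover from editing and can be dropped, or was meant to be a distinct case (a different `substrEnd`, for instance). The header comment could also state the invariant the helper checks, e.g. `// Matching the pattern against str.substring(0, substrEnd) must succeed and must never yield a match longer than the substring.`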
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (242008 => 242009)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2019-02-24 01:07:20 UTC (rev 242008)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2019-02-24 01:07:27 UTC (rev 242009)
@@ -1,3 +1,19 @@
+2019-02-15 Michael Saboff <msab...@apple.com>
+
+ RELEASE_ASSERT at com.apple._javascript_Core: JSC::jsSubstringOfResolved
+ https://bugs.webkit.org/show_bug.cgi?id=194558
+
+ Reviewed by Saam Barati.
+
+ Added an in bounds check before the read of the next character for Unicode regular expressions
+ for pattern generation that didn't already have such checks.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
+ (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
+ (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
+ (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
+
2019-02-15 Mark Lam <mark....@apple.com>
SamplingProfiler::stackTracesAsJSON() should escape strings.
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/yarr/YarrJIT.cpp (242008 => 242009)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/yarr/YarrJIT.cpp 2019-02-24 01:07:20 UTC (rev 242008)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/yarr/YarrJIT.cpp 2019-02-24 01:07:27 UTC (rev 242009)
@@ -1192,6 +1192,9 @@
ignoreCaseMask |= 32ULL << shiftAmount;
}
+ if (m_decodeSurrogatePairs)
+ op.m_jumps.append(jumpIfNoAvailableInput());
+
if (m_charSize == Char8) {
auto check1 = [&] (Checked<unsigned> offset, UChar32 characters) {
op.m_jumps.append(jumpIfCharNotEquals(characters, offset, character));
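Review bot: The new `jumpIfNoAvailableInput()` guard on lines 77-78 carries no comment saying why it is conditional on `m_decodeSurrogatePairs`, and the same bare guard is repeated in the generatePatternCharacterFixed, generateCharacterClassOnce and generateCharacterClassFixed hunks below; the ChangeLog entry is the only place explaining that these paths lacked an in-bounds check before reading the next character. A one-line comment at each site would keep the reason with the code, e.g. `// Unicode patterns may consume a surrogate pair here; bail out if no input remains so the read cannot run past the end of the subject string.` (the surrogate-pair wording is inferred from the flag name and the bug title, so adjust it to what readCharacter actually does). In the two fixed-count hunks the guard sits before the count loop, so whether later iterations are still covered depends on what jumpIfNoAvailableInput compares against, which is not visible here; worth a sentence in the comment if it only checks the first read. The enclosing functions start and end outside every hunk.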
@@ -1324,6 +1327,9 @@
const RegisterID character = regT0;
const RegisterID countRegister = regT1;
+ if (m_decodeSurrogatePairs)
+ op.m_jumps.append(jumpIfNoAvailableInput());
+
move(index, countRegister);
Checked<unsigned> scaledMaxCount = term->quantityMaxCount;
scaledMaxCount *= U_IS_BMP(ch) ? 1 : 2;
@@ -1477,8 +1483,10 @@
const RegisterID character = regT0;
- if (m_decodeSurrogatePairs)
+ if (m_decodeSurrogatePairs) {
+ op.m_jumps.append(jumpIfNoAvailableInput());
storeToFrame(index, term->frameLocation + BackTrackInfoCharacterClass::beginIndex());
+ }
JumpList matchDest;
readCharacter(m_checkedOffset - term->inputPosition, character);
@@ -1525,6 +1533,9 @@
const RegisterID character = regT0;
const RegisterID countRegister = regT1;
+ if (m_decodeSurrogatePairs)
+ op.m_jumps.append(jumpIfNoAvailableInput());
+
move(index, countRegister);
sub32(Imm32(term->quantityMaxCount.unsafeGet()), countRegister);