Title: [276601] branches/safari-607-branch/Source/_javascript_Core
Revision: 276601
Author: repst...@apple.com
Date: 2021-04-26 10:38:58 -0700 (Mon, 26 Apr 2021)

Log Message

Cherry-pick r276527. rdar://problem/77160646

    [YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
    https://bugs.webkit.org/show_bug.cgi?id=224983

    Reviewed by Mark Lam.

    When we backtrack a parentheses with a greedy non zero based quantifier,
    we don't properly restore for the case where we hadn't reached the minimum count.
    We now save the input position on entry and restore it when we backtrack for
    this case.  We also properly release the allocated ParenthesesDisjunctionContext's.

    * yarr/YarrInterpreter.cpp:
    (JSC::Yarr::Interpreter::matchParentheses):
    (JSC::Yarr::Interpreter::backtrackParentheses):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276527 268f45cc-cd09-0410-ab3c-d52691b4dbfc
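
As an added example that is not part of this commit or of WebKit: a small JavaScript regression harness for the pattern shape the log message describes, a parenthesised group under a greedy quantifier with a non-zero minimum that matches fewer than that minimum at one input position and must be unwound, with the input position restored, before the preceding term or the outer scan retries. Expected results are hand-derived from ECMAScript RegExp semantics on constructed inputs; the remark that a back reference steers the engine away from its regex JIT and into the interpreter is an assumption about engine behaviour, not something the page states.

```javascript
// Added example for this commit page; it is not code from WebKit or the YARR
// sources. It exercises, from JavaScript, the situation the commit message
// describes: a parenthesised group under a greedy quantifier with a non-zero
// minimum ({2}, {2,3}) that matches fewer than the minimum at one input
// position. The engine must then discard the partial iterations, restore the
// input position it had on entering the group, and let the preceding term or
// the outer scan retry. Expected values are hand-derived from ECMAScript
// RegExp semantics (constructed test data, not taken from the page).

const CASES = [
  // One "ab" at index 0 is below the minimum of 2 and must be unwound; the
  // scan then succeeds at index 4.
  { re: /(ab){2,3}c/, input: "abx ababc", index: 4, groups: ["ababc", "ab"] },

  // The term before the group is retried after the group fails below its
  // minimum: "x" is taken first, (ab){2} fails on "aa", then "xa" is taken
  // and (ab){2} succeeds from index 2.
  { re: /(?:x|xa)(ab){2}c/, input: "xaababc", index: 0, groups: ["xaababc", "ab"] },

  // Backtracking inside the last iteration once the minimum is reached: the
  // second iteration first takes "a", which leaves "bc" unmatchable, then "ab".
  { re: /(a|ab){2}c/, input: "aabc", index: 0, groups: ["aabc", "ab"] },

  // A back reference is included because engines whose regex JIT does not
  // compile back references fall back to the interpreter (assumption about
  // engine behaviour, not stated by the commit). At index 0 the group
  // completes one iteration, fails the second, and has to be unwound.
  { re: /(x)\1(ab){2,3}c/, input: "xxabx xxababc", index: 6, groups: ["xxababc", "x", "ab"] },

  // No start position ever reaches two iterations: the result must be null,
  // not a match assembled from a stale input position.
  { re: /(ab){2,3}c/, input: "abcabc", index: -1, groups: null },
];

// Runs one case and reports what the engine returned next to the expectation.
function checkCase({ re, input, index, groups }) {
  const m = re.exec(input);
  const gotIndex = m ? m.index : -1;
  const gotGroups = m ? Array.from(m) : null;
  const ok = gotIndex === index &&
    JSON.stringify(gotGroups) === JSON.stringify(groups);
  return { pattern: re.source, input, ok, gotIndex, gotGroups };
}

// Returns the failing cases (empty array when the engine is spec-conformant).
function runAll(cases = CASES) {
  return cases.map(checkCase).filter((r) => !r.ok);
}

const backtrackFailures = runAll();
if (backtrackFailures.length === 0) {
  console.log(`all ${CASES.length} greedy-group backtracking cases passed`);
} else {
  for (const f of backtrackFailures) {
    console.log(`FAIL /${f.pattern}/ on ${JSON.stringify(f.input)}: ` +
      `index=${f.gotIndex} groups=${JSON.stringify(f.gotGroups)}`);
  }
}
```

Run it under any JavaScript engine (node, or a jsc built from the branch). The below-minimum cases are where a build without the fix would be expected to diverge; the page does not describe the concrete misbehaviour, so the harness only checks conformance and reports the engine's actual index and captures for anything that differs.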

Modified Paths

Diff

Modified: branches/safari-607-branch/Source/_javascript_Core/ChangeLog (276600 => 276601)


--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog	2021-04-26 17:38:54 UTC (rev 276600)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog	2021-04-26 17:38:58 UTC (rev 276601)
@@ -1,5 +1,42 @@
 2021-04-26  Russell Epstein  <repst...@apple.com>
 
+        Cherry-pick r276527. rdar://problem/77160646
+
+    [YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
+    https://bugs.webkit.org/show_bug.cgi?id=224983
+    
+    Reviewed by Mark Lam.
+    
+    When we backtrack a parentheses with a greedy non zero based quantifier,
+    we don't properly restore for the case where we hadn't reached the minimum count.
+    We now save the input position on entry and restore it when we backtrack for
+    this case.  We also properly release the allocated ParenthesesDisjunctionContext's.
+    
+    * yarr/YarrInterpreter.cpp:
+    (JSC::Yarr::Interpreter::matchParentheses):
+    (JSC::Yarr::Interpreter::backtrackParentheses):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276527 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-04-23  Michael Saboff  <msab...@apple.com>
+
+            [YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
+            https://bugs.webkit.org/show_bug.cgi?id=224983
+
+            Reviewed by Mark Lam.
+
+            When we backtrack a parentheses with a greedy non zero based quantifier,
+            we don't properly restore for the case where we hadn't reached the minimum count.
+            We now save the input position on entry and restore it when we backtrack for
+            this case.  We also properly release the allocated ParenthesesDisjunctionContext's.
+
+            * yarr/YarrInterpreter.cpp:
+            (JSC::Yarr::Interpreter::matchParentheses):
+            (JSC::Yarr::Interpreter::backtrackParentheses):
+
+2021-04-26  Russell Epstein  <repst...@apple.com>
+
         Cherry-pick r276524. rdar://problem/77160578
 
     Fix B3 strength reduction for shl.
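Review bot: the blank lines inside the new ChangeLog entry carry trailing whitespace (`+    ` between the title block and the `* yarr/YarrInterpreter.cpp:` list, and the two lines before `git-svn-id:`), while the surrounding entries use bare `+` lines; strip it before landing. The entry body also appears twice, once at the cherry-pick's 4-space indent and again, verbatim, nested at 12 spaces under the `2021-04-23  Michael Saboff` line; one copy, keeping the original author and date line, is enough.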

Modified: branches/safari-607-branch/Source/_javascript_Core/yarr/YarrInterpreter.cpp (276600 => 276601)


--- branches/safari-607-branch/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2021-04-26 17:38:54 UTC (rev 276600)
+++ branches/safari-607-branch/Source/_javascript_Core/yarr/YarrInterpreter.cpp	2021-04-26 17:38:58 UTC (rev 276601)
@@ -47,6 +47,7 @@
     struct ParenthesesDisjunctionContext;
 
     struct BackTrackInfoParentheses {
+        uintptr_t begin;
         uintptr_t matchAmount;
         ParenthesesDisjunctionContext* lastContext;
     };
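Review bot: adding `uintptr_t begin` grows `BackTrackInfoParentheses` from two words to three, but the struct is overlaid on a frame slot (`reinterpret_cast<BackTrackInfoParentheses*>(context->frame + term.frameLocation)` in the next hunk) whose size is decided when the term is compiled, outside this diff. Confirm that the space reserved per parentheses term is derived from `sizeof(BackTrackInfoParentheses)` or that the corresponding frame-size constant was bumped by one word in the same cherry-pick; otherwise `lastContext` now overlaps the following term's backtrack data. A `static_assert` tying the struct size to that constant would make the coupling visible, and a one-line comment that `begin` holds the input position at entry, restored when the group fails to reach its minimum count, would help here.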
@@ -1002,6 +1003,7 @@
         BackTrackInfoParentheses* backTrack = reinterpret_cast<BackTrackInfoParentheses*>(context->frame + term.frameLocation);
         ByteDisjunction* disjunctionBody = term.atom.parenthesesDisjunction;
 
+        backTrack->begin = input.getPos();
         backTrack->matchAmount = 0;
         backTrack->lastContext = 0;
 
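Review bot: a comment on `backTrack->begin = input.getPos();` saying that the value is consumed only by `backtrackParentheses` in the below-minimum path would help; the three initialisations look uniform, but `begin` is never updated again whereas `matchAmount` and `lastContext` change on every iteration. The placement itself is right: it records the position before any iteration has consumed input, which is what the restore needs, rather than the start of the most recent iteration.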
@@ -1155,8 +1157,20 @@
                 popParenthesesDisjunctionContext(backTrack);
                 freeParenthesesDisjunctionContext(context);
 
-                if (result != JSRegExpNoMatch || backTrack->matchAmount < term.atom.quantityMinCount)
+                if (backTrack->matchAmount < term.atom.quantityMinCount) {
+                    while (backTrack->matchAmount) {
+                        context = backTrack->lastContext;
+                        resetMatches(term, context);
+                        popParenthesesDisjunctionContext(backTrack);
+                        freeParenthesesDisjunctionContext(context);
+                    }
+
+                    input.setPos(backTrack->begin);
                     return result;
+                }
+
+                if (result != JSRegExpNoMatch)
+                    return result;
             }
 
             if (backTrack->matchAmount) {
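Review bot: the new `while (backTrack->matchAmount)` loop terminates only if `popParenthesesDisjunctionContext` decrements `matchAmount` on every call; that function is not in the diff, so confirm it does, and that it leaves `lastContext` null once the count reaches zero, otherwise this spins. Two smaller points: the pop/reset/free triple inside the loop repeats the two lines directly above the `if` plus `resetMatches`, so a small helper that unwinds one iteration would remove the duplication; and splitting the old single condition into two `if`s means an error result (anything other than `JSRegExpNoMatch`) with `matchAmount < term.atom.quantityMinCount` now also runs the unwind and `input.setPos(backTrack->begin)` before returning, which is fine for error propagation but deserves a sentence in the ChangeLog. Finally, this branch diff touches only `YarrInterpreter.cpp` and the ChangeLog; no regression test for a `(...){n,m}` group that matches fewer than `n` times at one position and must be retried further on is part of the cherry-pick.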
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
