Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8802eec90fd42545b18c5008dd3733cae9092499
      
https://github.com/WebKit/WebKit/commit/8802eec90fd42545b18c5008dd3733cae9092499
  Author: Michael Saboff <msab...@apple.com>
  Date:   2024-07-01 (Mon, 01 Jul 2024)

  Changed paths:
    A JSTests/stress/regexp-backreference-dangling-surrogate.js
    M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
    M Source/JavaScriptCore/yarr/YarrJIT.cpp

  Log Message:
  -----------
  SEGV YarrJIT.h:350:28 (275528)
https://bugs.webkit.org/show_bug.cgi?id=275528
rdar://129910892

Reviewed by Yusuke Suzuki.

When we read a dangling surrogate, it reads as the sentinel -1. This sentinel value should always fail to match anything. When processing a backreference in an ignore case RegExp compiled for 16-bit strings, we case fold by calling out to the function areCanonicallyEquivalent(), passing a character from the referenced capture and the corresponding character in the backreference atom. We were not checking the case where either character was the -1 sentinel for a dangling surrogate. Added these checks in both the interpreter and JIT code. Found and fixed a bug in the JIT code where we increment the character pointers for non-BMP characters. We were reusing the result register from the areCanonicallyEquivalent() result to see if we read a non-BMP. Fixed this to use the other character argument, that is in a callee saved register.

Added a new regression test.

* JSTests/stress/regexp-backreference-dangling-surrogate.js: Added.
(arrayToString):
(objectToString):
(dumpValue):
(compareArray):
(compareGroups):
(testRegExp):
(testRegExpSyntaxError):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::reread):
(JSC::Yarr::Interpreter::tryConsumeBackReference):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
(JSC::Yarr::areCanonicallyEquivalentThunkGenerator):

Canonical link: https://commits.webkit.org/280563@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
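The following is an added illustration of the rule the commit message states, written in JavaScript so it runs in Node. It is not Yarr's code and is not part of the commit or its regression test: readCodePoint, areCanonicallyEquivalent, tryConsumeBackReference, describe and the constructed SAMPLES are all names and inputs invented here. It models a UTF-16 reader that returns a -1 sentinel for a lone surrogate, a case-folding comparison that only accepts real code points, and a backreference step with and without the sentinel check; the "before" path shows the kind of failure an unchecked sentinel provokes (a RangeError here, a SEGV in the native engine), the "after" path fails the match instead, and the loop advances each side by the width of the character it decoded rather than by anything derived from the comparison result.

```javascript
'use strict';

// Sentinel for a lone (dangling) surrogate, modelled on the -1 the commit
// message describes. By the rule stated there it must never match anything.
const DANGLING_SURROGATE = -1;

// Decode the code point at UTF-16 index i of s.
// Returns { cp, width }: a valid surrogate pair yields the supplementary code
// point with width 2; a lone high or low surrogate yields the sentinel, width 1.
function readCodePoint(s, i) {
  const cu = s.charCodeAt(i);
  if (cu >= 0xd800 && cu <= 0xdbff) {
    const next = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
    if (next >= 0xdc00 && next <= 0xdfff) {
      return { cp: 0x10000 + ((cu - 0xd800) << 10) + (next - 0xdc00), width: 2 };
    }
    return { cp: DANGLING_SURROGATE, width: 1 };
  }
  if (cu >= 0xdc00 && cu <= 0xdfff) return { cp: DANGLING_SURROGATE, width: 1 };
  return { cp: cu, width: 1 };
}

// Stand-in for areCanonicallyEquivalent() (hypothetical model, not Yarr's):
// two code points are equivalent when they lower-case to the same string.
// Like any routine that expects real code points, it misbehaves on the
// sentinel: String.fromCodePoint(-1) throws a RangeError.
function areCanonicallyEquivalent(a, b) {
  return String.fromCodePoint(a).toLowerCase() === String.fromCodePoint(b).toLowerCase();
}

// Ignore-case backreference step: does input at `pos` repeat the capture
// input[captureStart, captureEnd)? Returns the position after the match, or -1.
// `checkSentinel` selects the behaviour before (false) and after (true) the fix.
function tryConsumeBackReference(input, captureStart, captureEnd, pos, checkSentinel) {
  let i = captureStart;
  let j = pos;
  while (i < captureEnd) {
    if (j >= input.length) return -1;
    const a = readCodePoint(input, i);
    const b = readCodePoint(input, j);
    // The fix: if either character is the sentinel, fail before case folding.
    if (checkSentinel && (a.cp === DANGLING_SURROGATE || b.cp === DANGLING_SURROGATE)) {
      return -1;
    }
    if (!areCanonicallyEquivalent(a.cp, b.cp)) return -1;
    // Advance each side by its own decoded width (1 or 2 code units), never by
    // anything derived from the comparison result.
    i += a.width;
    j += b.width;
  }
  return j;
}

// Report the outcome as a string so the before/after contrast is visible.
function describe(input, captureStart, captureEnd, pos, checkSentinel) {
  try {
    const r = tryConsumeBackReference(input, captureStart, captureEnd, pos, checkSentinel);
    return r < 0 ? 'no match' : `match, next position ${r}`;
  } catch (e) {
    return `${e.constructor.name}: ${e.message}`;
  }
}

// Constructed inputs for this illustration (not from the WebKit regression test):
// [input, captureStart, captureEnd, backreference position].
const SAMPLES = [
  ['abAB', 0, 2, 2],                 // plain ASCII, differs only in case
  ['k\u212A', 0, 1, 1],              // 'k' vs KELVIN SIGN, both fold to 'k'
  ['\u{1F600}\u{1F600}', 0, 2, 2],   // non-BMP character repeated: width-2 advance
  ['\uD83Dx\uD83Dx', 0, 1, 2],       // lone high surrogate on both sides
  ['a\uD83D', 0, 1, 1],              // capture 'a', backreference at a lone surrogate
];

for (const [input, cs, ce, pos] of SAMPLES) {
  console.log(JSON.stringify(input).padEnd(22),
    'before fix:', describe(input, cs, ce, pos, false).padEnd(40),
    'after fix:', describe(input, cs, ce, pos, true));
}
```

The two lone-surrogate samples are the interesting rows: without the check the comparison is handed -1 and throws, with it the backreference simply fails to match, which is the behaviour the commit message requires of the sentinel.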