Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6219e9ebc052202ebec9b0edf8dea908752d2c44
https://github.com/WebKit/WebKit/commit/6219e9ebc052202ebec9b0edf8dea908752d2c44
Author: Sosuke Suzuki <[email protected]>
Date: 2026-02-15 (Sun, 15 Feb 2026)
Changed paths:
A JSTests/stress/yarr-jit-optimize-alternative-inverted-char-class.js
M Source/JavaScriptCore/yarr/YarrJIT.cpp
Log Message:
-----------
[YARR] Fix false negative matching Unicode regexp with inverted character class
https://bugs.webkit.org/show_bug.cgi?id=307964

Reviewed by Yusuke Suzuki.

optimizeAlternative() swaps a CharacterClass term with a following
PatternCharacter term in Char8 mode even when the class is inverted. An
inverted class like [^a] has BMP-only class data so hasNonBMPCharacters()
returns false, but being inverted it can match any non-BMP character. If
JIT allocation then fails, the swapped pattern is passed to
byteCodeCompilePattern(). Executing that bytecode against a Char16 string
causes the interpreter to misread surrogate pairs, producing a false
negative.

This patch fixes this by restricting the swap to non-inverted CharacterClasses.

Test: JSTests/stress/yarr-jit-optimize-alternative-inverted-char-class.js

* JSTests/stress/yarr-jit-optimize-alternative-inverted-char-class.js: Added.
(shouldBe):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
Canonical link: https://commits.webkit.org/307639@main
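
The mismatch the log message describes, as an added example (not WebKit code and not the commit's test): a class whose stored ranges are BMP-only can still match non-BMP code points once it is inverted, so a predicate that reads only the stored data disagrees with the engine. The class model, the function names and the sample patterns are assumptions constructed for illustration; the built-in `RegExp` with the `u` flag serves as ground truth.

```javascript
// Hypothetical class model: sorted, disjoint [lo, hi] code point ranges plus an
// inverted flag. Not YARR's real data structure; all names here are assumptions.
const FIRST_NON_BMP = 0x10000, LAST_CODE_POINT = 0x10FFFF;

// Looks at the stored ranges only and ignores inversion.
function storedDataHasNonBMP(cls) {
  return cls.ranges.some(([, hi]) => hi >= FIRST_NON_BMP);
}

// Inversion-aware: can the class match at least one code point above U+FFFF?
function canMatchNonBMP(cls) {
  let covered = 0; // non-BMP code points covered by the stored ranges
  for (const [lo, hi] of cls.ranges) {
    const a = Math.max(lo, FIRST_NON_BMP);
    if (a <= hi) covered += hi - a + 1;
  }
  const total = LAST_CODE_POINT - FIRST_NON_BMP + 1;
  return cls.inverted ? covered < total : covered > 0;
}

// Ground truth from the engine: does the class match any sampled non-BMP string?
const SAMPLES = ['\u{10000}', '\u{1F600}', '\u{10FFFF}']; // constructed inputs
function engineMatchesNonBMP(source) {
  const re = new RegExp('^' + source + '$', 'u');
  return SAMPLES.some((s) => re.test(s));
}

// Constructed cases: regexp source paired with its modelled class data.
const CASES = [
  { source: '[^a]', cls: { ranges: [[0x61, 0x61]], inverted: true } },
  { source: '[a]', cls: { ranges: [[0x61, 0x61]], inverted: false } },
  { source: '[\\u{1F600}]', cls: { ranges: [[0x1F600, 0x1F600]], inverted: false } },
  { source: '[^\\u{10000}-\\u{10FFFF}]', cls: { ranges: [[0x10000, 0x10FFFF]], inverted: true } },
];

// Compares both predicates with the engine's behaviour for every case.
function audit() {
  return CASES.map(({ source, cls }) => ({
    source,
    storedOnly: storedDataHasNonBMP(cls),
    inversionAware: canMatchNonBMP(cls),
    engine: engineMatchesNonBMP(source),
  }));
}

console.table(audit());
```

The `[^a]` row is the case from the log message: the stored-data predicate reports false while the engine matches non-BMP input.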