Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f458b13465b19c8260b7336037bc776f0b25ae1b
      
https://github.com/WebKit/WebKit/commit/f458b13465b19c8260b7336037bc776f0b25ae1b
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-02-18 (Wed, 18 Feb 2026)

  Changed paths:
    A JSTests/stress/regexp-backreference-surrogate-pos-corruption.js
    M Source/JavaScriptCore/yarr/YarrInterpreter.cpp

  Log Message:
  -----------
  [YARR] Fix tryConsumeBackReference pos corruption with surrogate pairs in interpreter
https://bugs.webkit.org/show_bug.cgi?id=308047

Reviewed by Yusuke Suzuki.

When a backreference captures a BMP character (e.g. 'a') and the input at
the comparison position is a surrogate pair (e.g. U+10000), two bugs in the
Yarr bytecode interpreter cause pos corruption:

1. readChecked() in tryConsumeBackReference has a side effect of advancing
   pos via next() when it decodes a surrogate pair. When the comparison
   fails, uncheckInput(matchSize) only restores the checkInput amount,
   leaving the extra +1 from next(). Fix: use readCheckedDontAdvance().

2. readCheckedDontAdvance() itself has a spurious atEnd() check copied from
   readChecked(). Since readCheckedDontAdvance() never calls next(), the
   atEnd() check is unnecessary. When pos happens to be at the end of input,
   this causes errorCodePoint to be returned for a valid surrogate pair,
   which triggers an early return in tryConsumeBackReference without calling
   uncheckInput, corrupting pos. Fix: remove the atEnd() check and add
   the missing lone trail surrogate check for consistency with readChecked().

Test: JSTests/stress/regexp-backreference-surrogate-pos-corruption.js

* JSTests/stress/regexp-backreference-surrogate-pos-corruption.js: Added.
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
(JSC::Yarr::Interpreter::tryConsumeBackReference):

Canonical link: https://commits.webkit.org/307792@main
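The following is an added example, not the commit's own JSTests file (whose contents are not shown above): it exercises the backreference semantics the fix restores, written against ECMAScript's specified behaviour so it runs on any conforming engine, with constructed inputs and case names of my own.

```javascript
"use strict";

// Run a regex and report the match position and size in UTF-16 code units.
function matchInfo(re, input) {
  const m = re.exec(input);
  if (m === null) return null;
  return { index: m.index, text: m[0], units: m[0].length };
}

const SURROGATE_PAIR = "\u{10000}"; // stored as \uD800\uDC00 (2 code units)
const LONE_TRAIL = "\uDC00";        // unpaired trail surrogate (1 code unit)

// Cases mirror the two failure modes in the commit message: a BMP capture
// ('a') compared by backreference against a surrogate pair at the current
// position, both mid-string and at end of input.
const cases = {
  // The comparison must fail without disturbing the position, so the
  // engine goes on to find "aa" at index 3.
  failMidString: () => matchInfo(/(a)\1/u, "a" + SURROGATE_PAIR + "aa"),
  // Surrogate pair sitting at end of input (the atEnd() case): no match.
  failAtEnd: () => matchInfo(/(a)\1/u, "a" + SURROGATE_PAIR),
  // After the failed backreference the pattern continues with '.', which
  // must consume the whole pair from the restored position rather than
  // start one unit later on the trail surrogate.
  continueAfterFail: () => matchInfo(/(a)\1?./u, "a" + SURROGATE_PAIR),
  // Without the u flag '.' consumes a single code unit, so only the lead
  // surrogate is matched; the pair handling only matters in unicode mode.
  continueAfterFailNonUnicode: () => matchInfo(/(a)\1?./, "a" + SURROGATE_PAIR),
  // Lone trail surrogate at the comparison position: compares unequal,
  // then '.' consumes that single unit.
  loneTrail: () => matchInfo(/(a)\1?./u, "a" + LONE_TRAIL),
  // Control: a surrogate-pair capture backreferenced against itself.
  pairMatchesPair: () => matchInfo(/(\u{10000})\1/u, SURROGATE_PAIR + SURROGATE_PAIR),
};

// Evaluate every case and return the results keyed by case name.
function runCases() {
  const out = {};
  for (const [name, fn] of Object.entries(cases)) out[name] = fn();
  return out;
}
```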
