Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a7c349d2d10e0f30efe49be7bd531231d1781623
https://github.com/WebKit/WebKit/commit/a7c349d2d10e0f30efe49be7bd531231d1781623
Author: Yusuke Suzuki <[email protected]>
Date: 2026-02-19 (Thu, 19 Feb 2026)
Changed paths:
A JSTests/stress/yarr-jit-simd-oob-index.js
M Source/JavaScriptCore/yarr/YarrJIT.cpp
Log Message:
-----------
[YARR] index can exceed length when baseOffset is negative in generateBitInTableSIMDSearch
https://bugs.webkit.org/show_bug.cgi?id=308246
rdar://170676343
Reviewed by Yijia Huang.
When baseOffset is negative, computed index can exceed length from
generateBitInTableSIMDSearch's SIMD searching part. This is because
we ensured that `index + baseOffset` + 16 bytes (for Vector) can
be safely loaded (< length), but this does not guarantee that index +
found position is within length. When baseOffset is negative, then this
can be larger than length. Thus we need a bound check to proceed.
This is only necessary when baseOffset is negative.
Test: JSTests/stress/yarr-jit-simd-oob-index.js
* JSTests/stress/yarr-jit-simd-oob-index.js: Added.
(test):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
Canonical link: https://commits.webkit.org/307870@main
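The following is an added illustration of the bound the commit message describes; it is not WebKit's code and does not reproduce YarrJIT.cpp. It models the SIMD search with a scalar 16-lane compare: `index` is the matcher's cursor, the character class is read at `index + baseOffset`, the loop guard keeps each 16-byte load inside the input, and the new cursor is `index + lane`. The function names, the membership table, the 32-byte sample input and the exact form of the check (`next > length` fails the term) are assumptions made for the example. In the unchecked variant the out-of-bounds value is the returned cursor, which a caller would then use for further reads.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define VECTOR_WIDTH 16

/* Membership table standing in for the bit table the regex JIT consults
 * (assumed shape). in_class[c] != 0 means byte value c is in the class. */
typedef struct { uint8_t in_class[256]; } CharTable;

/* Scalar stand-in for one 16-lane SIMD compare against the table: returns the
 * lane offset of the first matching byte in [base, base + 16), or -1 if none. */
static int first_matching_lane(const uint8_t *base, const CharTable *t) {
    for (int lane = 0; lane < VECTOR_WIDTH; lane++)
        if (t->in_class[base[lane]]) return lane;
    return -1;
}

/* Pre-fix shape of the search (illustration). The loop guard only keeps the
 * 16-byte load at index + baseOffset inside the input, so the new cursor
 * (index + lane) can exceed length when baseOffset is negative.
 * Returns the new cursor, or -1 if no class member was found. */
static long simd_search_unchecked(const uint8_t *subject, long length,
                                  long baseOffset, const CharTable *t) {
    long index = baseOffset < 0 ? -baseOffset : 0;   /* first load starts at byte 0 */
    while (index + baseOffset + VECTOR_WIDTH <= length) {
        int lane = first_matching_lane(subject + index + baseOffset, t);
        if (lane >= 0)
            return index + lane;                     /* never compared with length */
        index += VECTOR_WIDTH;
    }
    return -1;
}

/* Post-fix shape (illustration): same search, but a found position that would
 * put the cursor past the end of input fails the term instead of being returned.
 * The check is only needed for a negative baseOffset; with baseOffset >= 0 the
 * loop guard already implies index + lane < length. */
static long simd_search_checked(const uint8_t *subject, long length,
                                long baseOffset, const CharTable *t) {
    long index = baseOffset < 0 ? -baseOffset : 0;
    while (index + baseOffset + VECTOR_WIDTH <= length) {
        int lane = first_matching_lane(subject + index + baseOffset, t);
        if (lane >= 0) {
            long next = index + lane;
            if (baseOffset < 0 && next > length)     /* the added bound check */
                return -1;
            return next;
        }
        index += VECTOR_WIDTH;
    }
    return -1;
}

/* Constructed sample: 31 'a' bytes followed by one 'x' in the final byte, and a
 * class containing only 'x'. The match sits at byte 31, inside the input. */
#define SAMPLE_LEN 32
static void build_sample(uint8_t subject[SAMPLE_LEN], CharTable *t) {
    memset(subject, 'a', SAMPLE_LEN);
    subject[SAMPLE_LEN - 1] = 'x';
    memset(t, 0, sizeof *t);
    t->in_class['x'] = 1;
}

/* Cursor produced by each variant on the sample for a given baseOffset. */
static long demo_unchecked(long baseOffset) {
    uint8_t subject[SAMPLE_LEN]; CharTable t;
    build_sample(subject, &t);
    return simd_search_unchecked(subject, SAMPLE_LEN, baseOffset, &t);
}

static long demo_checked(long baseOffset) {
    uint8_t subject[SAMPLE_LEN]; CharTable t;
    build_sample(subject, &t);
    return simd_search_checked(subject, SAMPLE_LEN, baseOffset, &t);
}

int main(void) {
    /* baseOffset 0: both variants stop at cursor 31 (< length 32).
     * baseOffset -4: the loaded vector covers bytes 16..31, the 'x' is found in
     * lane 15, and the unchecked cursor becomes 20 + 15 = 35 > length 32. */
    printf("baseOffset  0: unchecked=%ld checked=%ld (length %d)\n",
           demo_unchecked(0), demo_checked(0), SAMPLE_LEN);
    printf("baseOffset -4: unchecked=%ld checked=%ld (length %d)\n",
           demo_unchecked(-4), demo_checked(-4), SAMPLE_LEN);
    return 0;
}
```

With `baseOffset = -4` the vector load starting at byte 16 is fully inside the 32-byte input, so the guard passes, yet the cursor derived from the hit lane is 35, three bytes past the end; the checked variant rejects that position, which is the condition the regression test `JSTests/stress/yarr-jit-simd-oob-index.js` is meant to exercise.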