Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c4f242d634ec1e5d689a7a459eae2d0690ee7295
https://github.com/WebKit/WebKit/commit/c4f242d634ec1e5d689a7a459eae2d0690ee7295
Author: Sosuke Suzuki <[email protected]>
Date: 2026-04-02 (Thu, 02 Apr 2026)
Changed paths:
A JSTests/stress/regexp-unicode-mixed-width-charclass-fixed-count-backtrack.js
M Source/JavaScriptCore/yarr/Yarr.h
M Source/JavaScriptCore/yarr/YarrJIT.cpp
Log Message:
-----------
[YARR] Fixed-count mixed-width character class should restore index on backtrack
https://bugs.webkit.org/show_bug.cgi?id=311241
Reviewed by Yusuke Suzuki.
generateCharacterClassFixed's mixed-width path increments the index
register for each surrogate pair matched in the loop, but
backtrackCharacterClassFixed never restores it. The Once, Greedy, and
NonGreedy variants all save the index to the frame's beginIndex slot
and reload it on backtrack; do the same for Fixed.
Unlike Once, Fixed can fail mid-loop with the index already advanced,
so op.m_jumps must also be linked before the load (not just the
backtracking state). The store is placed before jumpIfNoAvailableInput
so all backtrack entry paths read a valid frame value, and we return
early since op.m_jumps is consumed (JumpList::link does not clear).
The frame slot was already reserved for FixedCount under eitherUnicode
in setupDisjunctionOffsets; the JIT just never used it.
Follows up on 309968@main, which fixed the surrogate-advancement issue
for Greedy/NonGreedy via advanceIndexAfterCharacterClassTermMatch.
Fixed has its own inlined advancement and was missed.
Test:
JSTests/stress/regexp-unicode-mixed-width-charclass-fixed-count-backtrack.js
* JSTests/stress/regexp-unicode-mixed-width-charclass-fixed-count-backtrack.js:
Added.
(shouldBeArray):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
Canonical link: https://commits.webkit.org/310477@main
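An added example, not the commit's own test file and not WebKit code, exercising the pattern shape the commit message describes: a fixed-count quantifier over a character class that mixes a one-code-unit BMP character with an astral character (a surrogate pair) in unicode mode, where a later term fails and the engine has to backtrack to the index it had before the fixed-count loop ran. The patterns and inputs are constructed; the expected values are what the ECMAScript specification requires, so they hold on any conforming engine, including the fixed build.

```javascript
// Constructed example: fixed-count matching over a mixed-width character class.
// 'a' is one UTF-16 code unit, U+1F600 is a surrogate pair (two code units),
// so the match index advances by different amounts per iteration.
const CLASS = '[a\\u{1F600}]';

// Case 1: the fixed-count term matches completely, then the literal that follows
// fails. The engine must abandon the first alternative and retry the second one
// from the original index, not from wherever the loop left the index.
function matchAfterFullCountFailure(input) {
  const re = new RegExp(`(?:${CLASS}{2}x|${CLASS}{2}y)`, 'u');
  const m = re.exec(input);
  return m ? [m[0], m.index] : null;
}

// Case 2: the fixed-count loop fails part-way (the third iteration meets 'b')
// after the index has already been advanced past a surrogate pair. The second
// alternative must still be tried from the original start position.
function matchAfterMidLoopFailure(input) {
  const re = new RegExp(`(?:${CLASS}{3}|\\u{1F600}ab)`, 'u');
  const m = re.exec(input);
  return m ? [m[0], m.index] : null;
}

// Case 3: a global scan where the fixed-count class match is retried at each
// start position; returns every match with its code-unit index.
function allMatches(input) {
  const re = new RegExp(`${CLASS}{2}(?=b)`, 'gu');
  const out = [];
  let m;
  while ((m = re.exec(input)) !== null) out.push([m[0], m.index]);
  return out;
}

// Stand-alone run: prints the spec-mandated results for each case.
console.log(matchAfterFullCountFailure('a\u{1F600}y'));   // [ 'a😀y', 0 ]
console.log(matchAfterMidLoopFailure('\u{1F600}ab'));      // [ '😀ab', 0 ]
console.log(allMatches('a\u{1F600}b\u{1F600}ab'));         // [ [ 'a😀', 0 ], [ '😀a', 4 ] ]
```

Each case ends with the same shape of check: the match text and its index. A match reported at a wrong index, or a null where the second alternative should have matched, is the observable symptom of an index that was advanced inside the fixed-count loop and not restored on backtrack.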