Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d73a66dd5be2ea63a69bc48be7c7789ba358da9a
https://github.com/WebKit/WebKit/commit/d73a66dd5be2ea63a69bc48be7c7789ba358da9a
Author: Sosuke Suzuki <[email protected]>
Date: 2026-05-10 (Sun, 10 May 2026)
Changed paths:
A JSTests/stress/regexp-dot-star-enclosure-contains-capturing-terms-out-of-stack.js
M Source/JavaScriptCore/yarr/YarrPattern.cpp
Log Message:
-----------
[YARR] `containsCapturingTerms` should guard against stack overflow
https://bugs.webkit.org/show_bug.cgi?id=314475
Reviewed by Yusuke Suzuki.
optimizeDotStarWrappedExpressions() calls containsCapturingTerms() to decide
whether the DotStarEnclosure optimization can be applied. That helper walks
the pattern tree recursively into nested ParenthesesSubpattern disjunctions,
but unlike the other recursive methods in YarrPatternConstructor (e.g.
setupDisjunctionOffsets, copyDisjunction, copyTerm) it had no isSafeToRecurse()
stack guard. A deeply nested pattern such as:
new RegExp(".*" + "(?:".repeat(200000) + "a" + ")".repeat(200000) + ".*")
therefore overflowed the stack and crashed with SIGSEGV while compiling the
regular expression.
Add the same isSafeToRecurse() check used by the other recursive helpers. When
unsafe, set ErrorCode::PatternTooLarge and conservatively return true so the
optimization is skipped; YarrPattern::compile() then reports the error as a
"regular expression too large" SyntaxError instead of crashing.
Test:
JSTests/stress/regexp-dot-star-enclosure-contains-capturing-terms-out-of-stack.js
* JSTests/stress/regexp-dot-star-enclosure-contains-capturing-terms-out-of-stack.js: Added.
(test):
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
Canonical link: https://commits.webkit.org/312978@main
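Added example, not part of the commit or of WebKit's code: the fix above makes JavaScriptCore report a SyntaxError instead of crashing when it hits its own recursion limit, but the depth at which an engine gives up differs between implementations and versions. An application that compiles user-supplied patterns can apply its own bound before handing the source to the engine. The helper below counts parenthesis nesting while honouring escapes and character classes (where parentheses are literal), rejects patterns deeper than a caller-chosen limit, and maps any remaining engine-side SyntaxError to a structured result. The 100-group limit, the function names and the pattern string (the commit's reproducer, reconstructed here) are this example's own assumptions.

```javascript
// Hypothetical helper: maximum depth of parenthesised groups in a RegExp source.
// Escaped characters are skipped and "(" / ")" inside "[...]" are literal, so
// neither "\(" nor "[(]" is counted. Throws SyntaxError on unbalanced groups.
function regExpNestingDepth(source) {
  let depth = 0;
  let maxDepth = 0;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') {          // escape: the next character is literal
      i++;
      continue;
    }
    if (inClass) {             // inside [...]: only "]" is significant
      if (c === ']') inClass = false;
      continue;
    }
    if (c === '[') {
      inClass = true;
    } else if (c === '(') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (c === ')') {
      if (depth === 0) throw new SyntaxError('unbalanced ")" at offset ' + i);
      depth--;
    }
  }
  if (depth !== 0) throw new SyntaxError(depth + ' unclosed group(s)');
  return maxDepth;
}

// Hypothetical helper: compile an untrusted pattern behind a depth limit.
// Returns { ok: true, re } or { ok: false, reason } and never lets the
// engine see a pattern nested deeper than maxDepth.
function compileUntrustedPattern(source, flags = '', maxDepth = 100) {
  const depth = regExpNestingDepth(source);   // may throw on unbalanced input
  if (depth > maxDepth) {
    return { ok: false, reason: 'nesting depth ' + depth + ' exceeds limit ' + maxDepth };
  }
  try {
    return { ok: true, re: new RegExp(source, flags) };
  } catch (e) {
    // Engine-side rejection (e.g. "regular expression too large" or a bad
    // quantifier) surfaces as SyntaxError; anything else is a real bug.
    if (e instanceof SyntaxError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Constructed input: the commit's reproducer, 200000 nested non-capturing groups.
const DEEP_PATTERN = '.*' + '(?:'.repeat(200000) + 'a' + ')'.repeat(200000) + '.*';

// Usage: the deep pattern is refused before the engine is asked to compile it.
const verdict = compileUntrustedPattern(DEEP_PATTERN);
console.log(verdict.ok, verdict.reason);
```

The pre-check is linear in the pattern length and cheap compared with compilation; it does not replace the engine's own guard, it only guarantees that the rejection message is the application's and independent of which engine, and which version of it, ends up compiling the pattern.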