Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7663d811d06c32554470828470d3c1764144c397
https://github.com/WebKit/WebKit/commit/7663d811d06c32554470828470d3c1764144c397
Author: Yusuke Suzuki <[email protected]>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
A JSTests/stress/regexp-alternative-heavy.js
M JSTests/stress/regexp-bol-optimize-out-of-stack.js
A JSTests/stress/regexp-combined-large.js
A JSTests/stress/regexp-deep-nested.js
A JSTests/stress/regexp-heavy-mixed.js
A JSTests/stress/regexp-lookahead-heavy.js
M JSTests/stress/stack-overflow-regexp.js
A LayoutTests/js/script-tests/stack-overflow-regexp.js
A LayoutTests/js/stack-overflow-regexp-expected.txt
M Source/JavaScriptCore/assembler/AssemblerBuffer.h
M Source/JavaScriptCore/yarr/YarrErrorCode.cpp
M Source/JavaScriptCore/yarr/YarrErrorCode.h
M Source/JavaScriptCore/yarr/YarrParser.h
M Source/JavaScriptCore/yarr/YarrPattern.cpp
M Source/JavaScriptCore/yarr/YarrSyntaxChecker.cpp
Log Message:
-----------
[JSC] Make RegExp tolerant against excessive stress
https://bugs.webkit.org/show_bug.cgi?id=309601
rdar://171448096
Reviewed by Yijia Huang.
We fixed three issues, but only one is actually a critical security issue.
The remaining two make RegExp tolerant against excessive patterns.
1. We have no guard against too-large JIT code generation (4GB~). We fix
AssemblerBuffer to detect this and crash safely.
2. We add a RegExp capture limit, which is aligned to V8's number.
3. We add a RegExp frame size limit, which makes RegExp parsing fail
when the frame size exceeds `unsigned` entries.
Tests: JSTests/stress/regexp-alternative-heavy.js
JSTests/stress/regexp-combined-large.js
JSTests/stress/regexp-deep-nested.js
JSTests/stress/regexp-heavy-mixed.js
JSTests/stress/regexp-lookahead-heavy.js
* JSTests/stress/regexp-alternative-heavy.js: Added.
(tryCompileAndRun):
* JSTests/stress/regexp-bol-optimize-out-of-stack.js:
* JSTests/stress/regexp-combined-large.js: Added.
(tryCompileAndRun):
* JSTests/stress/regexp-deep-nested.js: Added.
(tryCompileAndRun):
* JSTests/stress/regexp-heavy-mixed.js: Added.
(tryCompileAndRun):
* JSTests/stress/regexp-lookahead-heavy.js: Added.
(tryCompileAndRun):
* LayoutTests/js/script-tests/stack-overflow-regexp.js:
(shouldThrow.recursiveCall):
(shouldThrow):
(recursiveCall):
* LayoutTests/js/stack-overflow-regexp-expected.txt:
* Source/JavaScriptCore/assembler/AssemblerBuffer.h:
(JSC::AssemblerDataImpl::grow):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::isAvailable):
(JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
(JSC::AssemblerBuffer::putIntegral):
* Source/JavaScriptCore/yarr/YarrErrorCode.cpp:
(JSC::Yarr::errorMessage):
(JSC::Yarr::errorToThrow):
* Source/JavaScriptCore/yarr/YarrErrorCode.h:
* Source/JavaScriptCore/yarr/YarrParser.h:
(JSC::Yarr::requires):
(JSC::Yarr::Parser::parse):
(JSC::Yarr::Parser::parseParenthesesBegin):
(JSC::Yarr::Parser::countCaptures):
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
(JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
(JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
(JSC::Yarr::YarrPatternConstructor::setupOffsets):
* Source/JavaScriptCore/yarr/YarrSyntaxChecker.cpp:
(JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
Originally-landed-as: 305413.479@rapid/safari-7624.2.5.110-branch
(a0acd4b94ec1). rdar://176061626
Canonical link: https://commits.webkit.org/314241@main
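The commit's stress tests are only listed by name above, and their `tryCompileAndRun` helper is not shown. The following is an added example, not code from the WebKit commit or its JSTests: it generates the kinds of patterns those test names describe (heavy alternatives, deep nesting, many captures, stacked lookaheads, a combined form), checks that the engine either compiles each one or throws a catchable SyntaxError/RangeError rather than crashing, and adds an application-side pre-flight that counts capture groups in an untrusted pattern before the engine sees it. The generator shapes, the helper names `countCaptures`, `compileStressPattern` and `stressReport`, and the sizes are this example's own assumptions; the pre-flight cap assumes V8's limit of 1 << 16 capture groups, which the commit message says JSC's new limit is aligned to.

```javascript
// Added example (not the WebKit commit's own test code).
// Assumed capture-group cap: V8 rejects patterns with more than 1 << 16 capture
// groups, and the commit message says JSC's new capture limit uses V8's number.
const ASSUMED_CAPTURE_LIMIT = 1 << 16;

// Count capturing groups in a pattern source without compiling it, so an
// application can refuse an oversized untrusted pattern before the engine parses it.
// Handles escapes, character classes, non-capturing (?: and lookaround (?= (?! (?<= (?<!,
// and counts named groups (?<name>...) as captures.
function countCaptures(source) {
  let count = 0;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }                    // skip the escaped character
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    if (c !== "(") continue;
    if (source[i + 1] !== "?") { count++; continue; }     // plain ( ... ) is a capture
    const isNamed = source[i + 2] === "<" && source[i + 3] !== "=" && source[i + 3] !== "!";
    if (isNamed) count++;                                  // (?<name>...) captures; lookbehinds do not
  }
  return count;
}

// Compile a pattern and run it once, classifying the outcome instead of letting
// the exception propagate. SyntaxError and RangeError are the engine refusing
// the pattern gracefully; any other exception type is re-thrown as a real bug.
function compileStressPattern(source, flags = "", input = "a") {
  try {
    const re = new RegExp(source, flags);
    re.exec(input);
    return { status: "ok", error: null };
  } catch (e) {
    if (e instanceof SyntaxError || e instanceof RangeError) {
      return { status: "rejected", error: e.name };
    }
    throw e;
  }
}

// Pattern generators shaped after the commit's test names (constructed here, not
// copied from the tests). `n` scales the stressed dimension.
const generators = {
  alternativeHeavy: (n) => Array.from({ length: n }, (_, i) => "k" + i).join("|"),
  deepNested:       (n) => "(?:".repeat(n) + "a" + ")".repeat(n),
  manyCaptures:     (n) => "()".repeat(n) + "a",
  lookaheadHeavy:   (n) => "(?=a)".repeat(n) + "a",
  combinedLarge:    (n) => "(".repeat(n) + "a|b" + ")".repeat(n) + "(?=a)".repeat(n),
};

// Run the selected generators at the given size and return { name: status }.
// A pattern whose capture count already exceeds the assumed cap is marked
// "pre-rejected" and never handed to the engine.
function stressReport(size, names = Object.keys(generators)) {
  const report = {};
  for (const name of names) {
    const source = generators[name](size);
    report[name] = countCaptures(source) > ASSUMED_CAPTURE_LIMIT
      ? "pre-rejected"
      : compileStressPattern(source).status;
  }
  return report;
}

console.log(stressReport(1000));
console.log(stressReport(1 << 17, ["manyCaptures"]));
console.log(compileStressPattern("()".repeat(1 << 17)));
```

At moderate sizes every shape compiles; at 1 << 17 captures the pre-flight refuses the pattern, and feeding the same pattern straight to a V8-based engine yields a "rejected" status from a thrown SyntaxError. The point of the classification is the one the commit makes: an excessive pattern must surface as a catchable error, not as an engine crash or an unbounded JIT buffer.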