Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1c2510c51bca8fefd22f5f3eef3579c9e26bb211
      https://github.com/WebKit/WebKit/commit/1c2510c51bca8fefd22f5f3eef3579c9e26bb211
  Author: Michael Saboff <msab...@apple.com>
  Date:   2023-05-23 (Tue, 23 May 2023)

  Changed paths:
    A JSTests/stress/regexp-duplicate-named-captures-interpreter.js
    M JSTests/stress/regexp-duplicate-named-captures.js
    M Source/JavaScriptCore/yarr/YarrInterpreter.cpp

  Log Message:
  -----------
  [JSC] WTF::CrashOnOverflow::crash() with ''.search('(?<A>)|(?<A>)*\\k<A>');
https://bugs.webkit.org/show_bug.cgi?id=257180
rdar://109356634

Reviewed by Alexey Shvayka.

Updated the generic RegExp SubPattern byte code generation to add the duplicate named group ID to the
ByteTerm::Type::ParenthesesSubpattern only since we don't create a matching ParenthesesSubpatternEnd
byte term.

Also added code in recordParenthesesMatch() to set the subpatternId for the duplicate named group when
one of its subpatterns matches.

Added two new tests and since this only happened in the Yarr Interpreter, I created a test wrapper
that calls stress/regexp-duplicate-named-captures.js with the RegExp JIT turned off.

* JSTests/stress/regexp-duplicate-named-captures-interpreter.js: Added.
* JSTests/stress/regexp-duplicate-named-captures.js:
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::recordParenthesesMatch):
(JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):

Canonical link: https://commits.webkit.org/264441@main

