Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7c8c020f78cee3786a371746d985d79b0750134b
https://github.com/WebKit/WebKit/commit/7c8c020f78cee3786a371746d985d79b0750134b
  Author: Yusuke Suzuki <[email protected]>
  Date:   2026-04-22 (Wed, 22 Apr 2026)

  Changed paths:
    A JSTests/stress/regexp-jit-sibling-alt-frame-slot-collision.js
    M Source/JavaScriptCore/yarr/YarrPattern.cpp

  Log Message:
  -----------
  [YARR] Fix YarrJIT SIGBUS from sibling-alt frame slot aliasing
https://bugs.webkit.org/show_bug.cgi?id=312976
rdar://175322483

Reviewed by Sosuke Suzuki.

In /(a*(|)|()*)*b/.exec("aa"), sibling alternatives of a nested
disjunction share a starting frame offset. But
clearParenContextHeadSlotsInRange clears parenContextHeadIndex slots
regardless of whether they are used differently in the different alternatives.

Let's make things much simpler. This patch stops sharing frame slots
between multiple alternatives and just monotonically increases the
slots. This is simply bound by the pattern, and it assigns unique frame
slots throughout the pattern, which makes a lot of handling simpler, in
particular when using ParenContext.

Test: JSTests/stress/regexp-jit-sibling-alt-frame-slot-collision.js

* JSTests/stress/regexp-jit-sibling-alt-frame-slot-collision.js: Added.
(shouldBe):
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

Canonical link: https://commits.webkit.org/311786@main
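An added stress-style regression check for the pattern quoted in the commit message (this is not the JSTests file the commit adds, and shouldBe here is just the usual JSC stress-test convention). The iteration count is an assumption chosen to push the regexp into the JIT tier under jsc; under other engines the script simply checks that the match result stays identical across runs.

```javascript
// Pattern from the commit message; the crash was in YarrJIT's handling of
// sibling alternatives inside the nested disjunction.
const PATTERN_SOURCE = "(a*(|)|()*)*b";
const ITERATIONS = 10000; // assumption: enough iterations to reach the JIT tier in jsc

// JSC stress-test convention: throw if actual !== expected.
function shouldBe(actual, expected) {
    if (actual !== expected)
        throw new Error(`bad value: ${actual}, expected ${expected}`);
}

// Serialise an exec() result so two runs can be compared exactly.
// Captures may be undefined, which JSON.stringify on the array would mangle.
function describe(match) {
    if (match === null)
        return "null";
    return Array.from(match, (g) => (g === undefined ? "undefined" : JSON.stringify(g))).join(",");
}

// Run the same regexp many times on the same input. A miscompiled match
// (or, before this fix, a SIGBUS) shows up as a crash or a changed result.
function stressExec(source, input, iterations = ITERATIONS) {
    const re = new RegExp(source); // non-global, so exec() is stateless
    const baseline = describe(re.exec(input));
    for (let i = 0; i < iterations; ++i)
        shouldBe(describe(re.exec(input)), baseline);
    return baseline;
}

// Constructed inputs: the one from the commit message plus two that match.
function runAll() {
    return {
        aa: stressExec(PATTERN_SOURCE, "aa"),   // no "b" anywhere: must not match
        aab: stressExec(PATTERN_SOURCE, "aab"), // outer group consumes "aa", then "b"
        b: stressExec(PATTERN_SOURCE, "b"),     // outer group matches zero iterations
    };
}

runAll();
```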
