Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1088aa8bd9981b871a451fa77b336383025ab347
https://github.com/WebKit/WebKit/commit/1088aa8bd9981b871a451fa77b336383025ab347
Author: Sosuke Suzuki <[email protected]>
Date: 2026-04-24 (Fri, 24 Apr 2026)
Changed paths:
A JSTests/stress/regexp-v-flag-dangling-hyphen.js
M Source/JavaScriptCore/yarr/YarrParser.h
Log Message:
-----------
[YARR] Reject dangling hyphen in class set under `/v` flag
https://bugs.webkit.org/show_bug.cgi?id=312948
Reviewed by Yusuke Suzuki.
In UnicodeSets mode (/v), '-' is a ClassSetSyntaxCharacter and is only
legal between two ClassSetCharacters as part of a ClassSetRange. A bare
or trailing '-' with no right-hand side (e.g. /[a-]/v, /[\d-]/v) must be
rejected, but JSC was incorrectly accepting them by emitting both the
cached character and a literal '-'.
This patch makes ClassSetParserDelegate raise InvalidClassSetCharacter
in flushCachedCharacterIfNeeded() and end() when CachedCharacterHyphen
or AfterCharacterClassHyphen state is reached, since both represent an
incomplete ClassSetRange.
Test: JSTests/stress/regexp-v-flag-dangling-hyphen.js
* JSTests/stress/regexp-v-flag-dangling-hyphen.js: Added.
(shouldThrowSyntaxError):
(shouldNotThrow):
* Source/JavaScriptCore/yarr/YarrParser.h:
(JSC::Yarr::Parser::ClassSetParserDelegate::flushCachedCharacterIfNeeded):
(JSC::Yarr::Parser::ClassSetParserDelegate::end):
Canonical link: https://commits.webkit.org/311999@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
