[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
msaboff at apple.com
msaboff at apple.com
Sun Feb 20 23:08:32 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit b1155bd15e738a08ebeb9f01d785431647bb3400
Author: msaboff at apple.com <msaboff at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Jan 18 02:10:15 2011 +0000
2011-01-17 Michael Saboff <msaboff at apple.com>
Reviewed by Oliver Hunt.
[regexfuzz] Crash running regex with lookahead
https://bugs.webkit.org/show_bug.cgi?id=52548
Eliminated aggressive chaining of backtracks. This code was overwriting
already valid backtrack information.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::ParenthesesTail::processBacktracks):
2011-01-17 Michael Saboff <msaboff at apple.com>
Reviewed by Oliver Hunt.
[regexfuzz] Crash running regex with lookahead
https://bugs.webkit.org/show_bug.cgi?id=52548
New tests from regex fuzzer.
* fast/regex/parentheses-expected.txt:
* fast/regex/script-tests/parentheses.js:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75991 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 60ab48f..f1ac70e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2011-01-17 Michael Saboff <msaboff at apple.com>
+
+ Reviewed by Oliver Hunt.
+
+ [regexfuzz] Crash running regex with lookahead
+ https://bugs.webkit.org/show_bug.cgi?id=52548
+
+ New tests from regex fuzzer.
+
+ * fast/regex/parentheses-expected.txt:
+ * fast/regex/script-tests/parentheses.js:
+
2011-01-17 Dmitry Titov <dimich at chromium.org>
[Chromium] Not reviewed, test expectations update.
diff --git a/LayoutTests/fast/regex/parentheses-expected.txt b/LayoutTests/fast/regex/parentheses-expected.txt
index c086d36..6ec0df4 100644
--- a/LayoutTests/fast/regex/parentheses-expected.txt
+++ b/LayoutTests/fast/regex/parentheses-expected.txt
@@ -58,6 +58,16 @@ PASS regexp38.exec('xx') is ['xx','xx','xx']
PASS regexp38.exec('b') is ['b','b',undefined]
PASS regexp38.exec('z') is ['z','z',undefined]
PASS regexp38.exec('') is ['','',undefined]
+PASS regexp39.exec('') is ['',undefined,undefined]
+PASS regexp39.exec('8') is ['8','8',undefined]
+PASS regexp39.exec('zP') is ['',undefined,undefined]
+PASS regexp40.exec('') is ['',undefined,undefined,undefined,'']
+PASS regexp40.exec('8') is ['8','8','8',undefined,'']
+PASS regexp40.exec('zPz') is ['',undefined,undefined,undefined,'']
+PASS regexp40.exec('zPPz') is ['',undefined,undefined,undefined,'']
+PASS regexp40.exec('zPPPz') is ['',undefined,undefined,undefined,'']
+PASS regexp40.exec('zPPPPz') is ['',undefined,undefined,undefined,'']
+PASS /(?!(?=r{0}){2,})|((z)?)?/gi.test('') is true
PASS 'Hi Bob'.match(/(Rob)|(Bob)|(Robert)|(Bobby)/) is ['Bob',undefined,'Bob',undefined,undefined]
PASS successfullyParsed is true
diff --git a/LayoutTests/fast/regex/script-tests/parentheses.js b/LayoutTests/fast/regex/script-tests/parentheses.js
index ea4fff3..3b98b49 100644
--- a/LayoutTests/fast/regex/script-tests/parentheses.js
+++ b/LayoutTests/fast/regex/script-tests/parentheses.js
@@ -170,6 +170,21 @@ shouldBe("regexp38.exec('b')", "['b','b',undefined]");
shouldBe("regexp38.exec('z')", "['z','z',undefined]");
shouldBe("regexp38.exec('')", "['','',undefined]");
+var regexp39 = /(8|((?=P)))?/;
+shouldBe("regexp39.exec('')", "['',undefined,undefined]");
+shouldBe("regexp39.exec('8')", "['8','8',undefined]");
+shouldBe("regexp39.exec('zP')", "['',undefined,undefined]");
+
+var regexp40 = /((8)|((?=P){4}))?()/;
+shouldBe("regexp40.exec('')", "['',undefined,undefined,undefined,'']");
+shouldBe("regexp40.exec('8')", "['8','8','8',undefined,'']");
+shouldBe("regexp40.exec('zPz')", "['',undefined,undefined,undefined,'']");
+shouldBe("regexp40.exec('zPPz')", "['',undefined,undefined,undefined,'']");
+shouldBe("regexp40.exec('zPPPz')", "['',undefined,undefined,undefined,'']");
+shouldBe("regexp40.exec('zPPPPz')", "['',undefined,undefined,undefined,'']");
+
+shouldBeTrue("/(?!(?=r{0}){2,})|((z)?)?/gi.test('')");
+
shouldBe("'Hi Bob'.match(/(Rob)|(Bob)|(Robert)|(Bobby)/)", "['Bob',undefined,'Bob',undefined,undefined]");
var successfullyParsed = true;
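Review bot: None of the new `regexp39`/`regexp40` inputs has `P` at index 0, so the `(?=P)` alternative never succeeds in these cases and the tests only cover the path where the lookahead fails and the optional group is skipped. Since the crash came from overwritten backtrack information in the JIT, it would help to add an input where the lookahead matches and the group then has to backtrack, for example `shouldBe("regexp39.exec('P')", "['',undefined,undefined]");` and a `regexp40.exec('PPPPz')` case. The expected arrays should be confirmed against the interpreter before landing; I am inferring them from the rule that an empty iteration of an optional group is rejected. Matching `PASS` lines would also be needed in `parentheses-expected.txt`.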
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index d79c782..fdc1b89 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2011-01-17 Michael Saboff <msaboff at apple.com>
+
+ Reviewed by Oliver Hunt.
+
+ [regexfuzz] Crash running regex with lookahead
+ https://bugs.webkit.org/show_bug.cgi?id=52548
+
+ Eliminated agressive chaining of backtracks. This code was overwriting
+ already valid backtrack information.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::ParenthesesTail::processBacktracks):
+
2011-01-17 Tony Gentilcore <tonyg at chromium.org>
Reviewed by Alexey Proskuryakov.
diff --git a/Source/JavaScriptCore/yarr/YarrJIT.cpp b/Source/JavaScriptCore/yarr/YarrJIT.cpp
index 2556531..ae59cba 100644
--- a/Source/JavaScriptCore/yarr/YarrJIT.cpp
+++ b/Source/JavaScriptCore/yarr/YarrJIT.cpp
@@ -981,12 +981,6 @@ class YarrGenerator : private MacroAssembler {
m_linkedBacktrack->linkToNextBacktrack(followonBacktrack);
}
- void chainBacktrackJumps(JumpList* jumpList)
- {
- if (m_linkedBacktrack && !(m_linkedBacktrack->hasDestination()))
- m_linkedBacktrack->setBacktrackJumpList(jumpList);
- }
-
BacktrackDestination& getBacktrackDestination()
{
return m_backtrack;
@@ -1050,8 +1044,6 @@ class YarrGenerator : private MacroAssembler {
stateBacktrack.setBacktrackJumpList(&m_pattBacktrackJumps);
stateBacktrack.setBacktrackSourceLabel(&m_backtrackFromAfterParens);
}
-
- parenthesesState.chainBacktrackJumps(&m_pattBacktrackJumps);
}
void setNextIteration(Label nextIteration)
--
WebKit Debian packaging