[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
msaboff at apple.com
msaboff at apple.com
Sun Feb 20 23:28:12 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit 633f239bbc07677cf01f6c4412120e758f84ed30
Author: msaboff at apple.com <msaboff at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Jan 20 21:31:21 2011 +0000
2011-01-20 Michael Saboff <msaboff at apple.com>
Reviewed by Oliver Hunt.
<rdar://problem/8890203> [RegexFuzz] Crash in generated code (52773)
https://bugs.webkit.org/show_bug.cgi?id=52773
Fixed case where an existing DataLabelPtr is overwritten. The
replacing DataLabelPtr is now resolved immediately in
linkDataLabelToBacktrackIfExists(). Cleanup - eliminated bool
return value for the routine as it was never used.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::TermGenerationState::linkDataLabelToBacktrackIfExists):
2011-01-20 Michael Saboff <msaboff at apple.com>
Reviewed by Oliver Hunt.
<rdar://problem/8890203> [RegexFuzz] Crash in generated code (52773)
https://bugs.webkit.org/show_bug.cgi?id=52773
New test to validate fix.
* fast/regex/parentheses-expected.txt:
* fast/regex/script-tests/parentheses.js:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76275 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index a562a16..302fb8d 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2011-01-20 Michael Saboff <msaboff at apple.com>
+
+ Reviewed by Oliver Hunt.
+
+ <rdar://problem/8890203> [RegexFuzz] Crash in generated code (52773)
+ https://bugs.webkit.org/show_bug.cgi?id=52773
+
+ New test to validate fix.
+
+ * fast/regex/parentheses-expected.txt:
+ * fast/regex/script-tests/parentheses.js:
+
2011-01-20 Dirk Schulze <krit at webkit.org>
Reviewed by Rob Buis.
diff --git a/LayoutTests/fast/regex/parentheses-expected.txt b/LayoutTests/fast/regex/parentheses-expected.txt
index 0f6a391..33672e9 100644
--- a/LayoutTests/fast/regex/parentheses-expected.txt
+++ b/LayoutTests/fast/regex/parentheses-expected.txt
@@ -74,6 +74,7 @@ PASS regexp42.exec('4321') is ['4','4','4']
PASS /(?!(?=r{0}){2,})|((z)?)?/gi.test('') is true
PASS regexp43.exec('SSS') is ['']
PASS regexp44.exec('SSS') is ['',undefined]
+PASS regexp45.exec('vt') is null
PASS 'Hi Bob'.match(/(Rob)|(Bob)|(Robert)|(Bobby)/) is ['Bob',undefined,'Bob',undefined,undefined]
PASS successfullyParsed is true
diff --git a/LayoutTests/fast/regex/script-tests/parentheses.js b/LayoutTests/fast/regex/script-tests/parentheses.js
index 9031dec..1b11941 100644
--- a/LayoutTests/fast/regex/script-tests/parentheses.js
+++ b/LayoutTests/fast/regex/script-tests/parentheses.js
@@ -199,6 +199,9 @@ shouldBe("regexp43.exec('SSS')", "['']");
var regexp44 = /(?!(?:\3+(s+?)))/gy;
shouldBe("regexp44.exec('SSS')", "['',undefined]");
+var regexp45 = /((?!(?:|)v{2,}|))/;
+shouldBeNull("regexp45.exec('vt')");
+
shouldBe("'Hi Bob'.match(/(Rob)|(Bob)|(Robert)|(Bobby)/)", "['Bob',undefined,'Bob',undefined,undefined]");
var successfullyParsed = true;
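Review bot: The new `regexp45` at the start of the added lines carries no reference to the defect it guards against, and a fuzzer-derived pattern like `/((?!(?:|)v{2,}|))/` cannot be read for intent later. A one-line comment above the declaration would keep the regression traceable, e.g. `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=52773 (crash in JIT-generated code).` The expected result is already pinned by the `shouldBeNull` call, so no further change is needed.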
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 2cc19fe..d637790 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2011-01-20 Michael Saboff <msaboff at apple.com>
+
+ Reviewed by Oliver Hunt.
+
+ <rdar://problem/8890203> [RegexFuzz] Crash in generated code (52773)
+ https://bugs.webkit.org/show_bug.cgi?id=52773
+
+ Fixed case where an existing DataLabelPtr is overwritten. The
+ replacing DataLabelPtr is now resolved immediately in
+ linkDataLabelToBacktrackIfExists(). Cleanup - eliminated bool
+ return value for the routine as it was never used.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::TermGenerationState::linkDataLabelToBacktrackIfExists):
+
2011-01-20 Andras Becsi <abecsi at webkit.org>
Reviewed by Csaba Osztrogonác.
diff --git a/Source/JavaScriptCore/yarr/YarrJIT.cpp b/Source/JavaScriptCore/yarr/YarrJIT.cpp
index 34a6017..38430c8 100644
--- a/Source/JavaScriptCore/yarr/YarrJIT.cpp
+++ b/Source/JavaScriptCore/yarr/YarrJIT.cpp
@@ -639,8 +639,10 @@ class YarrGenerator : private MacroAssembler {
if (m_subDataLabelPtr) {
*m_subDataLabelPtr = dp;
m_subDataLabelPtr = 0;
- } else
+ } else {
+ ASSERT(!hasDataLabel());
m_dataLabelPtr = dp;
+ }
}
void clearSubDataLabelPtr()
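Review bot: The new `ASSERT(!hasDataLabel())` in the else branch only exists in debug builds, so in a release build an overwrite of a pending m_dataLabelPtr would still happen silently, which is the failure mode this commit is fixing. A comment stating the invariant and who upholds it would help the next maintainer, e.g. `// A pending data label must be resolved before another is assigned; callers such as linkDataLabelToBacktrackIfExists() are responsible for this.` The enclosing function's signature lies outside the hunk.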
@@ -930,24 +932,19 @@ class YarrGenerator : private MacroAssembler {
return m_backtrack.plantJumpToBacktrackIfExists(generator);
}
- bool linkDataLabelToBacktrackIfExists(YarrGenerator* generator, DataLabelPtr dataLabel)
+ void linkDataLabelToBacktrackIfExists(YarrGenerator* generator, DataLabelPtr dataLabel)
{
// If we have a stack offset backtrack destination, use it directly
if (m_backtrack.isStackOffset()) {
generator->m_expressionState.addIndirectJumpEntry(m_backtrack.getStackOffset(), dataLabel);
m_backtrack.clearSubDataLabelPtr();
} else {
- // Otherwise set the data label (which may be linked)
- setBacktrackDataLabel(dataLabel);
-
- if ((m_backtrack.isLabel()) && (m_backtrack.hasDataLabel())) {
- generator->m_expressionState.m_backtrackRecords.append(AlternativeBacktrackRecord(m_backtrack.getDataLabel(), m_backtrack.getLabel()));
- m_backtrack.clearDataLabel();
- return true;
- }
+ // If we have a backtrack label, connect the datalabel to it directly.
+ if (m_backtrack.isLabel())
+ generator->m_expressionState.m_backtrackRecords.append(AlternativeBacktrackRecord(dataLabel, m_backtrack.getLabel()));
+ else
+ setBacktrackDataLabel(dataLabel);
}
-
- return false;
}
void addBacktrackJump(Jump jump)
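Review bot: The isLabel() branch no longer passes through setBacktrackDataLabel(), so a pending m_subDataLabelPtr is neither filled nor cleared on that path, whereas the old code resolved it first and the stack-offset branch above still calls `m_backtrack.clearSubDataLabelPtr()`. If a sub data label pointer can be pending while the backtrack is a label (not determinable from this hunk), a stale pointer would survive the append; if it cannot, that assumption deserves to be stated. Consider either adding `m_backtrack.clearSubDataLabelPtr();` after the `m_backtrackRecords.append(...)` line or an assertion in that branch that no sub data label pointer is pending, plus a comment such as `// Label backtracks never carry a pending sub data label pointer.`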
--