Bug 147023 - RegExp::match() should set m_state to ByteCode if compilation fails.
Summary: RegExp::match() should set m_state to ByteCode if compilation fails.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2015-07-16 16:02 PDT by Mark Lam
Modified: 2015-07-16 19:30 PDT
CC: 8 users

See Also:


Attachments
the fix. (3.36 KB, patch)
2015-07-16 16:13 PDT, Mark Lam
msaboff: review+

Description Mark Lam 2015-07-16 16:02:00 PDT
A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.  If one of these compilations succeeds, RegExp::m_state will be set to JITCode.  Subsequently, if RegExp tries to compile another one of these but fails, m_state will be left untouched, i.e., it still says JITCode.  As a result, when RegExp::match() later tries to execute the non-existent compiled code, it will crash.  The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.

This failure should be rare.  We'll do the minimal work here to fix the issue and keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
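The state-machine failure described above, as an added illustration that is not WebKit's code and not the patch attached to this bug: a hypothetical ModelRegExp with four code slots standing in for the YarrCodeBlock's four MacroAssemblerCodeRefs, a per-slot flag (constructed here) that makes the "JIT" fail on demand, and a switch selecting the pre-fix behaviour (state left untouched on failure) or the post-fix behaviour (state downgraded to ByteCode). The names jitMatchAB, interpretMatchAB, runScenario and interpreterCallsAfterDowngrade are assumptions for this example; the "crash" is modelled as a sentinel return instead of calling a null code pointer.

```cpp
// Added illustration (not WebKit code): a minimal model of the m_state bug.
#include <array>
#include <cstddef>
#include <string>

enum class RegExpState { NotCompiled, ByteCode, JITCode };

// Four compiled-code slots, standing in for the YarrCodeBlock's four
// MacroAssemblerCodeRefs (match / matchOnly x 8-bit / 16-bit subjects).
enum Slot { Match8 = 0, Match16 = 1, MatchOnly8 = 2, MatchOnly16 = 3 };

using CompiledFn = int (*)(const std::string&);

// Stand-in "JIT'd" entry point: a regex that matches the prefix "ab".
static int jitMatchAB(const std::string& s) { return s.rfind("ab", 0) == 0 ? 0 : -1; }

// Interpreter (bytecode) fallback with the same semantics.
static int interpretMatchAB(const std::string& s) { return s.rfind("ab", 0) == 0 ? 0 : -1; }

struct ModelRegExp {
    RegExpState state = RegExpState::NotCompiled;
    std::array<CompiledFn, 4> code{};        // all null until a slot is compiled
    std::array<bool, 4> compilerWillFail{};  // constructed: force JIT failure per slot
    bool downgradeOnFailure;                 // true == behaviour after the fix
    int interpreterCalls = 0;                // how often we fell back to bytecode

    explicit ModelRegExp(bool fixed) : downgradeOnFailure(fixed) {}

    void compileIfNecessary(Slot slot) {
        if (code[slot]) return;              // already compiled
        if (!compilerWillFail[slot]) {
            code[slot] = jitMatchAB;
            state = RegExpState::JITCode;    // one success marks the whole RegExp as JITCode
        } else if (downgradeOnFailure) {
            state = RegExpState::ByteCode;   // the fix: never claim JIT code we do not have
        }
        // Pre-fix: a failed compile leaves state untouched, so it may still say JITCode.
    }

    // Returns the match offset, -1 for no match, or -2 standing in for the crash
    // (the real engine would jump through a null MacroAssemblerCodeRef).
    int match(Slot slot, const std::string& subject) {
        compileIfNecessary(slot);
        if (state == RegExpState::JITCode) {
            if (!code[slot]) return -2;
            return code[slot](subject);
        }
        ++interpreterCalls;
        return interpretMatchAB(subject);
    }
};

// Compile one slot successfully, then fail on a second slot and match through it.
int runScenario(bool fixed) {
    ModelRegExp re(fixed);
    re.compilerWillFail[Match16] = true;
    (void)re.match(Match8, "abc");    // succeeds: state becomes JITCode
    return re.match(Match16, "abc");  // second compilation fails
}

// After the downgrade, even the slot that did compile is now run by the interpreter;
// this is the perf cost the description says to watch on the bots.
int interpreterCallsAfterDowngrade() {
    ModelRegExp re(true);
    re.compilerWillFail[Match16] = true;
    (void)re.match(Match8, "abc");    // JIT
    (void)re.match(Match16, "abc");   // fails, downgrade -> interpreter
    (void)re.match(Match8, "abc");    // interpreter, although code[Match8] exists
    return re.interpreterCalls;
}
```

runScenario(false) reproduces the pre-fix path (sentinel -2, a null code call in the real engine) and runScenario(true) the post-fix path (a normal match via the interpreter); interpreterCallsAfterDowngrade() shows why a downgrade is correct but not free.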
Comment 1 Mark Lam 2015-07-16 16:03:23 PDT
<rdar://problem/21764196>
Comment 2 Mark Lam 2015-07-16 16:13:28 PDT
Created attachment 256937 [details]
the fix.
Comment 3 Michael Saboff 2015-07-16 16:24:26 PDT
Comment on attachment 256937 [details]
the fix.

r=me
Comment 4 Mark Lam 2015-07-16 19:30:32 PDT
I've run the jsc and layout tests and did not see any regressions.

Landed in r186920: <http://trac.webkit.org/r186920>.