RESOLVED FIXED 147023
RegExp::match() should set m_state to ByteCode if compilation fails. 
https://bugs.webkit.org/show_bug.cgi?id=147023
Summary RegExp::match() should set m_state to ByteCode if compilation fails.
Mark Lam
Reported 2015-07-16 16:02:00 PDT
A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code. If one of these compilations succeeds, RegExp::m_state will be set to JITCode. Subsequently, if RegExp tries to compile another one of these but fails, m_state will be left untouched i.e. it still says JITCode. As a result, when RegExp::match() later tries to execute the non-existant compiled code, it will crash. The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile. This failure should be rare. We'll do the minimal work here to fix the issue and keep an eye on the perf bots. If perf regresses, we can do some optimization work then.
Attachments
the fix. (3.36 KB, patch)
2015-07-16 16:13 PDT, Mark Lam 		msaboff: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2015-07-16 16:03:23 PDT
<rdar://problem/21764196>
Mark Lam
Comment 2 2015-07-16 16:13:28 PDT
Created attachment 256937 [details] the fix.
Michael Saboff
Comment 3 2015-07-16 16:24:26 PDT
Comment on attachment 256937 [details] the fix. r=me
Mark Lam
Comment 4 2015-07-16 19:30:32 PDT
I've run the jsc and layout tests and did not see any regressions. Landed in r186920: <http://trac.webkit.org/r186920>.
Note You need to log in before you can comment on or make changes to this bug.