RESOLVED FIXED 159233
REGRESSION (r200946): Improper backtracking from last alternative in sticky patterns 
https://bugs.webkit.org/show_bug.cgi?id=159233
Summary REGRESSION (r200946): Improper backtracking from last alternative in sticky p...
Michael Saboff
Reported 2016-06-28 16:03:33 PDT
Various sticky patterns fail in unexpected ways when the last alternative doesn't match. It seems that we retry with an index that isn't correct. This manifests itself in a couple different ways. The expression 's = ”\n”.split(/.{2}|(?=$)./ym)' will crash in JIT'ed code, while the expression 'let m = ".a".match(/x(.)|[-\d]/gy")' will ASSERT in debug builds: #0 0x106b8ccb8 in WTFCrash (JavaScriptCore+0x2a87cb8) #1 0x1066e889a in JSC::JSRopeString::finishCreationSubstringOfResolved(JSC::VM&, JSC::JSString*, unsigned int, unsigned int) (JavaScriptCore+0x25e389a) #2 0x1066e8176 in JSC::JSRopeString::createSubstringOfResolved(JSC::VM&, JSC::JSString*, unsigned int, unsigned int) (JavaScriptCore+0x25e3176) #3 0x1066fa423 in JSC::JSValue JSC::collectMatches<JSC::RegExpObject::matchGlobal(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*)::$_1>(JSC::VM&, JSC::ExecState*, JSC::JSString*, WTF::String const&, JSC::RegExpConstructor*, JSC::RegExp*, JSC::RegExpObject::matchGlobal(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*)::$_1 const&)::'lambda'()::operator()() const (JavaScriptCore+0x25f5423) #4 0x1066f89b3 in JSC::JSValue JSC::collectMatches<JSC::RegExpObject::matchGlobal(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*)::$_1>(JSC::VM&, JSC::ExecState*, JSC::JSString*, WTF::String const&, JSC::RegExpConstructor*, JSC::RegExp*, JSC::RegExpObject::matchGlobal(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*)::$_1 const&) (JavaScriptCore+0x25f39b3) #5 0x1066f6c90 in JSC::RegExpObject::matchGlobal(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSString*) (JavaScriptCore+0x25f1c90)
Attachments
Patch (3.11 KB, patch)
2016-06-28 16:24 PDT, Michael Saboff 		mark.lam: review+
DetailsFormatted DiffDiff
With style fixes and updated tests (5.84 KB, patch)
2016-06-28 16:32 PDT, Michael Saboff 		mark.lam: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2016-06-28 16:04:12 PDT
<rdar://problem/27008975> <rdar://problem/27018880>
Michael Saboff
Comment 2 2016-06-28 16:24:44 PDT
Created attachment 282295 [details] Patch
WebKit Commit Bot
Comment 3 2016-06-28 16:26:27 PDT
Attachment 282295 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/yarr/YarrJIT.cpp:1848: Multi line control clauses should use braces. [whitespace/braces] [4] ERROR: Source/JavaScriptCore/yarr/YarrJIT.cpp:1851: Missing space before { [whitespace/braces] [5] Total errors found: 2 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style.
Mark Lam
Comment 4 2016-06-28 16:28:09 PDT
Comment on attachment 282295 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=282295&action=review Got tests? > Source/JavaScriptCore/yarr/YarrJIT.cpp:1851 > + else if (m_pattern.sticky() && m_ops[op.m_nextOp].m_op == OpBodyAlternativeEnd) > + // It is a sticky pattern and the last alternative failed, jump to the end. > + m_backtrackingState.takeBacktracksToJumpList(lastStickyAlternativeFailures, this); > + else{ Please fix style errors.
Michael Saboff
Comment 5 2016-06-28 16:32:40 PDT
Created attachment 282297 [details] With style fixes and updated tests
Mark Lam
Comment 6 2016-06-28 16:34:13 PDT
Comment on attachment 282297 [details] With style fixes and updated tests r=me
Michael Saboff
Comment 7 2016-06-28 17:39:18 PDT
Committed r202597: <http://trac.webkit.org/changeset/202597>
Note You need to log in before you can comment on or make changes to this bug.