Both the YARR interpreter and the JIT use a mixture of unsigned and int offsets when referencing or generating code to reference subject strings. Usually this works out due to 2's complement math, however there have been bugs reported where we underflow / overflow counts, reference out of bounds memory, or trying to generate code to do the same. Instead we should make the YARR code "unsigned" clean for all references to subject strings. This bug is in response to two radars: <rdar://problem/27084358> ASSERTION FAILED: (&term - term.atom.parenthesesWidth)->inputPosition == term.inputPosition <rdar://problem/27171689> REGRESSION (r197869): CrashOnOverflow in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::generateCharacterClassFixed The first is an issue in the YARR interpreter and the second in the YARR JIT.
Created attachment 283587 [details] Patch
Comment on attachment 283587 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283587&action=review rs=me. Let's hope we our test coverage will catch any missing case. > Source/JavaScriptCore/yarr/YarrJIT.cpp:2660 > + , m_checkedOffset(0) You don't need to initialized Checked. If you want to do it anyway to make the initial value explicit, it would be better to have in at declaration with the C++11 syntax.
Committed r203206: <http://trac.webkit.org/changeset/203206>
*** Bug 107898 has been marked as a duplicate of this bug. ***