175903 – REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137

Bug 175903 - REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137

Summary: REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	Other
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2017-08-23 13:26 PDT by Michael Saboff
Modified:	2017-08-23 15:24 PDT (History)
CC List:	6 users (show)

See Also:

Attachments
Patch (5.22 KB, patch) 2017-08-23 14:04 PDT, Michael Saboff	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Saboff 2017-08-23 13:26:23 PDT

Crashing in code generated by generateCharacterClassGreedy() with something like "a\u{10410}\u{10410}b".match(/a(\u{10410}*)bc|a(\u{10410}*)b/ui).

Looks like we increment "count" before checking is we are at the end of the string.

Comment 1 Michael Saboff 2017-08-23 13:26:46 PDT

<rdar://problem/34035972>

Comment 2 Michael Saboff 2017-08-23 14:04:48 PDT

Created attachment 318914 [details]
Patch

Comment 3 Saam Barati 2017-08-23 14:55:03 PDT

Comment on attachment 318914 [details]
Patch

r=me

Comment 4 WebKit Commit Bot 2017-08-23 15:24:34 PDT

Comment on attachment 318914 [details]
Patch

Clearing flags on attachment: 318914

Committed r221111: <http://trac.webkit.org/changeset/221111>

Comment 5 WebKit Commit Bot 2017-08-23 15:24:35 PDT

All reviewed patches have been landed.  Closing bug.