175903 – REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137

RESOLVED FIXED 175903

REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137

https://bugs.webkit.org/show_bug.cgi?id=175903

Summary REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC...

Michael Saboff

Reported 2017-08-23 13:26:23 PDT

Crashing in code generated by generateCharacterClassGreedy() with something like "a\u{10410}\u{10410}b".match(/a(\u{10410}*)bc|a(\u{10410}*)b/ui). Looks like we increment "count" before checking is we are at the end of the string.

Attachments
Patch (5.22 KB, patch) 2017-08-23 14:04 PDT, Michael Saboff	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2017-08-23 13:26:46 PDT

<rdar://problem/34035972>

Michael Saboff

Comment 2 2017-08-23 14:04:48 PDT

Created attachment 318914 [details] Patch

Saam Barati

Comment 3 2017-08-23 14:55:03 PDT

Comment on attachment 318914 [details] Patch r=me

WebKit Commit Bot

Comment 4 2017-08-23 15:24:34 PDT

Comment on attachment 318914 [details] Patch Clearing flags on attachment: 318914 Committed r221111: <http://trac.webkit.org/changeset/221111>

WebKit Commit Bot

Comment 5 2017-08-23 15:24:35 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Michael Saboff

Reported

2017-08-23 13:26 PDT

Modified

2017-08-23 15:24 PDT History

CC List

6 users Show

URL

Keywords InRadar

Depends on

Blocks