Bug 180761 - REGRESSION (r225695): Repro crash on yahoo login page
Summary: REGRESSION (r225695): Repro crash on yahoo login page
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-12-13 11:26 PST by Michael Saboff
Modified: 2017-12-14 14:16 PST

See Also:


Attachments
Patch (80.58 KB, patch)
2017-12-14 13:41 PST, Michael Saboff

Description Michael Saboff 2017-12-13 11:26:12 PST
The crashing RegExp is:
  /([-!#$%&'*+\/=?^`{|}~]|\w)(([-!#$%&'*+\/=?^`{|}~]|\w)|(\.([-!#$%&'*+\/=?^`{|}~]|\w)))*@\w(\w|([-.]\w))*\.\w{2,4}/.exec("https://mail.yahoo.com/");

A reduced test case is:
  /(?:(?: |a)|\.a)* a*/.exec("/a.aaa");

The issue is that we are trying to backtrack in a nested alternative after the containing saved parenthesis context has been released.  The backtracking of normal alternatives is done by jumping to an address stored on the stack.  At this point my guess is that we are doing extra backtracking.
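A differential regression check built from the two patterns in the description (an added example, not part of the original report or the WebKit patch). It goes beyond the single reduced input by enumerating every short string over the characters of the reduced case, and compares the nested alternation against a flattened form that tries the same alternatives in the same order; the helper names and the flattened pattern are assumptions made for this example.

```javascript
// Added example; `flat`, `inputs`, `summary` and `divergences` are
// hypothetical names, not identifiers from the WebKit tree.

// Patterns and inputs copied from the bug description.
const original = /([-!#$%&'*+\/=?^`{|}~]|\w)(([-!#$%&'*+\/=?^`{|}~]|\w)|(\.([-!#$%&'*+\/=?^`{|}~]|\w)))*@\w(\w|([-.]\w))*\.\w{2,4}/;
const nested = /(?:(?: |a)|\.a)* a*/;

// Same alternatives in the same order without the nested group, so a
// correct engine must return the same match for every input.
const flat = /(?: |a|\.a)* a*/;

// Enumerate every string over `alphabet` with at most `maxLen` characters.
function* inputs(alphabet, maxLen) {
  let frontier = [""];
  for (let len = 0; len <= maxLen; len++) {
    yield* frontier;
    frontier = frontier.flatMap((s) => alphabet.map((c) => s + c));
  }
}

// Reduce a match to "index:text" or "null" so results compare by value.
function summary(re, input) {
  const m = re.exec(input);
  return m === null ? "null" : `${m.index}:${m[0]}`;
}

// Collect inputs on which the nested and flattened forms disagree.
// A crash inside exec() aborts the run before this returns.
function divergences(maxLen) {
  const bad = [];
  for (const s of inputs([" ", "a", ".", "/"], maxLen)) {
    if (summary(nested, s) !== summary(flat, s)) bad.push(s);
  }
  return bad;
}

console.log("reported input:", summary(original, "https://mail.yahoo.com/"));
console.log("reduced input:", summary(nested, "/a.aaa"));
console.log("divergent inputs:", divergences(6).length);
```

Neither string from the report contains the character its pattern requires (`@` for the original, a space for the reduced case), so both calls must return no match after exhausting all backtracking paths.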
Comment 1 Michael Saboff 2017-12-13 11:26:40 PST
<rdar://problem/35986606>
Comment 2 Michael Saboff 2017-12-14 13:41:56 PST
Created attachment 329393 [details]
Patch
Comment 3 JF Bastien 2017-12-14 13:44:53 PST
Comment on attachment 329393 [details]
Patch

r=me
Comment 4 WebKit Commit Bot 2017-12-14 14:16:42 PST
Comment on attachment 329393 [details]
Patch

Clearing flags on attachment: 329393

Committed r225930: <https://trac.webkit.org/changeset/225930>
Comment 5 WebKit Commit Bot 2017-12-14 14:16:43 PST
All reviewed patches have been landed.  Closing bug.