Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
https://bugs.webkit.org/show_bug.cgi?id=203230
<rdar://problem/56460749>
Reviewed by Robin Morisset.
JSTests:
* stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js: Added.
Source/JavaScriptCore:
operationRegExpExecNonGlobalOrSticky() was asserting no exception when
createRegExpMatchesArray() returns null. createRegExpMatchesArray() only returns
null when RegExp::matchInline() returns -1. RegExp::matchInline() can return -1
either when there's an error, or if the match fails. When there's an error,
RegExp::matchInline() also throws an exception via a throwError() helper.
This patch fixes operationRegExpExecNonGlobalOrSticky() to check for an exception
being thrown, or createRegExpMatchesArray() returning a null array due to a failed
match.
* dfg/DFGOperations.cpp:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@251447 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 7695e57..416ed7a 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2019-10-22 Mark Lam <mark.lam@apple.com>
+
+ Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
+ https://bugs.webkit.org/show_bug.cgi?id=203230
+ <rdar://problem/56460749>
+
+ Reviewed by Robin Morisset.
+
+ * stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js: Added.
+
2019-10-21 Mark Lam <mark.lam@apple.com>
Rolling out r251411: Fix is incorrect.
diff --git a/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js b/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js
new file mode 100644
index 0000000..bd3d04c
--- /dev/null
+++ b/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js
@@ -0,0 +1,26 @@
+//@ runDefault("--alwaysUseShadowChicken=true", "--jitPolicyScale=0", "--useRandomizingFuzzerAgent=1", "--maxPerThreadStackUsage=1572863")
+//@ slow!
+
+class C {
+ constructor(func) {
+ this.func = func;
+ }
+ runTest() {
+ this.func();
+ }
+}
+function recurseAndTest() {
+ try {
+ recurseAndTest();
+ test.runTest();
+ } catch (e) {
+ }
+}
+const howManyParentheses = 1000;
+const deepRE = new RegExp('('.repeat(howManyParentheses) + ')'.repeat(howManyParentheses));
+let test =
+ new C(() => {
+ deepRE.exec('');
+ });
+
+recurseAndTest();
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index d55e44e..979634d 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,23 @@
+2019-10-22 Mark Lam <mark.lam@apple.com>
+
+ Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
+ https://bugs.webkit.org/show_bug.cgi?id=203230
+ <rdar://problem/56460749>
+
+ Reviewed by Robin Morisset.
+
+ operationRegExpExecNonGlobalOrSticky() was asserting no exception when
+ createRegExpMatchesArray() returns null. createRegExpMatchesArray() only returns
+ null when RegExp::matchInline() returns -1. RegExp::matchInline() can return -1
+ either when there's an error, or if the match fails. When there's an error,
+ RegExp::matchInline() also throws an exception via a throwError() helper.
+
+ This patch fixes operationRegExpExecNonGlobalOrSticky() to check for an exception
+ being thrown, or createRegExpMatchesArray() returning a null array due to a failed
+ match.
+
+ * dfg/DFGOperations.cpp:
+
2019-10-22 Adrian Perez de Castro <aperez@igalia.com>
[GTK][WPE] Fix non-unified builds after r251326
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index 5f573e2..9a72536 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -1341,12 +1341,10 @@
unsigned lastIndex = 0;
MatchResult result;
JSArray* array = createRegExpMatchesArray(vm, globalObject, string, input, regExp, lastIndex, result);
- if (!array) {
- ASSERT(!scope.exception());
- return JSValue::encode(jsNull());
- }
-
RETURN_IF_EXCEPTION(scope, { });
+ if (!array)
+ return JSValue::encode(jsNull());
+
globalObject->regExpGlobalData().recordMatch(vm, globalObject, regExp, string, result);
return JSValue::encode(array);
}