Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
https://bugs.webkit.org/show_bug.cgi?id=203230
<rdar://problem/56460749>

Reviewed by Robin Morisset.

JSTests:

* stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js: Added.

Source/JavaScriptCore:

operationRegExpExecNonGlobalOrSticky() was asserting no exception when
createRegExpMatchesArray() returns null.  createRegExpMatchesArray() only returns
null when RegExp::matchInline() returns -1.  RegExp::matchInline() can return -1
either when there's an error, or if the match fails.  When there's an error,
RegExp::matchInline() also throws an exception via a throwError() helper.

This patch fixes operationRegExpExecNonGlobalOrSticky() to check for an exception
being thrown, or createRegExpMatchesArray() returning a null array due to a failed
match.

* dfg/DFGOperations.cpp:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@251447 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 7695e57..416ed7a 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2019-10-22  Mark Lam  <mark.lam@apple.com>
+
+        Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
+        https://bugs.webkit.org/show_bug.cgi?id=203230
+        <rdar://problem/56460749>
+
+        Reviewed by Robin Morisset.
+
+        * stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js: Added.
+
 2019-10-21  Mark Lam  <mark.lam@apple.com>
 
         Rolling out r251411: Fix is incorrect.
diff --git a/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js b/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js
new file mode 100644
index 0000000..bd3d04c
--- /dev/null
+++ b/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js
@@ -0,0 +1,26 @@
+//@ runDefault("--alwaysUseShadowChicken=true", "--jitPolicyScale=0", "--useRandomizingFuzzerAgent=1", "--maxPerThreadStackUsage=1572863")
+//@ slow!
+
+class C {
+    constructor(func) {
+        this.func = func;
+    }
+    runTest() {
+        this.func();
+    }
+}
+function recurseAndTest() {
+    try {
+        recurseAndTest();
+        test.runTest();
+    } catch (e) {
+    }
+}
+const howManyParentheses = 1000;
+const deepRE = new RegExp('('.repeat(howManyParentheses) + ')'.repeat(howManyParentheses));
+let test = 
+    new C(() => {
+        deepRE.exec('');
+    });
+
+recurseAndTest();
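Review bot: the test has no assertion of its own, so it only detects the bug when the debug-build `ASSERT(!scope.exception())` fires; a short comment above `recurseAndTest()` saying what is expected (the 1000-group `deepRE.exec('')` failing with an error near stack exhaustion and that error being surfaced as a caught exception rather than a null result) would make the intent clear, since the empty `catch (e) {}` otherwise reads as swallowing whatever happens. The forward reference to `test` inside `recurseAndTest()` before the `let test =` declaration is fine because the only call comes after it, but noting that ordering in the same comment would save the next reader a second look.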
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index d55e44e..979634d 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,23 @@
+2019-10-22  Mark Lam  <mark.lam@apple.com>
+
+        Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
+        https://bugs.webkit.org/show_bug.cgi?id=203230
+        <rdar://problem/56460749>
+
+        Reviewed by Robin Morisset.
+
+        operationRegExpExecNonGlobalOrSticky() was asserting no exception when
+        createRegExpMatchesArray() returns null.  createRegExpMatchesArray() only returns
+        null when RegExp::matchInline() returns -1.  RegExp::matchInline() can return -1
+        either when there's an error, or if the match fails.  When there's an error,
+        RegExp::matchInline() also throws an exception via a throwError() helper.
+
+        This patch fixes operationRegExpExecNonGlobalOrSticky() to check for an exception
+        being thrown, or createRegExpMatchesArray() returning a null array due to a failed
+        match.
+
+        * dfg/DFGOperations.cpp:
+
 2019-10-22  Adrian Perez de Castro  <aperez@igalia.com>
 
         [GTK][WPE] Fix non-unified builds after r251326
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index 5f573e2..9a72536 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -1341,12 +1341,10 @@
     unsigned lastIndex = 0;
     MatchResult result;
     JSArray* array = createRegExpMatchesArray(vm, globalObject, string, input, regExp, lastIndex, result);
-    if (!array) {
-        ASSERT(!scope.exception());
-        return JSValue::encode(jsNull());
-    }
-
     RETURN_IF_EXCEPTION(scope, { });
+    if (!array)
+        return JSValue::encode(jsNull());
+
     globalObject->regExpGlobalData().recordMatch(vm, globalObject, regExp, string, result);
     return JSValue::encode(array);
 }
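Review bot: moving `RETURN_IF_EXCEPTION(scope, { });` ahead of the `if (!array)` test is the right fix: on the error path (matchInline() returning -1 with a pending exception) the old code returned `JSValue::encode(jsNull())` in release builds, handing the caller null with an exception still pending, and only debug builds noticed via the assertion. Consider a one-line comment above `if (!array)` stating that a null array with no pending exception means the match simply failed, so the two meanings of null that the ChangeLog explains are visible at the call site.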