Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
https://bugs.webkit.org/show_bug.cgi?id=203230
<rdar://problem/56460749>
Reviewed by Robin Morisset.
JSTests:
* stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js: Added.
Source/JavaScriptCore:
operationRegExpExecNonGlobalOrSticky() was asserting no exception when
createRegExpMatchesArray() returns null. createRegExpMatchesArray() only returns
null when RegExp::matchInline() returns -1. The only way RegExp::matchInline()
can return -1 is via a throwError() helper which throws an exception. The other
return path in RegExp::matchInline() explicitly ASSERT(result >= -1). Hence, the
assertion in operationRegExpExecNonGlobalOrSticky() is wrong.
* dfg/DFGOperations.cpp:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@251411 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 0a938fc..dca3bb1 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2019-10-21 Mark Lam <mark.lam@apple.com>
+
+ Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
+ https://bugs.webkit.org/show_bug.cgi?id=203230
+ <rdar://problem/56460749>
+
+ Reviewed by Robin Morisset.
+
+ * stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js: Added.
+
2019-10-21 Saam Barati <sbarati@apple.com>
ValuePow's constant folding rule differs from what the runtime does
diff --git a/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js b/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js
new file mode 100644
index 0000000..bd3d04c
--- /dev/null
+++ b/JSTests/stress/incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js
@@ -0,0 +1,26 @@
+//@ runDefault("--alwaysUseShadowChicken=true", "--jitPolicyScale=0", "--useRandomizingFuzzerAgent=1", "--maxPerThreadStackUsage=1572863")
+//@ slow!
+
+class C {
+ constructor(func) {
+ this.func = func;
+ }
+ runTest() {
+ this.func();
+ }
+}
+function recurseAndTest() {
+ try {
+ recurseAndTest();
+ test.runTest();
+ } catch (e) {
+ }
+}
+const howManyParentheses = 1000;
+const deepRE = new RegExp('('.repeat(howManyParentheses) + ')'.repeat(howManyParentheses));
+let test =
+ new C(() => {
+ deepRE.exec('');
+ });
+
+recurseAndTest();
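Review bot: The empty `catch (e) { }` in recurseAndTest() swallows every exception, so the only signal this test gives is the absence of an assertion crash on debug builds; a one-line comment above the function saying that the stack overflow inside `deepRE.exec('')` (forced by `--maxPerThreadStackUsage=1572863` and the 1000-deep nested groups) is what exercises the null-return path would make the intent clear to the next reader. Also worth noting in that comment that `test` is declared with `let` after recurseAndTest() is defined, which is fine only because the first call at the bottom happens after the `let` has run; moving `const howManyParentheses`, `deepRE` and `let test` above recurseAndTest() would avoid the temporal-dead-zone question entirely.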
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index ef9ad6d..a83e1c9 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2019-10-21 Mark Lam <mark.lam@apple.com>
+
+ Fix incorrect assertion in operationRegExpExecNonGlobalOrSticky().
+ https://bugs.webkit.org/show_bug.cgi?id=203230
+ <rdar://problem/56460749>
+
+ Reviewed by Robin Morisset.
+
+ operationRegExpExecNonGlobalOrSticky() was asserting no exception when
+ createRegExpMatchesArray() returns null. createRegExpMatchesArray() only returns
+ null when RegExp::matchInline() returns -1. The only way RegExp::matchInline()
+ can return -1 is via a throwError() helper which throws an exception. The other
+ return path in RegExp::matchInline() explicitly ASSERT(result >= -1). Hence, the
+ assertion in operationRegExpExecNonGlobalOrSticky() is wrong.
+
+ * dfg/DFGOperations.cpp:
+
2019-10-21 Saam Barati <sbarati@apple.com>
ValuePow's constant folding rule differs from what the runtime does
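Review bot: Wording in the ChangeLog entry: "The other return path in RegExp::matchInline() explicitly ASSERT(result >= -1)" is missing a verb; "explicitly asserts result >= -1" (or "has an ASSERT(result >= -1)") reads correctly and matches the rest of the paragraph.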
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index a1f6576..3d8ab52 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -1245,12 +1245,9 @@
unsigned lastIndex = 0;
MatchResult result;
JSArray* array = createRegExpMatchesArray(vm, globalObject, string, input, regExp, lastIndex, result);
- if (!array) {
- ASSERT(!scope.exception());
- return JSValue::encode(jsNull());
- }
-
RETURN_IF_EXCEPTION(scope, { });
+ ASSERT(array);
+
globalObject->regExpGlobalData().recordMatch(vm, globalObject, regExp, string, result);
return JSValue::encode(array);
}
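Review bot: `ASSERT(array)` compiles out in release builds, so if createRegExpMatchesArray() ever returns null without an exception pending, `RETURN_IF_EXCEPTION(scope, { })` will not fire and the code falls through to `recordMatch(..., result)` with a never-assigned `result` and then `return JSValue::encode(array)`, which encodes a null cell pointer rather than the `jsNull()` the removed branch used to return. The ChangeLog argues that null implies an exception today, so this is correct as written; if that invariant is meant to be load-bearing for JIT-facing code, consider `RELEASE_ASSERT(array)` or a short comment above the assert stating why the null case cannot reach here.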