Bug 254600

Summary:	[JSC] Fix Paren Context allocation and use with Duplicate Named Capture groups
Product:	WebKit	Reporter:	Michael Saboff <msaboff>
Component:	JavaScriptCore	Assignee:	Michael Saboff <msaboff>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Local Build
Hardware:	Unspecified
OS:	Unspecified

Michael Saboff

Reported 2023-03-28 09:51:44 PDT

With a RegExp like /((?:(?<f>\w))(?<f>.)(a*c)?)*/, we ASSERT in YarrJIT.cpp:offsetForDuplicateNamedGroupId() with a zero duplicateNamedGroupId and we improperly restore the non-existent '0' duplicate named group's matching subpattern Id.

Attachments
Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2023-03-28 09:52:05 PDT

<rdar://107180725>

Michael Saboff

Comment 2 2023-03-28 10:16:30 PDT

Pull request: https://github.com/WebKit/WebKit/pull/12061

EWS

Comment 3 2023-03-28 15:39:04 PDT

Committed 262239@main (126b01e1d8ac): <https://commits.webkit.org/262239@main> Reviewed commits have been landed. Closing PR #12061 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.