| Summary: | Strength reduction analyzes RegEx.exec incorrectly and generates a hole for the result array | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Michael Saboff <msaboff> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, mark.lam, mcatanzaro, msaboff, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Description (reporter's script, reformatted with comments; the helpers `noInline`, `print` and `describe` are built into the JSC shell):

```javascript
function write() {
    // Optional capture group (c) does not participate in the match of "abd",
    // so per spec m[1] must be an explicit `undefined`, not a hole.
    let m = /ab(c)?d/.exec("abd");
    return m;
}
noInline(write);

// Call enough times for the DFG JIT to tier up write().
let all = [];
for (let i = 0; i < 300; i++) {
    all.push(write());
}

let a = all[50];   // result produced by the interpreter / baseline
let b = all[100];  // result produced by DFG-compiled code
print(Object.keys(a), a.length, describe(a));
print(Object.keys(b), b.length, describe(b));
```

With the above script as input to JSC, run JSC with the following parameters:

```
./jsc test.js --useConcurrentJIT=0
```

Variable a is the result for the interpreter while b is the result for the JIT. a.length == b.length, but Object.keys(a) != Object.keys(b). There is a hole in b. This may be caused by strength reduction in the DFG JIT.

It appears that capture groups that aren't matched are not added to the results array. Investigating further.

The results length is correct, but the undefined entries aren't populated, thus the holes. When the calling code accesses the results, the value is the same, "undefined". Investigating further.

Pull request: https://github.com/WebKit/WebKit/pull/5988

non security issue.

Committed 256241@main (b0b694fd099f): <https://commits.webkit.org/256241@main>

Reviewed commits have been landed. Closing PR #5988 and removing active labels.

(In reply to Yusuke Suzuki from comment #4)
> non security issue.

Well https://support.apple.com/en-us/HT213600 says this is CVE-2023-23496, so... somebody requested a CVE for this.
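The reporter's script relies on JSC-shell helpers to show the discrepancy. The following added check (not from the bug report or WebKit) makes the same comparison with standard built-ins only, so it runs in any engine as a regression test: it distinguishes a hole from an explicit `undefined` via own-property checks and compares the shape of the exec result across repeated calls, before and after a tiering JIT has had a chance to compile the loop.

```javascript
// Added regression check for the hole-vs-undefined distinction in this bug.
// Not WebKit code; uses only standard built-ins so it runs under node too.

// Per spec, RegExp.prototype.exec stores `undefined` for an unmatched capture
// group, so every index in 0..length-1 must be an own property of the result.
// Returns the indices that are missing (holes); [] means spec-conformant.
function missingIndices(arr) {
  const missing = [];
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) missing.push(i);
  }
  return missing;
}

// Shape of a single exec result: length, own keys and any holes.
// Assumes a non-global, non-sticky regex so lastIndex does not matter.
function specShape(re, input) {
  const m = re.exec(input);
  if (m === null) return { length: 0, keys: [], holes: [] };
  return { length: m.length, keys: Object.keys(m), holes: missingIndices(m) };
}

// Run the same exec in a loop (as the reporter's script does) and report every
// iteration whose result shape differs from the first one, or that has holes.
// With the bug present, later (JIT-compiled) iterations would show index 1
// missing for /ab(c)?d/ on "abd"; a conformant engine returns [].
function checkExecShape(re, input, iterations = 300) {
  const expected = JSON.stringify(specShape(re, input).keys);
  const bad = [];
  for (let i = 0; i < iterations; i++) {
    const shape = specShape(re, input);
    const keys = JSON.stringify(shape.keys);
    if (shape.holes.length !== 0 || keys !== expected) {
      bad.push({ iteration: i, holes: shape.holes, keys: shape.keys });
    }
  }
  return bad;
}
```

Reading `m[1]` returns `undefined` in both cases, which is why the reporter compares `Object.keys` rather than element values.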