[YARR] Reset firstCharacterAdditionalReadSize at BodyAlternativeNext reentry #61950

Merged: webkit-commit-queue merged 1 commit into WebKit:main from sosukesuzuki:eng/rest-firstCharacterAdditionalReadSize-at-bodyAlternativeNext-reentry on Apr 7, 2026

Conversation

@sosukesuzuki (Contributor) commented Apr 3, 2026

8c10428

[YARR] Reset `firstCharacterAdditionalReadSize` at `BodyAlternativeNext` reentry
https://bugs.webkit.org/show_bug.cgi?id=311388

Reviewed by Yusuke Suzuki.

The non-BMP first-character optimization sets
firstCharacterAdditionalReadSize to 1 when tryReadUnicodeChar reads a
surrogate pair, and the BodyAlternativeEnd trampoline reads it back to
advance the index past the pair on the next iteration.

BodyAlternativeBegin resets the register at its reentry label;
BodyAlternativeNext did not. After a prior alternative read a surrogate
pair, the register stayed at 1 across the alt boundary, and if the next
alternative short-circuited without its own tryReadUnicodeChar call,
the trampoline added the stale 1 and skipped a valid match position.

Mirror the BodyAlternativeBegin reset at BodyAlternativeNext, and add
the same defensive reset at the once-through BodyAlternativeEnd reentry.

Test: JSTests/stress/regexp-jit-non-bmp-first-character-additional-read-size-reset.js

* JSTests/stress/regexp-jit-non-bmp-first-character-additional-read-size-reset.js: Added.
(shouldBe):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:

Canonical link: https://commits.webkit.org/310677@main

8f503ef

EWS status (Misc; iOS, visionOS, tvOS & watchOS; macOS; Linux; Windows): all queues passed:
style, webkitperl, jsc, jsc-debug-arm64, merge;
ios, ios-sim, ios-wk2, ios-wk2-wpt, api-ios, ios-safer-cpp, vision, vision-sim, vision-wk2, tv, tv-sim, watch, watch-sim;
mac, mac-AS-debug, api-mac, api-mac-debug, mac-wk1, mac-wk2, mac-AS-debug-wk2, mac-wk2-stress, mac-intel-wk2, mac-safer-cpp;
wpe, wpe-wk2, api-wpe, gtk3-libwebrtc, gtk, gtk-wk2, api-gtk;
win, win-tests, playstation, jsc-armv7, jsc-armv7-tests.

sosukesuzuki self-assigned this on Apr 3, 2026
sosukesuzuki added the label JavaScriptCore (For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues.) on Apr 3, 2026
sosukesuzuki marked this pull request as ready for review on April 4, 2026 07:51
sosukesuzuki requested a review from a team as a code owner on April 4, 2026 07:51
sosukesuzuki added the label merge-queue (Applied to send a pull request to merge-queue) on Apr 7, 2026
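The failure the commit message describes, a valid match position skipped after an earlier alternative consumed a surrogate pair, is the kind of bug that a differential check catches more reliably than a hand-picked string. The block below is an added example, not the PR's test file and not WebKit code: a reference matcher that walks the input one code point at a time is compared against the engine's own `/u` alternation on constructed inputs that mix BMP characters and surrogate pairs. The alphabet, the literal alternations, the seeded generator and the iteration count are assumptions chosen for illustration; the patterns are ordered so that a non-BMP first alternative is followed by a short BMP one, the shape the commit message names.

```javascript
// Added example (not from the WebKit PR or its JSTests file): differential check of
// /u alternation against a code-point-by-code-point reference matcher.

// Constructed alphabet: two BMP letters and three supplementary characters, each of
// which is a surrogate pair in UTF-16.
const ALPHABET = ['a', 'b', '\u{1F600}', '\u{1F601}', '\u{10000}'];

// Constructed literal alternations. Order matters: a regexp tries alternatives in
// pattern order at each position, so the reference does the same.
const PATTERNS = [
  ['\u{1F601}', 'a'],
  ['\u{1F600}b', 'b'],
  ['\u{10000}', '\u{1F601}'],
  ['ab', '\u{1F600}'],
  ['\u{1F600}', '\u{1F600}a', 'b'],
];

// Reference: leftmost position wins; at a position, the first alternative that is a
// literal prefix of the remaining input wins. Positions advance by whole code points
// (2 code units for a surrogate pair), never into the middle of a pair, which is the
// rule a /u regexp must follow.
function referenceFirstMatch(alternatives, input) {
  let i = 0;
  while (i < input.length) {
    for (const alt of alternatives) {
      if (input.startsWith(alt, i)) return { index: i, match: alt };
    }
    i += input.codePointAt(i) > 0xFFFF ? 2 : 1;
  }
  return null;
}

// Engine side: spell every alternative with \u{...} escapes so the pattern is
// unambiguous about code points, then compile it as a /u RegExp.
function toUnicodeEscapes(literal) {
  // Array.from iterates a string by code point, so a pair becomes one escape.
  return Array.from(literal, (ch) => `\\u{${ch.codePointAt(0).toString(16)}}`).join('');
}

function buildAlternation(alternatives) {
  return new RegExp(alternatives.map(toUnicodeEscapes).join('|'), 'u');
}

function engineFirstMatch(re, input) {
  const m = re.exec(input);
  return m ? { index: m.index, match: m[0] } : null;
}

// Small seeded LCG so a run is reproducible and a mismatch can be replayed.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 0x100000000;
  };
}

function randomInput(rng, maxCodePoints) {
  const n = Math.floor(rng() * (maxCodePoints + 1));
  let out = '';
  for (let k = 0; k < n; k++) out += ALPHABET[Math.floor(rng() * ALPHABET.length)];
  return out;
}

function sameResult(a, b) {
  if (a === null || b === null) return a === b;
  return a.index === b.index && a.match === b.match;
}

// Runs every pattern against `iterations` generated inputs. Each RegExp is compiled
// once and reused so that repeated exec calls, not only a cold first call, are
// exercised (assumption: that is what drives an engine onto its compiled path).
// Returns the number of checks and every disagreement between engine and reference.
function runDifferential(iterations = 2000, seed = 1) {
  const rng = makeRng(seed);
  const compiled = PATTERNS.map((alts) => ({ alts, re: buildAlternation(alts) }));
  const mismatches = [];
  let checked = 0;
  for (let k = 0; k < iterations; k++) {
    const input = randomInput(rng, 8);
    for (const { alts, re } of compiled) {
      const expected = referenceFirstMatch(alts, input);
      const actual = engineFirstMatch(re, input);
      checked++;
      if (!sameResult(expected, actual)) mismatches.push({ alts, input, expected, actual });
    }
  }
  return { checked, mismatches };
}

// Stand-alone run: print the first disagreement, if any, as a replayable record.
const summary = runDifferential();
if (summary.mismatches.length) {
  console.log('mismatch:', JSON.stringify(summary.mismatches[0]));
} else {
  console.log(`ok: ${summary.checked} checks agree`);
}
```

A mismatch record carries the alternation, the input and both results, so a reproduction for a bug report is one string away. On an engine that skips a position the way the commit message describes, `actual` would be a later index than `expected` or `null` where a match exists; on an engine without the defect, all checks agree.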
webkit-commit-queue force-pushed the eng/rest-firstCharacterAdditionalReadSize-at-bodyAlternativeNext-reentry branch from 8f503ef to 8c10428 on April 7, 2026 00:42

@webkit-commit-queue (Collaborator) commented:

Committed 310677@main (8c10428): https://commits.webkit.org/310677@main

Reviewed commits have been landed. Closing PR #61950 and removing active labels.

webkit-commit-queue merged commit 8c10428 into WebKit:main on Apr 7, 2026
webkit-commit-queue removed the label merge-queue (Applied to send a pull request to merge-queue) on Apr 7, 2026
Labels: JavaScriptCore (For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues.)

4 participants