Skip to content

Commit

Permalink
Re-sync with internal repository (#856)
Browse files Browse the repository at this point in the history
Co-authored-by: Facebook Community Bot <[email protected]>
  • Loading branch information
2 people authored and Riccardo Cipolleschi committed Nov 30, 2022
1 parent 85613e1 commit 1eb8f7e
Show file tree
Hide file tree
Showing 3 changed files with 26 additions and 10 deletions.
12 changes: 2 additions & 10 deletions lib/VM/JSObject.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -118,16 +118,8 @@ PseudoHandle<JSObject> JSObject::create(
Runtime &runtime,
Handle<JSObject> parentHandle,
Handle<HiddenClass> clazz) {
auto *cell = runtime.makeAFixed<JSObject>(
runtime, parentHandle, clazz, GCPointerBase::NoBarriers());
auto obj = JSObjectInit::initToPseudoHandle(runtime, cell);

obj->clazz_.setNonNull(runtime, *clazz, runtime.getHeap());
// If the hidden class has index like property, we need to clear the fast path
// flag.
if (LLVM_UNLIKELY(
obj->clazz_.getNonNull(runtime)->getHasIndexLikeProperties()))
obj->flags_.fastIndexProperties = false;
PseudoHandle<JSObject> obj = JSObject::create(runtime, clazz);
obj->parent_.set(runtime, parentHandle.get(), runtime.getHeap());
return obj;
}

Expand Down
2 changes: 2 additions & 0 deletions lib/VM/JSRegExp.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,7 @@ ExecutionStatus JSRegExp::initializeGroupNameMappingObj(
Handle<JSRegExp> selfHandle,
std::deque<llvh::SmallVector<char16_t, 5>> &orderedNamedGroups,
regex::ParsedGroupNamesMapping &parsedMappings) {
GCScope gcScope(runtime);
if (parsedMappings.size() == 0)
return ExecutionStatus::RETURNED;

Expand All @@ -184,6 +185,7 @@ ExecutionStatus JSRegExp::initializeGroupNameMappingObj(

MutableHandle<HermesValue> numberHandle{runtime};
for (const auto &identifier : orderedNamedGroups) {
GCScopeMarkerRAII marker{gcScope};
auto symbolRes =
runtime.getIdentifierTable().getSymbolHandle(runtime, identifier);
if (LLVM_UNLIKELY(symbolRes == ExecutionStatus::EXCEPTION)) {
Expand Down
22 changes: 22 additions & 0 deletions test/hermes/regress-named-capture-group.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
/**
* Copyright (c) Meta Platforms, Inc. and affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/

// RUN: %hermes -O %s

// Check Regex doesn't crash due to an underlying unitialized propStorage_.
// There was a bug that the hidden class of the named capture group mapping
// object would not have a properly initialized propStorage_.
// Thus, once the number of named groups exceeded the number of direct
// property slots, it crashed when trying to assign properties to
// the uninitialized propStorage_.

var s = '';
for (let i = 0; i < 1000; i++) {
s += `(?<foo${i}>a)`;
}
var re = new RegExp(s);
print(re.exec(""))

0 comments on commit 1eb8f7e

Please sign in to comment.