LibRegex: Avoid use-after-return of MatchState in 'is_an_eligible_jump'

The opcode may have last been accessed by block_satisfies_atomic_rewrite_precondition, which would set it to a state that no longer exists. Set the state to the correct one unconditionally to ensure we're looking at the right value. Fixes #5145.
Author: https://github.com/alimpfard Commit: https://github.com/LadybirdBrowser/ladybird/commit/b0e471228dd Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5200 Reviewed-by: https://github.com/gmta ✅
2026-04-26 09:45:06 +02:00 · 2025-06-24 16:41:28 +02:00 · 2025-06-24 16:44:28 +00:00
parent 2947ae7d6e
commit b0e471228d
2 changed files with 5 additions and 4 deletions
--- a/Libraries/LibRegex/RegexOptimizer.cpp
+++ b/Libraries/LibRegex/RegexOptimizer.cpp
@@ -1013,8 +1013,10 @@ void Regex<Parser>::attempt_rewrite_loops_as_atomic_groups(BasicBlockList const&
        AlternateForm form;
    };
    Vector<CandidateBlock> candidate_blocks;
+    auto state = MatchState::only_for_enumeration();

-    auto is_an_eligible_jump = [](OpCode const& opcode, size_t ip, size_t block_start, AlternateForm alternate_form) {
+    auto is_an_eligible_jump = [&state](OpCode& opcode, size_t ip, size_t block_start, AlternateForm alternate_form) {
+        opcode.set_state(state);
        switch (opcode.opcode_id()) {
        case OpCodeId::JumpNonEmpty: {
            auto const& op = static_cast<OpCode_JumpNonEmpty const&>(opcode);
@@ -1049,7 +1051,6 @@ void Regex<Parser>::attempt_rewrite_loops_as_atomic_groups(BasicBlockList const&
        Optional<Block> fork_fallback_block;
        if (i + 1 < basic_blocks.size())
            fork_fallback_block = basic_blocks[i + 1];
-        auto state = MatchState::only_for_enumeration();
        // Check if the last instruction in this block is a jump to the block itself:
        {
            state.instruction_position = forking_block.end;