Closed Bug 126317 Opened 23 years ago Closed 23 years ago

Crash on re.exec(str) if re.lastIndex set to certain values

Categories

(Rhino Graveyard :: Core, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: pschwartau, Assigned: rogerl)

Details

(Keywords: crash)

The tests below each involve a regexp with the global flag set, where re.lastIndex has been set to out-of-bounds values: i.e. < 0 or > str.length. In such a case, ECMA specifies that re.exec(str) should return null (and set re.lastIndex to 0). Here is what Rhino is currently doing:

[] java org.mozilla.javascript.tools.shell.Main
Rhino 1.5 release 4 0000 00 00 (in progress)

js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = -1;
-1
js> re.exec(str);
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
    at org.mozilla.javascript.regexp.NativeRegExp.matchRENodes(NativeRegExp.java:1855)
    at org.mozilla.javascript.regexp.NativeRegExp.matchRegExp(NativeRegExp.java:1879)
    at org.mozilla.javascript.regexp.NativeRegExp.executeRegExp(NativeRegExp.java:1925)
    etc. etc.

js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = 9999999;
9999999
js> re.exec(str);
null <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< CORRECT

js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = Number.MAX_VALUE;
1.7976931348623157e+308
js> re.exec(str);
Abc <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< should be null!

js> re.lastIndex = Math.pow(2,31);
2147483648
js> re.exec(str);
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
    at org.mozilla.javascript.regexp.NativeRegExp.matchRENodes(NativeRegExp.java:1855)
    at org.mozilla.javascript.regexp.NativeRegExp.matchRegExp(NativeRegExp.java:1879)
    at org.mozilla.javascript.regexp.NativeRegExp.executeRegExp(NativeRegExp.java:1925)
    at etc. etc.

js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = Math.pow(2,30);
1073741824
js> re.exec(str);
null <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< CORRECT

js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = Math.pow(2,31);
2147483648
js> re.exec(str);
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
    at org.mozilla.javascript.regexp.NativeRegExp.matchRENodes(NativeRegExp.java:1855)
    at org.mozilla.javascript.regexp.NativeRegExp.matchRegExp(NativeRegExp.java:1879)
    at org.mozilla.javascript.regexp.NativeRegExp.executeRegExp(NativeRegExp.java:1925)
    at etc. etc.
This problem is causing the following new testcase to fail: mozilla/js/tests/ecma_3/RegExp/15.10.6.2-2.js
Keywords: crash
The cases above where re.exec(str) returns 'Abc' instead of |null| might be a consequence of bug 124508 against Rhino: "regexp.lastIndex should be integer-valued double, not uint32" But I don't know if that's so, and I also don't know if that would explain the crashes above. If it does, please dupe.
Fix checked in - new engine implementation ported from SpiderMonkey.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified Fixed - the above testcase now passes in the rhino, rhinoi shells.
Status: RESOLVED → VERIFIED
Targeting as resolved against 1.5R4
Target Milestone: --- → 1.5R4
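
Added example, not part of the bug report or of Rhino's source: the ES3 15.10.6.2 bounds check on lastIndex applied to the double value, beside a hypothetical variant that narrows to a signed 32-bit integer before checking only the upper bound. The narrowing variant and all function names are assumptions for illustration; the input values are the ones from the report.

```javascript
// ToInteger as in ECMA-262: NaN -> 0, otherwise truncate toward zero
// (infinities are kept as they are).
function toInteger(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  return Math.trunc(n);
}

// Spec order: validate the double-valued index BEFORE it is used as an offset.
// Returns the start index, or null when exec() must return null and
// reset lastIndex to 0.
function es3StartIndex(lastIndex, strLength, isGlobal) {
  const i = isGlobal ? toInteger(lastIndex) : 0;
  return (i < 0 || i > strLength) ? null : i;
}

// HYPOTHETICAL flawed order (an assumption, not Rhino's source): narrow to a
// signed 32-bit int first, then apply only an upper-bound check.
function narrowedStartIndex(lastIndex, strLength) {
  const i = lastIndex | 0;          // ToInt32 wraps modulo 2^32
  return i > strLength ? null : i;  // negative values slip through
}

// Classify what a matcher would do with the index each variant hands it.
function outcome(start) {
  if (start === null) return "null";
  return start < 0 ? "out-of-bounds read" : "match attempted at " + start;
}

// The lastIndex values from the report, against str = 'AbcaBcabC' (length 9).
function compare() {
  const len = "AbcaBcabC".length;
  const values = [-1, 9999999, Number.MAX_VALUE, Math.pow(2, 30), Math.pow(2, 31)];
  return values.map((v) => ({
    lastIndex: v,
    spec: outcome(es3StartIndex(v, len, true)),
    narrowed: outcome(narrowedStartIndex(v, len)),
  }));
}

console.table(compare());
```

With these inputs the spec-order check yields null for all five values, while the narrowed variant yields a negative index for -1 and Math.pow(2,31) and index 0 for Number.MAX_VALUE.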