Closed Bug 228087 Opened 22 years ago Closed 21 years ago

bug with braces in JavaScript regular expressions

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.6final

People

(Reporter: bex, Assigned: brendan)

References

(
URL
)

Details

(Keywords: js1.5, Whiteboard: [ have filed bug 228336 against Rhino on this same issue ])

Attachments

(2 files, 2 obsolete files)

proposed fix, v2
5.39 KB, patch
Details | Diff | Splinter Review
diff -w version of last patch
3.70 KB, patch
igor
: review+
shaver
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6b) Gecko/20031208 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6b) Gecko/20031208 the link is a sample page. Basicly, something changed from Mozilla 1.5 to 1.6 about the way braces '{}' are handled inside regular expressions. Escaping them will force it to work, but it shouldn't be necessarry. I know JavaScript handles braces in a special way, but does the RegEx engine? Reproducible: Always Steps to Reproduce: 1. go to the web page 2. click the 'run test' button 3. view the error in the JavaScript console Actual Results: after clicking 'run test', it only pops up 2 alert boxes. The expressions were not parsed properly. Expected Results: it should pop up 4 alert boxes.
Isn't there an existing bug on this? Wish we had a new email address for Phil. /be
Status: UNCONFIRMED → NEW
Ever confirmed: true
It looks like the RegExp rewrite in bug 85721 has changed Mozilla's behavior on the regexps bex has provided here. Compare: ------------------- RC5a release of SpiderMonkey ------------------- js> re = /{1.*}/g; /{1.*}/g js> re = /{1[.!}]*}/g; /{1[.!}]*}/g -------------------- Current SpiderMonkey shell -------------------- js> re = /{1.*}/g; 25: SyntaxError: invalid quantifier {: 25: re = /{1.*}/g; 25: .....^ js> re = /{1[.!}]*}/g; 29: SyntaxError: invalid quantifier {: 29: re = /{1[.!}]*}/g; 29: .....^ Note that these regexps are illegal per ECMA-262 Edition 3, which prohibits the use of unescaped braces in regexp patterns unless they form part of a quantifier. However, as part of the RegExp rewrite, we decided to follow Perl and IE on this, and allow unescaped braces even if they are not part of a quantifier. See bug 188206 comment 12; also bug 223273 comment 29 and following. It looks like the RegExp parser is mistakenly identifying bex's use of braces as quantifiers (hence the SyntaxErrors), instead of the non-quantifier, literal use of unescaped braces that we permit.
Testcase added to JS testsuite: mozilla/js/tests/ecma_3/RegExp/regress-228087.js Currently failing in both the SpiderMonkey and Rhino shell. I have filed bug 228336 against Rhino on this issue. Again - this test passes in the RC5a release of SpiderMonkey, so the current bug is a regression from previous behavior.
Whiteboard: [ have filed bug 228336 against Rhino on this same issue ]
Note: both testcases for bug 188206 and bug 223273 contained tests for literal use of unescaped braces, but they were not exhaustive enough - otherwise this bug would have been caught sooner.
Argh. /be
Assignee: general → brendan
Flags: blocking1.6+
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.6final
Trivial, and I'm using #if 0 for now, but eventually the code will go away, once someone figures out why it was added. /be
Attachment #137867 - Flags: review?(shaver)
Comment on attachment 137867 [details] [diff] [review] proposed fix [Checked in: Comment 9] r=shaver
Attachment #137867 - Flags: review?(shaver) → review+
Comment on attachment 137867 [details] [diff] [review] proposed fix [Checked in: Comment 9] Looking for 1.6 branch approval. /be
Attachment #137867 - Flags: approval1.6?
Attachment #137867 - Flags: approval1.6? → approval1.6+
Fixed in trunk and 1.6 branch. /be
Status: NEW → RESOLVED
Closed: 22 years ago
Flags: blocking1.6+
Resolution: --- → FIXED
The fix does not address all test cases in ecma_3/RegExp/regress-228087.js, in particular, SM still fails with patterns like /c{3 }/, session 6 of the test. As far as I can see in Perl anything after { that does not match \d+(,(\d*)?)?\} leads to treating of { as literal symbol.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch untested patch (obsolete) — Splinter Review
Someone please test for me so this can get into 1.6. I'll try to get time to test it later today, but no promises. /be
Comment on attachment 138712 [details] [diff] [review] untested patch Going for both testing/reviewing buddies on this one. /be
Attachment #138712 - Flags: superreview?(shaver)
Attachment #138712 - Flags: review?(igor)
Attachment #137867 - Attachment description: proposed fix → proposed fix [Checked in: Comment 9]
Attachment #137867 - Attachment is obsolete: true
Flags: blocking1.6+
Will this latest patch make it in time for 1.6f? Asa states: > Today we took (hopefully) the last of the 1.6 changes so I'll be testing the > builds over the weekend, working on release documentation, and looking forward > to a Mozilla 1.6 early next week. http://weblogs.mozillazine.org/asa/archives/004655.html This also seems like a somewhat substantial bug.
Got time to test this, it passes all the new js/tests tests, and regresses the now-bogus test ecma_3/RegExp/regress-188206.js as expected (that test wants brutal SyntaxError exceptions for "Invalid use of regexp quantifiers", contrary to this bug and backward compatibility. /be
monday morning builds will be the candidates so lets tet this in if its good.
Comment on attachment 138712 [details] [diff] [review] untested patch Oops, missed a core file in js/tests -- why doesn't the testsuite driver flag core dumps as failures? /be
Attachment #138712 - Attachment is obsolete: true
Attachment #138712 - Flags: superreview?(shaver)
Attachment #138712 - Flags: review?(igor)
Attached patch proposed fix, v2Splinter Review
Apply this, diff -w next for review. /be
The essential change is to put all the {min,max} quantifier parsing code inside the if (JS7_ISDEC(c)) that notices {min (where min is a decimal literal). Then, only if we find the closing } right after either min, or the comma after min, or min,max do we create a REOP_QUANT node. The old code created the node early, and the previous fix-attempt patch here left that bogo-node around when "failing" to parse a quantifier, trying to fall back so the braced mess parsed as a flat string to match.... /be
Comment on attachment 138844 [details] [diff] [review] diff -w version of last patch This does, indeed, pass the testsuite with the one new expected regression (the test that wants a SyntaxError thrown for "abused" braces in regexps). Hope it's not too late for 1.6. /be
Attachment #138844 - Flags: superreview?(shaver)
Attachment #138844 - Flags: review?(igor)
we are shooting to use the build from tomorrow morning as the 1.6 release builds.
Attachment #138844 - Flags: superreview?(shaver) → superreview+
Fixed on trunk and in the 1.6 branch. Igor, feel free to comment and stamp r+ or whatever. I'm closing this bug, though, since the fix looks good according to code review and testing. /be
Status: REOPENED → RESOLVED
Closed: 22 years ago21 years ago
Resolution: --- → FIXED
Comment on attachment 138844 [details] [diff] [review] diff -w version of last patch Review is OK, I will apply the similar treatment to Rhino. Sorry for delay with it: vacation etc.
Attachment #138844 - Flags: review?(igor) → review+
Flags: testcase+
fixed by bug 289628
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: