Closed Bug 126317 Opened 23 years ago Closed 22 years ago

Crash on re.exec(str) if re.lastIndex set to certain values

Categories

(Rhino Graveyard :: Core, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: pschwartau, Assigned: rogerl)

Details

(Keywords: crash)

The tests below each involve a regexp with the global flag set, where 
re.lastIndex has been set to out-of-bounds values: i.e. < 0  or > str.length.

In such a case, ECMA specifies that re.exec(str) should return null
(and set re.lastIndex to 0). Here is what Rhino is currently doing:

[] java org.mozilla.javascript.tools.shell.Main
Rhino 1.5 release 4 0000 00 00 (in progress)

js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = -1;
-1
js> re.exec(str);
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at org.mozilla.javascript.regexp.NativeRegExp.matchRENodes(NativeRegExp.java:1855)
        at org.mozilla.javascript.regexp.NativeRegExp.matchRegExp(NativeRegExp.java:1879)
        at org.mozilla.javascript.regexp.NativeRegExp.executeRegExp(NativeRegExp.java:1925)

                                etc.
                                etc.


js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = 9999999;
9999999
js> re.exec(str);
null  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< CORRECT


js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = Number.MAX_VALUE;
1.7976931348623157e+308
js> re.exec(str);
Abc  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< should be null!


js> re.lastIndex = Math.pow(2,31);
2147483648
js> re.exec(str);
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at org.mozilla.javascript.regexp.NativeRegExp.matchRENodes(NativeRegExp.java:1855)
        at org.mozilla.javascript.regexp.NativeRegExp.matchRegExp(NativeRegExp.java:1879)
        at org.mozilla.javascript.regexp.NativeRegExp.executeRegExp(NativeRegExp.java:1925)
        at 
                                etc.
                                etc.


js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = Math.pow(2,30);
1073741824
js> re.exec(str);
null  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< CORRECT


js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = Math.pow(2,31);
2147483648
js> re.exec(str);
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at org.mozilla.javascript.regexp.NativeRegExp.matchRENodes(NativeRegExp.java:1855)
        at org.mozilla.javascript.regexp.NativeRegExp.matchRegExp(NativeRegExp.java:1879)
        at org.mozilla.javascript.regexp.NativeRegExp.executeRegExp(NativeRegExp.java:1925)
        at
                                etc.
                                etc.

This problem is causing the following new testcase to fail:

        mozilla/js/tests/ecma_3/RegExp/15.10.6.2-2.js

Keywords: crash

The cases above where re.exec(str) returns 'Abc' instead of |null|
might be a consequence of bug 124508 against Rhino:
"regexp.lastIndex should be integer-valued double, not uint32"

But I don't know if that's so, and I also don't know if that would
explain the crashes above. If it does, please dupe.

Fix checked in - new engine implementation ported from SpiderMonkey.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

Verified Fixed - the above testcase now passes in the rhino, rhinoi shells.
Status: RESOLVED → VERIFIED

Targeting as resolved against 1.5R4
Target Milestone: --- → 1.5R4
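
Added example, not part of the bug report or of Rhino's source: a JavaScript sketch of the bounds rule the report cites (out-of-range lastIndex on a global regexp gives null and resets lastIndex to 0), run over the lastIndex values from the report plus one in-range value. The names checkedExec and runCases are hypothetical; the uint32 column only shows what an unsigned 32-bit coercion does to each value, the distinction named in the title of bug 124508, and makes no claim about what Rhino's code did.

```javascript
// Added example (not Rhino's code). checkedExec and runCases are hypothetical.
// ES2015+ engines apply ToLength to lastIndex, so a negative value natively
// starts the search at 0; the check below follows the rule cited in the report.
const STR = 'AbcaBcabC';                       // string from the report
const CASES = [-1, 9999999, Number.MAX_VALUE, 2 ** 31, 2 ** 30, 3];

// ToInteger on the double itself: no narrowing to a 32-bit type.
function toInteger(v) {
  const n = Number(v);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

function checkedExec(re, str) {
  if (!re.global) return re.exec(str);         // lastIndex only matters with /g
  const i = toInteger(re.lastIndex);
  if (i < 0 || i > str.length) {               // out of bounds: reset, no match
    re.lastIndex = 0;
    return null;
  }
  re.lastIndex = i;                            // in range: let the engine match
  return re.exec(str);
}

function runCases() {
  return CASES.map((start) => {
    const re = /abc/gi;
    re.lastIndex = start;
    const m = checkedExec(re, STR);
    return {
      start,
      uint32: start >>> 0,                     // value after a uint32 coercion
      result: m ? m[0] : null,
      lastIndex: re.lastIndex,
    };
  });
}

console.table(runCases());
```

In the uint32 column Number.MAX_VALUE becomes 0, an in-range index, which is why the comparison has to be made on the integer-valued double before any narrowing.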