
Crash on re.exec(str) if re.lastIndex set to certain values

VERIFIED FIXED in 1.5R4

Status

Rhino
Core
VERIFIED FIXED
16 years ago
14 years ago

People

(Reporter: Phil Schwartau, Assigned: rogerl (gone))

Tracking

({crash})

other
1.5R4
x86
All
crash

Details

(Reporter)

Description

16 years ago
The tests below each involve a regexp with the global flag set, where 
re.lastIndex has been set to out-of-bounds values: i.e. < 0 or > str.length.

In such a case, ECMA specifies that re.exec(str) should return null
(and set re.lastIndex to 0). Here is what Rhino is currently doing: 

[] java org.mozilla.javascript.tools.shell.Main
Rhino 1.5 release 4 0000 00 00 (in progress)

js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = -1;
-1
js> re.exec(str);
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at org.mozilla.javascript.regexp.NativeRegExp.matchRENodes(NativeRegExp.java:1855)
        at org.mozilla.javascript.regexp.NativeRegExp.matchRegExp(NativeRegExp.java:1879)
        at org.mozilla.javascript.regexp.NativeRegExp.executeRegExp(NativeRegExp.java:1925)

                                etc.
                                etc.


js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = 9999999;
9999999
js> re.exec(str);
null  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< CORRECT


js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = Number.MAX_VALUE;
1.7976931348623157e+308
js> re.exec(str);
Abc  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< should be null!


js> re.lastIndex = Math.pow(2,31);
2147483648
js> re.exec(str);
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at org.mozilla.javascript.regexp.NativeRegExp.matchRENodes(NativeRegExp.java:1855)
        at org.mozilla.javascript.regexp.NativeRegExp.matchRegExp(NativeRegExp.java:1879)
        at org.mozilla.javascript.regexp.NativeRegExp.executeRegExp(NativeRegExp.java:1925)
        at 
                                etc.
                                etc.


js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = Math.pow(2,30);
1073741824
js> re.exec(str);
null  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< CORRECT


js> var re = /abc/gi;
js> var str = 'AbcaBcabC';
js> re.lastIndex = Math.pow(2,31);
2147483648
js> re.exec(str);
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at org.mozilla.javascript.regexp.NativeRegExp.matchRENodes(NativeRegExp.java:1855)
        at org.mozilla.javascript.regexp.NativeRegExp.matchRegExp(NativeRegExp.java:1879)
        at org.mozilla.javascript.regexp.NativeRegExp.executeRegExp(NativeRegExp.java:1925)
        at
                                etc.
                                etc.
(Reporter)

Comment 1

16 years ago
This problem is causing the following new testcase to fail: 

        mozilla/js/tests/ecma_3/RegExp/15.10.6.2-2.js
Keywords: crash
(Reporter)

Comment 2

16 years ago
The cases above where re.exec(str) returns 'Abc' instead of |null| 
might be a consequence of bug 124508 against Rhino:
"regexp.lastIndex should be integer-valued double, not uint32"

But I don't know if that's so, and I also don't know if that would
explain the crashes above. If it does, please dupe.
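
Added example, not part of the bug report and not Rhino or SpiderMonkey code: the ECMA-262 3rd edition lastIndex check from the description, next to a hypothetical model in which the value is narrowed to a signed 32-bit integer and only the upper bound is tested. The narrowing model is an assumption made here for illustration (the thread does not confirm the root cause); all function names are hypothetical.

```javascript
// ECMA-262 3rd edition, 15.10.6.2: i = ToInteger(lastIndex), kept as a double.
// If i < 0 or i > length, exec() sets lastIndex to 0 and returns null.
function es3StartIndex(lastIndex, length) {
  const n = Number(lastIndex);
  const i = Number.isNaN(n) ? 0 : Math.trunc(n);    // ToInteger
  return (i < 0 || i > length) ? null : i;          // null: no match attempted
}

// Assumed faulty model: the value is wrapped to a signed 32-bit int (what a
// Java int can hold) and only the upper bound is checked before indexing.
function int32Outcome(lastIndex, length) {
  const i = lastIndex | 0;                          // ToInt32 wrap-around
  if (i > length) return 'null';
  if (i < 0) return 'out-of-bounds index ' + i;     // negative array index
  return 'match attempted at ' + i;
}

// Input string and lastIndex values taken from the report above.
const STR = 'AbcaBcabC';
const CASES = [-1, 9999999, Number.MAX_VALUE, Math.pow(2, 31), Math.pow(2, 30)];

// One row per reported value: the spec result beside the narrowed result.
function compare() {
  return CASES.map(v => ({
    lastIndex: v,
    es3: es3StartIndex(v, STR.length),
    int32: int32Outcome(v, STR.length),
  }));
}

// Regression check against the running engine for values above str.length.
// Negative values are left out: ES2015 and later convert lastIndex with
// ToLength, which clamps negatives to 0 instead of returning null.
function engineRejectsAboveLength(v) {
  const re = /abc/gi;
  re.lastIndex = v;
  return re.exec(STR) === null && re.lastIndex === 0;
}

console.table(compare());
```

Under this assumed model the wrapped values line up with the outcomes in the report: -1 and 2^31 become negative indexes, Number.MAX_VALUE wraps to 0 and matches 'Abc', and 9999999 and 2^30 stay above str.length and give null.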
(Assignee)

Comment 3

16 years ago
Fix checked in - new engine implementation ported from SpiderMonkey.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
(Reporter)

Comment 4

16 years ago
Verified Fixed - the above testcase now passes in the rhino, rhinoi shells.
Status: RESOLVED → VERIFIED

Comment 5

14 years ago
Targeting as resolved against 1.5R4
Target Milestone: --- → 1.5R4