Closed
Bug 57631
Opened 24 years ago
Closed 24 years ago
RegExp with invalid pattern or invalid flag causes segfault
Categories
(Core :: JavaScript Engine, defect, P3)
VERIFIED
FIXED
People
(Reporter: rginda, Assigned: rogerl)
Details
(Keywords: js1.5)
Attachments
(3 files)
1.76 KB, text/plain
1.05 KB, patch
6.73 KB, patch
js> /()/
5: unterminated parenthetical (:
5: /()/
5: ^
js> new RegExp("()")
Segmentation fault (core dumped)
[rginda@rg2 Linux_All_DBG.OBJ]$

As useless as this regex may be, I think it's legal. At least, it probably shouldn't crash.
Comment 1•24 years ago
Comment 2•24 years ago (Assignee)
We're crashing in an ASSERT because the tokenstream is NULL but fields in it are being validated; it should only be happening in debug versions. Here's a patch: Index: jsscan.c =================================================================== RCS file: /m/pub/mozilla/js/src/jsscan.c,v retrieving revision 3.34 diff -u -r3.34 jsscan.c --- jsscan.c 2000/09/09 05:53:00 3.34 +++ jsscan.c 2000/10/24 19:41:47 @@ -513,7 +513,7 @@ js_AddRoot(cx, &linestr, "error line buffer"); - JS_ASSERT(ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT); + JS_ASSERT(ts && ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT); onError = cx->errorReporter; if (onError) { /*
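Review bot: In the changed JS_ASSERT line, the condition `ts && ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT` is false whenever ts is NULL, so a debug build still stops at this line, now with an assertion failure in place of the NULL dereference. If a NULL token stream is a legitimate state on this error-reporting path, as the RegExp case in this bug suggests, the condition should read `!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT`. Since the assertion is a debug-only check, any later use of ts in this function needs its own NULL test to cover optimized builds.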
Comment 3•24 years ago (Reporter)
I'll buy that. How about the bogus "unterminated parenthetical" error?
Comment 4•24 years ago (Assignee)
Oh yeah, that. It's caused by the regexp parser being too greedy and assuming it's got an atom when it doesn't. I'll attach a combined patch...
Comment 5•24 years ago (Assignee)
Comment 7•24 years ago
NOTE: We are also getting a segfault by using an invalid flag, e.g. 'a'.

EXAMPLE
js> var re = new RegExp('matchthis','a');
js> ---> SEGFAULT
Updated•24 years ago
Summary: regexp causes segfault → RegExp with invalid pattern or invalid flag causes segfault
Comment 8•24 years ago (Assignee)
Turns out to be the same bug and should be fixed by the same patch.
Status: NEW → ASSIGNED
Comment 9•24 years ago
Testcase added to JS test suite: js/tests/ecma_3/RegExp/regress-57631.js
Comment 10•24 years ago (Assignee)
Comment 11•24 years ago (Assignee)
Generated a meta bug to capture all current R.E. bugs.
Comment 12•24 years ago (Assignee)
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 13•24 years ago
Verified Fixed - ran this test suite directory on Linux, WinNT, and Mac js/tests/ecma_3/RegExp/ with both debug and optimized versions of the JS shell, and got 0 errors.
Status: RESOLVED → VERIFIED