Closed Bug 57631 Opened 24 years ago Closed 24 years ago

RegExp with invalid pattern or invalid flag causes segfault

Categories

(Core :: JavaScript Engine, defect, P3)

x86
Linux
defect

VERIFIED FIXED

People

(Reporter: rginda, Assigned: rogerl)

Details

(Keywords: js1.5)

Attachments

(3 files)

js> /()/
5: unterminated parenthetical (:
5: /()/
5: ^
js> new RegExp("()")
Segmentation fault (core dumped)
[rginda@rg2 Linux_All_DBG.OBJ]$ 

As useless as this regex may be, I think it's legal.  At least, it probably
shouldn't crash.
Attached file WinNT stack trace
We're crashing in an ASSERT because the tokenstream is NULL but fields in it are
being validated; it should only be happening in debug versions.

Here's a patch:

Index: jsscan.c
===================================================================
RCS file: /m/pub/mozilla/js/src/jsscan.c,v
retrieving revision 3.34
diff -u -r3.34 jsscan.c
--- jsscan.c    2000/09/09 05:53:00     3.34
+++ jsscan.c    2000/10/24 19:41:47
@@ -513,7 +513,7 @@

     js_AddRoot(cx, &linestr, "error line buffer");

-    JS_ASSERT(ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
+    JS_ASSERT(ts && ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
     onError = cx->errorReporter;
     if (onError) {
         /*
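Review bot: the `ts &&` guard added to the JS_ASSERT only changes debug builds, since JS_ASSERT is compiled out in optimized ones; please confirm that nothing later in this function (the code that fills the "error line buffer" rooted just above) dereferences `ts` unconditionally, because a NULL tokenstream would then still crash the release shell on `new RegExp("()")`. A short comment on the assertion saying why `ts` may legitimately be NULL here (a pattern compiled from a string at runtime rather than from a source literal) would also help the next reader, since the assertion now silently accepts a state it previously rejected.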
I'll buy that.  How about the bogus "unterminated parenthetical" error?
Oh yeah, that.  It's caused by the regexp parser being too greedy and assuming 
it's got an atom when it doesn't. I'll attach a combined patch...
*** Bug 60923 has been marked as a duplicate of this bug. ***
NOTE: We are also getting a segfault by using an invalid flag, e.g. 'a'.

EXAMPLE

js> var re = new RegExp('matchthis','a');
js> --->  SEGFAULT
Summary: regexp causes segfault → RegExp with invalid pattern or invalid flag causes segfault
Keywords: js1.5
Turns out to be the same bug and should be fixed by the same patch.
Status: NEW → ASSIGNED
Testcase added to JS test suite:

                js/tests/ecma_3/RegExp/regress-57631.js
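An added regression-style check in the spirit of the suite entry above (this is example code written for this page, not the contents of regress-57631.js): it feeds the RegExp constructor the inputs from the report and requires that bad input surfaces as a SyntaxError rather than a crash. The case list is constructed from the bug comments; the expected outcomes assume a conforming engine.

```javascript
// Compile a pattern/flags pair and report what happened instead of letting
// the error propagate. For untrusted patterns this is the shape a caller
// needs: a SyntaxError is the only acceptable failure for malformed input.
function tryCompile(pattern, flags) {
  try {
    const re = new RegExp(pattern, flags);
    return { ok: true, source: re.source, flags: re.flags, error: null };
  } catch (e) {
    return { ok: false, source: null, flags: null, error: e.name };
  }
}

// Cases taken from this bug report (constructed list, not the suite file):
//   "()"                 legal, if useless; must compile
//   "matchthis" + "a"    invalid flag; must throw SyntaxError
//   "("                  genuinely unterminated group; must throw SyntaxError
const CASES = [
  { pattern: "()", flags: "", expectOk: true },
  { pattern: "matchthis", flags: "a", expectOk: false },
  { pattern: "(", flags: "", expectOk: false },
];

// Run every case; a case passes when the outcome matches expectation and
// any failure is specifically a SyntaxError (not some other exception).
function runRegressionCases(cases = CASES) {
  return cases.map((c) => {
    const result = tryCompile(c.pattern, c.flags);
    const passed =
      result.ok === c.expectOk && (result.ok || result.error === "SyntaxError");
    return { ...c, result, passed };
  });
}

function allPassed(cases = CASES) {
  return runRegressionCases(cases).every((x) => x.passed);
}

// Stand-alone run: one line per case, mirroring the suite's PASS/FAIL style.
if (typeof require !== "undefined" && require.main === module) {
  for (const x of runRegressionCases()) {
    const tag = x.passed ? "PASSED" : "FAILED";
    console.log(`${tag}: new RegExp(${JSON.stringify(x.pattern)}, ` +
      `${JSON.stringify(x.flags)}) -> ${x.result.ok ? "ok" : x.result.error}`);
  }
}
```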
Blocks: 66234
Generated a meta bug to capture all current R.E. bugs.
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified Fixed - ran this test suite directory on Linux, WinNT, and Mac

                    js/tests/ecma_3/RegExp/ 

with both debug and optimized versions of the JS shell, and got 0 errors.
Status: RESOLVED → VERIFIED