Bug 57631: RegExp with invalid pattern or invalid flag causes segfault
Status: VERIFIED FIXED (Closed)
Opened 25 years ago; closed 25 years ago
Categories: Core :: JavaScript Engine, defect, P3
People: Reporter: rginda, Assigned: rogerl
Keywords: js1.5
Attachments (3 files): 1.76 KB text/plain; 1.05 KB patch; 6.73 KB patch
js> /()/
5: unterminated parenthetical (:
5: /()/
5: ^
js> new RegExp("()")
Segmentation fault (core dumped)
[rginda@rg2 Linux_All_DBG.OBJ]$
As useless as this regex may be, I think it's legal. At least, it probably
shouldn't crash.
Comment 1 • 25 years ago
Comment 2 (Assignee) • 25 years ago
We're crashing in an ASSERT because the tokenstream is NULL but fields in it are
being validated; it should only be happening in debug versions.
Here's a patch:
Index: jsscan.c
===================================================================
RCS file: /m/pub/mozilla/js/src/jsscan.c,v
retrieving revision 3.34
diff -u -r3.34 jsscan.c
--- jsscan.c 2000/09/09 05:53:00 3.34
+++ jsscan.c 2000/10/24 19:41:47
@@ -513,7 +513,7 @@
js_AddRoot(cx, &linestr, "error line buffer");
- JS_ASSERT(ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
+ JS_ASSERT(ts && ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
onError = cx->errorReporter;
if (onError) {
/*
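Review bot: In the changed JS_ASSERT, the condition `ts && ...` is still false whenever ts is NULL, which is the case described in this comment, so a debug build trades the NULL dereference for an assertion abort rather than continuing to the error reporter. If a NULL token stream is a legitimate state on this path, the condition should read `!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT`. Any use of ts further down in this function also needs its own NULL guard, since the assertion only exists in debug builds.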
Comment 3 (Reporter) • 25 years ago
I'll buy that. How about the bogus "unterminated parenthetical" error?
Comment 4 (Assignee) • 25 years ago
Oh yeah, that. It's caused by the regexp parser being too greedy and assuming
it's got an atom when it doesn't. I'll attach a combined patch...
Comment 5 (Assignee) • 25 years ago
Comment 7 • 25 years ago
NOTE: We are also getting a segfault by using an invalid flag, e.g. 'a'.
EXAMPLE
js> var re = new RegExp('matchthis','a');
js> ---> SEGFAULT
Updated • 25 years ago
Summary: regexp causes segfault → RegExp with invalid pattern or invalid flag causes segfault
Comment 8 (Assignee) • 25 years ago
Turns out to be the same bug and should be fixed by the same patch.
Status: NEW → ASSIGNED
Comment 9 • 25 years ago
Testcase added to JS test suite:
js/tests/ecma_3/RegExp/regress-57631.js
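A regression-style check for the two inputs reported in this thread, written as an added example (it is not the contents of regress-57631.js or any Mozilla code). `classify`, `CASES`, `failures` and `emptyGroupAgrees` are hypothetical names, and the unterminated-group and valid-flag cases are constructed controls.

```javascript
// Added example: checks the behaviours discussed in this bug on a modern engine.
// classify() and CASES are hypothetical names, not part of the Mozilla test suite.
function classify(pattern, flags) {
  try {
    const re = new RegExp(pattern, flags);
    const m = re.exec("matchthis");
    return { outcome: "compiled", match: m ? Array.from(m) : null, index: m ? m.index : -1 };
  } catch (e) {
    // A rejected pattern or flag must surface as a catchable SyntaxError.
    const outcome = e instanceof SyntaxError ? "SyntaxError" : "other:" + e.name;
    return { outcome, match: null, index: -1 };
  }
}

// Constructed cases: the two crashing inputs from the report plus two controls.
const CASES = [
  { pattern: "()", flags: undefined, expect: "compiled" },     // empty group is legal
  { pattern: "matchthis", flags: "a", expect: "SyntaxError" }, // invalid flag
  { pattern: "(", flags: undefined, expect: "SyntaxError" },   // really unterminated
  { pattern: "matchthis", flags: "gi", expect: "compiled" },   // valid control
];

// Returns the cases whose outcome differs from the expected one.
function failures() {
  return CASES
    .map((c) => ({ ...c, got: classify(c.pattern, c.flags).outcome }))
    .filter((c) => c.got !== c.expect);
}

// The literal and constructor forms of the empty group must agree.
function emptyGroupAgrees() {
  const a = /()/.exec("matchthis");
  const b = new RegExp("()").exec("matchthis");
  return a.length === 2 && b.length === 2 &&
    a[0] === "" && a[1] === "" && b[0] === "" && b[1] === "" &&
    a.index === b.index;
}

for (const f of failures()) {
  console.log(`FAIL /${f.pattern}/ flags=${f.flags}: expected ${f.expect}, got ${f.got}`);
}
console.log(failures().length === 0 && emptyGroupAgrees() ? "PASS" : "FAIL");
```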
Comment 10 (Assignee) • 25 years ago
Comment 11 (Assignee) • 25 years ago
Generated a meta bug to capture all current R.E. bugs.
Comment 12 (Assignee) • 25 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Comment 13 • 25 years ago
Verified Fixed - ran this test suite directory on Linux, WinNT, and Mac
js/tests/ecma_3/RegExp/
with both debug and optimized versions of the JS shell, and got 0 errors.
Status: RESOLVED → VERIFIED