Changeset 28395 in webkit


Timestamp:
Dec 4, 2007 11:08:28 AM (16 years ago)
Author:
Darin Adler
Message:

JavaScriptCore:

Reviewed by Geoff.

Test: fast/js/regexp-overflow.html

  • pcre/pcre_compile.cpp: (calculateCompiledPatternLengthAndFlags): Add room for the additional BRA/KET that was generated in the compile code but not taken into account here.

LayoutTests:

Reviewed by Geoff.

  • fast/js/regexp-overflow-expected.txt: Updated.
  • fast/js/resources/regexp-overflow.js: Added test cases.
Location:
trunk
Files:
5 edited

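--- a/trunk/JavaScriptCore/ChangeLog
+++ b/trunk/JavaScriptCore/ChangeLog
@@ -1,2 +1,15 @@
+2007-12-04  Darin Adler  <darin@apple.com>
+
+        Reviewed by Geoff.
+
+        - fix first part of http://bugs.webkit.org/show_bug.cgi?id=16220
+          <rdar://problem/5625221> Crash opening www.news.com (CNet)
+
+        Test: fast/js/regexp-overflow.html
+
+        * pcre/pcre_compile.cpp:
+        (calculateCompiledPatternLengthAndFlags): Add room for the additional BRA/KET that
+        was generated in the compile code but not taken into account here.
+
 2007-12-03  Darin Adler  <darin@apple.com>
 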
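--- a/trunk/JavaScriptCore/pcre/pcre_compile.cpp
+++ b/trunk/JavaScriptCore/pcre/pcre_compile.cpp
@@ -1510,6 +1510,5 @@
                          copy, which has to be moved up. The remainder can be handled by code
                          that is common with the non-zero minimum case below. We have to
-                         adjust the value or repeat_max, since one less copy is required. Once
-                         again, we may have to adjust any OP_RECURSE calls inside the group. */
+                         adjust the value of repeat_max, since one less copy is required. */
                        
                         else {
@@ -2658,4 +2657,5 @@
                     length++;
                     if (maxRepeats > 0) length += (maxRepeats - 1) * (duplength + 3 + 2 * LINK_SIZE);
+                    if (maxRepeats > 1) length += 2 + 2 * LINK_SIZE; // BRA/KET created in else case
                 }
                
@@ -2707,40 +2707,4 @@
     return length;
 }
-
-#ifdef DEBUG
-static void printCompiledRegExp(JSRegExp* re, int length)
-{
-    printf("Length = %d top_bracket = %d top_backref = %d\n",
-           length, re->top_bracket, re->top_backref);
-   
-    if (re->options) {
-        printf("%s%s%s\n",
-               ((re->options & IsAnchoredOption) != 0)? "anchored " : "",
-               ((re->options & IgnoreCaseOption) != 0)? "ignores case " : "",
-               ((re->options & MatchAcrossMultipleLinesOption) != 0)? "multiline " : "");
-    }
-   
-    if (re->options & UseFirstByteOptimizationOption) {
-        char ch = re->first_byte & 255;
-        const char* caseless = (re->first_byte & REQ_IGNORE_CASE) ? " (ignores case)" : "";
-        if (isASCIIAlphanumeric(ch))
-            printf("First char = %c%s\n", ch, caseless);
-        else
-            printf("First char = \\x%02x%s\n", ch, caseless);
-    }
-   
-    if (re->options & UseRequiredByteOptimizationOption) {
-        char ch = re->req_byte & 255;
-        const char* caseless = (re->req_byte & REQ_IGNORE_CASE) ? " (ignores case)" : "";
-        if (isASCIIAlphanumeric(ch))
-            printf("Req char = %c%s\n", ch, caseless);
-        else
-            printf("Req char = \\x%02x%s\n", ch, caseless);
-    }
-   
-    // This debugging function has been removed from JavaScriptCore's PCRE
-    //pcre_printint(re, stdout);
-}
-#endif
 
 /*************************************************
@@ -2838,9 +2802,8 @@
    
     *code++ = OP_END;
-   
-#ifndef DEBUG
+
+    ASSERT(code - codestart <= length);
     if (code - codestart > length)
         errorcode = ERR7;
-#endif
    
     /* Give an error if there's back reference to a non-existent capturing
@@ -2896,17 +2859,4 @@
     }
    
-#ifdef DEBUG
-    printCompiledRegExp(re);
-   
-    /* This check is done here in the debugging case so that the code that
-     was compiled can be seen. */
-    if (code - codestart > length) {
-        (pcre_free)(re);
-        *errorptr = error_text(ERR7);
-        return NULL;
-    }
-   
-#endif
-   
     if (numSubpatterns)
         *numSubpatterns = re->top_bracket;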
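Review bot: The length check after `*code++ = OP_END;` (new lines 2805–2807) runs only once the compiled code has been written, so when `code - codestart > length` is true the buffer — presumably sized from the preflight `length` — has already been overrun, and setting `ERR7` reports the damage rather than preventing it. Since this is now the guard that runs in every build, it deserves a comment saying so, e.g. `// Reached only after the overrun has happened: the preflight in calculateCompiledPatternLengthAndFlags under-counted.`, and it is worth considering making the condition fatal in release builds too instead of continuing on a heap that may be corrupted. The accounting added at new line 2659 fixes one under-count; any other branch of the compile step that emits bytes the preflight does not count would end up here the same way. The enclosing function starts and ends outside the hunks shown.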
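--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,12 @@
+2007-12-04  Darin Adler  <darin@apple.com>
+
+        Reviewed by Geoff.
+
+        - test for first part of http://bugs.webkit.org/show_bug.cgi?id=16220
+          <rdar://problem/5625221> Crash opening www.news.com (CNet)
+
+        * fast/js/regexp-overflow-expected.txt: Updated.
+        * fast/js/resources/regexp-overflow.js: Added test cases.
+
 2007-12-03  Dan Bernstein  <mitz@apple.com>
 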
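--- a/trunk/LayoutTests/fast/js/regexp-overflow-expected.txt
+++ b/trunk/LayoutTests/fast/js/regexp-overflow-expected.txt
@@ -1,3 +1,3 @@
-Tests some regular expressions with braces in them that used to overflow the regular expression compilation preflight computation.
+Tests some regular expressions that used to overflow the regular expression compilation preflight computation.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
@@ -7,4 +7,6 @@
 PASS /^(\d{1,2})([ -:\/\.]{1})(\d{1,2})(\2{1})?(\d{2,4})?$/.exec("1:1").toString() is "1:1,1,:,1,,"
 PASS /^(\d{4})([ -:\/\.]{1})(\d{1,2})(\2{1})(\d{1,2})T(\d{1,2})([ -:\/\.]{1})(\d{1,2})(\7{1})(\d{1,2})Z$/.exec("1234:5:6T7/8/9Z").toString() is "1234:5:6T7/8/9Z,1234,:,5,:,6,7,/,8,/,9"
+PASS /\[["'\s]{0,1}([\w-]*)["'\s]{0,1}([\W]{0,1}=){0,2}["'\s]{0,1}([\w-]*)["'\s]{0,1}\]$/.exec("[]").toString() is "[],,,"
+PASS /(x){0,2}/.exec("").toString() is ","
 
 PASS successfullyParsed is true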
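--- a/trunk/LayoutTests/fast/js/resources/regexp-overflow.js
+++ b/trunk/LayoutTests/fast/js/resources/regexp-overflow.js
@@ -1,9 +1,17 @@
 description(
-'Tests some regular expressions with braces in them that used to overflow the regular expression compilation preflight computation.'
+'Tests some regular expressions that used to overflow the regular expression compilation preflight computation.'
 );
 
 shouldBe('/(\\d)(\\1{1})/.exec("11").toString()', '"11,1,1"');
+
 shouldBe('/^(\\d{1,2})([ -:\\/\\.]{1})(\\d{1,2})(\\2{1})?(\\d{2,4})?$/.exec("1:1").toString()', '"1:1,1,:,1,,"');
-shouldBe('/^(\\d{4})([ -:\\/\\.]{1})(\\d{1,2})(\\2{1})(\\d{1,2})T(\\d{1,2})([ -:\\/\\.]{1})(\\d{1,2})(\\7{1})(\\d{1,2})Z$/.exec("1234:5:6T7/8/9Z").toString()', '"1234:5:6T7/8/9Z,1234,:,5,:,6,7,/,8,/,9"');
+
+shouldBe('/^(\\d{4})([ -:\\/\\.]{1})(\\d{1,2})(\\2{1})(\\d{1,2})T(\\d{1,2})([ -:\\/\\.]{1})(\\d{1,2})(\\7{1})(\\d{1,2})Z$/.exec("1234:5:6T7/8/9Z").toString()',
+    '"1234:5:6T7/8/9Z,1234,:,5,:,6,7,/,8,/,9"');
+
+shouldBe('/\\[["\'\\s]{0,1}([\\w-]*)["\'\\s]{0,1}([\\W]{0,1}=){0,2}["\'\\s]{0,1}([\\w-]*)["\'\\s]{0,1}\\]$/.exec("[]").toString()',
+    '"[],,,"');
+
+shouldBe('/(x){0,2}/.exec("").toString()', '","');
 
 debug('');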