Reviewers: Erik Corry,

Description:
Add missing string length check in regexp engine.

[email protected]
BUG=v8:2172
TEST=regress-2172.js


Please review this at https://chromiumcodereview.appspot.com/10536170/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/ia32/regexp-macro-assembler-ia32.cc
  M src/x64/regexp-macro-assembler-x64.cc
  A + test/mjsunit/regress/regress-2172.js


Index: src/ia32/regexp-macro-assembler-ia32.cc
diff --git a/src/ia32/regexp-macro-assembler-ia32.cc b/src/ia32/regexp-macro-assembler-ia32.cc
index 07782cc809f6fcea102b0db6467845b412f2a846..622dc4254d08994d76866e3293afc115467be122 100644
--- a/src/ia32/regexp-macro-assembler-ia32.cc
+++ b/src/ia32/regexp-macro-assembler-ia32.cc
@@ -316,6 +316,11 @@ void RegExpMacroAssemblerIA32::CheckNotBackReferenceIgnoreCase(
   // uncaptured. In either case succeed immediately.
   __ j(equal, &fallthrough);

+  // Check that there are sufficient characters left in the input.
+  __ mov(eax, edi);
+  __ add(eax, ebx);
+  BranchOrBacktrack(greater, on_no_match);
+
   if (mode_ == ASCII) {
     Label success;
     Label fail;
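Review bot: The new bounds check at `__ add(eax, ebx)` / `BranchOrBacktrack(greater, on_no_match)` depends on two things its comment does not state: that `edi` holds the current position as a negative offset from the end of the input (inferred from the sign test, not shown in the hunk), and that the branch consumes the flags left by the `add`. I would expand the comment to `// edi is the (negative) offset from the end of input, ebx the capture length; a positive sum means the back reference would read past the end.` and add `// The flags from the add feed the branch below.` so nobody inserts an instruction between them. The change list covers only the ia32 and x64 back ends, so it is worth confirming that any other architecture ports and the case-sensitive back-reference path already carry an equivalent check. The function body starts and ends outside this hunk.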
Index: src/x64/regexp-macro-assembler-x64.cc
diff --git a/src/x64/regexp-macro-assembler-x64.cc b/src/x64/regexp-macro-assembler-x64.cc
index a72a0a0d1d99adcd9ff54c7b3d0a365f15e03ab6..86f7bfe6ca66533853f9c93f03851b05ef7c1e4a 100644
--- a/src/x64/regexp-macro-assembler-x64.cc
+++ b/src/x64/regexp-macro-assembler-x64.cc
@@ -353,6 +353,14 @@ void RegExpMacroAssemblerX64::CheckNotBackReferenceIgnoreCase(
   // In either case succeed immediately.
   __ j(equal, &fallthrough);

+  // -----------------------
+  // rdx - Start of capture
+  // rbx - length of capture
+  // Check that there are sufficient characters left in the input.
+  __ movl(rax, rdi);
+  __ addl(rax, rbx);
+  BranchOrBacktrack(greater, on_no_match);
+
   if (mode_ == ASCII) {
     Label loop_increment;
     if (on_no_match == NULL) {
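Review bot: The register legend added before the check documents `rdx` and `rbx` but not `rdi`, which is the register the check actually reads; `rdx` is not used by the three new instructions at all. Adding `// rdi - current position (negative offset from end of input)` to the legend would make the test readable on its own, though that meaning is inferred from the sign test rather than shown in the hunk. The check also uses the 32-bit forms `movl`/`addl`, so the `greater` condition is evaluated on the low 32 bits only. If that is the intended invariant, a short comment such as `// Offsets and lengths are 32-bit values here.` would record why it is safe. The function body starts and ends outside this hunk.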
Index: test/mjsunit/regress/regress-2172.js
diff --git a/test/mjsunit/regress/regress-113924.js b/test/mjsunit/regress/regress-2172.js
similarity index 95%
copy from test/mjsunit/regress/regress-113924.js
copy to test/mjsunit/regress/regress-2172.js
index 3ecdec48f219b9ea545702ebf3a396debe7a93f8..09c5466f2ad49d796facc23f0b169ea90a8743d4 100644
--- a/test/mjsunit/regress/regress-113924.js
+++ b/test/mjsunit/regress/regress-2172.js
@@ -25,7 +25,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-var count=12000;
-while(count--) {
-  eval("var a = new Object(10); a[2] += 7;");
+for (var i = 0; i < 10000; i++){
+  (i + "\0").split(/(.)\1/i);
 }
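Review bot: The new loop makes no assertion, so the test only fails if the out-of-bounds read happens to crash or the run uses a memory checker; where the stray read lands in mapped memory, unfixed code could pass. Pinning one result would also catch a wrong match, for example `assertEquals(["", "1", "\0"], "11\0".split(/(.)\1/i));`. A leading comment such as `// Regression test for v8:2172: a case-insensitive back reference must not be compared past the end of the subject string.` would explain the input shape. The reason for 10000 iterations (presumably to reach the native-code path) also deserves a word.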

