Title: [249777] trunk
- Revision
- 249777
- Author
- msab...@apple.com
- Date
- 2019-09-11 14:22:33 -0700 (Wed, 11 Sep 2019)
Log Message
JSC crashes due to stack overflow while building RegExp
https://bugs.webkit.org/show_bug.cgi?id=201649
Reviewed by Yusuke Suzuki.
JSTests:
New regression test.
* stress/regexp-bol-optimize-out-of-stack.js: Added.
(test):
(catch):
Source/_javascript_Core:
Check for running out of stack when we are optimizing RegExp containing BOL terms or
other deep copying of disjunctions.
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::copyDisjunction):
(JSC::Yarr::YarrPatternConstructor::copyTerm):
(JSC::Yarr::YarrPatternConstructor::error):
(JSC::Yarr::YarrPattern::compile):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (249776 => 249777)
--- trunk/JSTests/ChangeLog 2019-09-11 21:10:11 UTC (rev 249776)
+++ trunk/JSTests/ChangeLog 2019-09-11 21:22:33 UTC (rev 249777)
@@ -1,3 +1,16 @@
+2019-09-10 Michael Saboff <msab...@apple.com>
+
+ JSC crashes due to stack overflow while building RegExp
+ https://bugs.webkit.org/show_bug.cgi?id=201649
+
+ Reviewed by Yusuke Suzuki.
+
+ New regression test.
+
+ * stress/regexp-bol-optimize-out-of-stack.js: Added.
+ (test):
+ (catch):
+
2019-09-10 Yusuke Suzuki <ysuz...@apple.com>
[WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
Added: trunk/JSTests/stress/regexp-bol-optimize-out-of-stack.js (0 => 249777)
--- trunk/JSTests/stress/regexp-bol-optimize-out-of-stack.js (rev 0)
+++ trunk/JSTests/stress/regexp-bol-optimize-out-of-stack.js 2019-09-11 21:22:33 UTC (rev 249777)
@@ -0,0 +1,16 @@
+// This test that the beginning of line (bol) optimization throws when we run out of stack space.
+
+let expectedException = "SyntaxError: Invalid regular _expression_: regular _expression_ too large";
+
+function test()
+{
+ let source = Array(50000).join("(") + /(?:^|:|,)(?:\s*\[)+/g.toString() + Array(50000).join(")");
+ RegExp(source);
+}
+
+try {
+ test();
+} catch(e) {
+ if (e != expectedException)
+ throw "Expected \"" + expectedException + "\" exception, but got \"" + e + "\"";
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (249776 => 249777)
--- trunk/Source/_javascript_Core/ChangeLog 2019-09-11 21:10:11 UTC (rev 249776)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-09-11 21:22:33 UTC (rev 249777)
@@ -1,3 +1,19 @@
+2019-09-11 Michael Saboff <msab...@apple.com>
+
+ JSC crashes due to stack overflow while building RegExp
+ https://bugs.webkit.org/show_bug.cgi?id=201649
+
+ Reviewed by Yusuke Suzuki.
+
+ Check for running out of stack when we are optimizing RegExp containing BOL terms or
+ other deep copying of disjunctions.
+
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
+ (JSC::Yarr::YarrPatternConstructor::copyTerm):
+ (JSC::Yarr::YarrPatternConstructor::error):
+ (JSC::Yarr::YarrPattern::compile):
+
2019-09-11 Truitt Savell <tsav...@apple.com>
Unreviewed, rolling out r249753.
Modified: trunk/Source/_javascript_Core/yarr/YarrPattern.cpp (249776 => 249777)
--- trunk/Source/_javascript_Core/yarr/YarrPattern.cpp 2019-09-11 21:10:11 UTC (rev 249776)
+++ trunk/Source/_javascript_Core/yarr/YarrPattern.cpp 2019-09-11 21:22:33 UTC (rev 249777)
@@ -702,6 +702,11 @@
// skip alternatives with m_startsWithBOL set true.
PatternDisjunction* copyDisjunction(PatternDisjunction* disjunction, bool filterStartsWithBOL = false)
{
+ if (UNLIKELY(!isSafeToRecurse())) {
+ m_error = ErrorCode::PatternTooLarge;
+ return 0;
+ }
+
std::unique_ptr<PatternDisjunction> newDisjunction;
for (unsigned alt = 0; alt < disjunction->m_alternatives.size(); ++alt) {
PatternAlternative* alternative = disjunction->m_alternatives[alt].get();
@@ -717,6 +722,11 @@
}
}
+ if (hasError(error())) {
+ newDisjunction = 0;
+ return 0;
+ }
+
if (!newDisjunction)
return 0;
@@ -727,6 +737,11 @@
PatternTerm copyTerm(PatternTerm& term, bool filterStartsWithBOL = false)
{
+ if (UNLIKELY(!isSafeToRecurse())) {
+ m_error = ErrorCode::PatternTooLarge;
+ return PatternTerm(term);
+ }
+
if ((term.type != PatternTerm::TypeParenthesesSubpattern) && (term.type != PatternTerm::TypeParentheticalAssertion))
return PatternTerm(term);
@@ -1100,6 +1115,8 @@
}
}
+ ErrorCode error() { return m_error; }
+
private:
bool isSafeToRecurse() const
{
@@ -1116,6 +1133,7 @@
CharacterClassConstructor m_characterClassConstructor;
Vector<String> m_unmatchedNamedForwardReferences;
void* m_stackLimit;
+ ErrorCode m_error { ErrorCode::NoError };
bool m_invertCharacterClass;
bool m_invertParentheticalAssertion { false };
};
@@ -1151,6 +1169,9 @@
constructor.optimizeDotStarWrappedExpressions();
constructor.optimizeBOL();
+ if (hasError(constructor.error()))
+ return constructor.error();
+
{
ErrorCode error = constructor.setupOffsets();
if (hasError(error))
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes