59221 2011-04-22 12:20:56 -0700 [RegexFuzz] Regression blocking testing 2011-04-29 14:55:50 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 1 oliver barraclough barraclough ggaren jruderman oliver pvarga oldest_to_newest 390964 0 oliver 2011-04-22 12:20:56 -0700 new RegExp("(?!(u|m{0,}g+)u{1,}|2{2,}!1%n|(?!K|(?=y)|(?=ip))+?)(?=(?=(((?:7))*?)*?))p", "m").exec("u55up") This triggers the following assertion (which implies a out of bounds read), it also blocks the fuzzer: ASSERTION FAILED: position < 0 /Volumes/BigData/git/WebKit/OpenSource/Source/JavaScriptCore/yarr/YarrInterpreter.cpp(205) : int JSC::Yarr::Interpreter::InputStream::readChecked(int) 1 JSC::Yarr::Interpreter::InputStream::readChecked(int) 2 JSC::Yarr::Interpreter::checkCharacter(int, int) 3 JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool) 4 JSC::Yarr::Interpreter::interpret() 5 JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, unsigned short const*, unsigned int, unsigned int, int*) 6 JSC::RegExp::match(JSC::UString const&, int, WTF::Vector<int, 32ul>*) 7 JSC::RegExpConstructor::performMatch(JSC::RegExp*, JSC::UString const&, int, int&, int&, int**) 8 JSC::RegExpObject::match(JSC::ExecState*) 9 JSC::RegExpObject::exec(JSC::ExecState*) 395403 1 barraclough 2011-04-29 11:57:05 -0700 Reduction: /(?=(a)b|c?)()*d/.exec("ax") 395453 2 barraclough 2011-04-29 13:08:56 -0700 Reduction with YARR JIT disabled: /(?=a|b?)c/.exec("x") 395495 3 barraclough 2011-04-29 14:09:25 -0700 Reduction: /(?=(a)b|c?)()*d/.exec("ax") 395527 4 91742 barraclough 2011-04-29 14:41:15 -0700 Created attachment 91742 The patch 395537 5 barraclough 2011-04-29 14:55:50 -0700 fixed in r85361 91742 2011-04-29 14:41:15 -0700 2011-04-29 14:45:38 -0700 The patch 59221.patch text/plain 5141 barraclough SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gODUzNTcpCisrKyBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjEgQEAK KzIwMTEtMDQtMjkgIEdhdmluIEJhcnJhY2xvdWdoICA8YmFycmFjbG91Z2hAYXBwbGUuY29tPgor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIGh0dHBzOi8v YnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD01OTIyMQorICAgICAgICBbUmVnZXhGdXp6 XSBSZWdyZXNzaW9uIGJsb2NraW5nIHRlc3RpbmcKKworICAgICAgICBPa2F5LCBzbyB0aGUgYnVn IGhlcmUgaXMgdGhhdCB3aGVuLCBpbiB0aGUgY2FzZSBvZiBhIFR5cGVQYXJlbnRoZXRpY2FsQXNz ZXJ0aW9uCisgICAgICAgIG5vZGUsIGVtaXREaXNqdW5jdGlvbiByZWN1cnNpdmVseSBjYWxscyB0 byBpdHNlbGYgdG8gZW1pdCB0aGUgbmVzdGVkIGRpc2p1bmN0aW9uCisgICAgICAgIHRoZSB2YWx1 ZSBvZiBwYXJlbnRoZXNlc0lucHV0Q291bnRBbHJlYWR5Q2hlY2tlZCBpcyBib2d1cyAoZG9lc24n dCB0YWtlIGludG8KKyAgICAgICAgYWNjb3VudCB0aGUgdW5jaGVjayB0aGF0IGhhcyBqdXN0IHRh a2VuIHBsYWNlKS4KKworICAgICAgICBBbHNvLCB0aGUgc3BlY2lhbCBoYW5kbGluZyBnaXZlbiB0 byBjb3VudFRvQ2hlY2sgaW4gdGhlIGNhc2Ugb2YgcGFyZW50aGV0aWNhbAorICAgICAgICBhc3Nl cnRpb25zIGlzIG5vbnNlbnNlLCBkZWxldGUgaXQsIGFsb25nIHdpdGggdGhlIGlzUGFyZW50aGV0 aWNhbEFzc2VydGlvbiBhcmd1bWVudC4KKworICAgICAgICAqIHlhcnIvWWFyckludGVycHJldGVy LmNwcDoKKyAgICAgICAgKEpTQzo6WWFycjo6Qnl0ZUNvbXBpbGVyOjplbWl0RGlzanVuY3Rpb24p OgorCiAyMDExLTA0LTI5ICBDc2FiYSBPc3p0cm9nb27DoWMgIDxvc3N5QHdlYmtpdC5vcmc+CiAK ICAgICAgICAgUmV2aWV3ZWQgYnkgQWRhbSBCYXJ0aC4KSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0 Q29yZS95YXJyL1lhcnJJbnRlcnByZXRlci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFT Y3JpcHRDb3JlL3lhcnIvWWFyckludGVycHJldGVyLmNwcAkocmV2aXNpb24gODUyNzEpCisrKyBT b3VyY2UvSmF2YVNjcmlwdENvcmUveWFyci9ZYXJySW50ZXJwcmV0ZXIuY3BwCSh3b3JraW5nIGNv cHkpCkBAIC0xNzcxLDcgKzE3NzEsNyBAQCBwdWJsaWM6CiAgICAgICAgIG1fY3VycmVudEFsdGVy bmF0aXZlSW5kZXggPSBuZXdBbHRlcm5hdGl2ZUluZGV4OwogICAgIH0KIAotICAgIHZvaWQgZW1p dERpc2p1bmN0aW9uKFBhdHRlcm5EaXNqdW5jdGlvbiogZGlzanVuY3Rpb24sIHVuc2lnbmVkIGlu cHV0Q291bnRBbHJlYWR5Q2hlY2tlZCA9IDAsIHVuc2lnbmVkIHBhcmVudGhlc2VzSW5wdXRDb3Vu dEFscmVhZHlDaGVja2VkID0gMCwgYm9vbCBpc1BhcmVudGhldGljYWxBc3NlcnRpb24gPSBmYWxz ZSkKKyAgICB2b2lkIGVtaXREaXNqdW5jdGlvbihQYXR0ZXJuRGlzanVuY3Rpb24qIGRpc2p1bmN0 aW9uLCB1bnNpZ25lZCBpbnB1dENvdW50QWxyZWFkeUNoZWNrZWQgPSAwLCB1bnNpZ25lZCBwYXJl bnRoZXNlc0lucHV0Q291bnRBbHJlYWR5Q2hlY2tlZCA9IDApCiAgICAgewogICAgICAgICBmb3Ig KHVuc2lnbmVkIGFsdCA9IDA7IGFsdCA8IGRpc2p1bmN0aW9uLT5tX2FsdGVybmF0aXZlcy5zaXpl KCk7ICsrYWx0KSB7CiAgICAgICAgICAgICB1bnNpZ25lZCBjdXJyZW50Q291bnRBbHJlYWR5Q2hl Y2tlZCA9IGlucHV0Q291bnRBbHJlYWR5Q2hlY2tlZDsKQEAgLTE3ODYsMTIgKzE3ODYsNyBAQCBw dWJsaWM6CiAgICAgICAgICAgICB9CiAKICAgICAgICAgICAgIHVuc2lnbmVkIG1pbmltdW1TaXpl ID0gYWx0ZXJuYXRpdmUtPm1fbWluaW11bVNpemU7Ci0gICAgICAgICAgICBpbnQgY291bnRUb0No ZWNrOwotCi0gICAgICAgICAgICBpZiAoaXNQYXJlbnRoZXRpY2FsQXNzZXJ0aW9uICYmIHBhcmVu dGhlc2VzSW5wdXRDb3VudEFscmVhZHlDaGVja2VkID4gbWluaW11bVNpemUpCi0gICAgICAgICAg ICAgICAgY291bnRUb0NoZWNrID0gMDsKLSAgICAgICAgICAgIGVsc2UKLSAgICAgICAgICAgICAg ICBjb3VudFRvQ2hlY2sgPSBtaW5pbXVtU2l6ZSAtIHBhcmVudGhlc2VzSW5wdXRDb3VudEFscmVh ZHlDaGVja2VkOworICAgICAgICAgICAgaW50IGNvdW50VG9DaGVjayA9IG1pbmltdW1TaXplIC0g cGFyZW50aGVzZXNJbnB1dENvdW50QWxyZWFkeUNoZWNrZWQ7CiAKICAgICAgICAgICAgIEFTU0VS VChjb3VudFRvQ2hlY2sgPj0gMCk7CiAgICAgICAgICAgICBpZiAoY291bnRUb0NoZWNrKSB7CkBA IC0xODcxLDcgKzE4NjYsNyBAQCBwdWJsaWM6CiAgICAgICAgICAgICAgICAgICAgICAgICB1bmNo ZWNrQW1vdW50ID0gMDsKIAogICAgICAgICAgICAgICAgICAgICBhdG9tUGFyZW50aGV0aWNhbEFz c2VydGlvbkJlZ2luKHRlcm0ucGFyZW50aGVzZXMuc3VicGF0dGVybklkLCB0ZXJtLmludmVydCgp LCB0ZXJtLmZyYW1lTG9jYXRpb24sIGFsdGVybmF0aXZlRnJhbWVMb2NhdGlvbik7Ci0gICAgICAg ICAgICAgICAgICAgIGVtaXREaXNqdW5jdGlvbih0ZXJtLnBhcmVudGhlc2VzLmRpc2p1bmN0aW9u LCBjdXJyZW50Q291bnRBbHJlYWR5Q2hlY2tlZCwgcG9zaXRpdmVJbnB1dE9mZnNldCwgdHJ1ZSk7 CisgICAgICAgICAgICAgICAgICAgIGVtaXREaXNqdW5jdGlvbih0ZXJtLnBhcmVudGhlc2VzLmRp c2p1bmN0aW9uLCBjdXJyZW50Q291bnRBbHJlYWR5Q2hlY2tlZCwgcG9zaXRpdmVJbnB1dE9mZnNl dCAtIHVuY2hlY2tBbW91bnQpOwogICAgICAgICAgICAgICAgICAgICBhdG9tUGFyZW50aGV0aWNh bEFzc2VydGlvbkVuZCgwLCB0ZXJtLmZyYW1lTG9jYXRpb24sIHRlcm0ucXVhbnRpdHlDb3VudCwg dGVybS5xdWFudGl0eVR5cGUpOwogICAgICAgICAgICAgICAgICAgICBpZiAodW5jaGVja0Ftb3Vu dCkgewogICAgICAgICAgICAgICAgICAgICAgICAgY2hlY2tJbnB1dCh1bmNoZWNrQW1vdW50KTsK SW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9D aGFuZ2VMb2cJKHJldmlzaW9uIDg1MzU4KQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3Jr aW5nIGNvcHkpCkBAIC0xLDMgKzEsMTUgQEAKKzIwMTEtMDQtMjkgIEdhdmluIEJhcnJhY2xvdWdo ICA8YmFycmFjbG91Z2hAYXBwbGUuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAo T09QUyEpLgorCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9p ZD01OTIyMQorICAgICAgICBbUmVnZXhGdXp6XSBSZWdyZXNzaW9uIGJsb2NraW5nIHRlc3RpbmcK KworICAgICAgICBBZGQgbmV3IHRlc3RzIGZvciBwYXJlbnRoZXRpY2FsIGFzc2VydGlvbnMuCisK KyAgICAgICAgKiBmYXN0L3JlZ2V4L2Fzc2VydGlvbi1leHBlY3RlZC50eHQ6CisgICAgICAgICog ZmFzdC9yZWdleC9zY3JpcHQtdGVzdHMvYXNzZXJ0aW9uLmpzOgorCiAyMDExLTA0LTI5ICBPamFu IFZhZmFpICA8b2phbkBjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgSW5sdWRlIG5ldyBleHBlY3Rl ZCByZXN1bHRzIGFjY2lkZW50YWxseSBleGNsdWRlZCBmcm9tCkluZGV4OiBMYXlvdXRUZXN0cy9m YXN0L3JlZ2V4L2Fzc2VydGlvbi1leHBlY3RlZC50eHQKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVz dHMvZmFzdC9yZWdleC9hc3NlcnRpb24tZXhwZWN0ZWQudHh0CShyZXZpc2lvbiA4NTI3MSkKKysr IExheW91dFRlc3RzL2Zhc3QvcmVnZXgvYXNzZXJ0aW9uLWV4cGVjdGVkLnR4dAkod29ya2luZyBj b3B5KQpAQCAtMzcsNiArMzcsOSBAQCBQQVNTIHJlZ2V4MjAuZXhlYygneCcpIGlzIG51bGwKIFBB U1MgcmVnZXgyMC5leGVjKCd4eCcpIGlzIFsneCcsJ3h4J10KIFBBU1MgcmVnZXgyMC5leGVjKCd4 eHgnKSBpcyBbJ3gnLCd4eCddCiBQQVNTIHJlZ2V4MjEuZXhlYygnYWFiJykgaXMgWydhYWInXQor UEFTUyByZWdleDIyLmV4ZWMoJzU1dXAnKSBpcyBudWxsCitQQVNTIHJlZ2V4MjMuZXhlYygnYXgn KSBpcyBudWxsCitQQVNTIHJlZ2V4MjQuZXhlYygneCcpIGlzIG51bGwKIFBBU1Mgc3VjY2Vzc2Z1 bGx5UGFyc2VkIGlzIHRydWUKIAogVEVTVCBDT01QTEVURQpJbmRleDogTGF5b3V0VGVzdHMvZmFz dC9yZWdleC9zY3JpcHQtdGVzdHMvYXNzZXJ0aW9uLmpzCj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRl c3RzL2Zhc3QvcmVnZXgvc2NyaXB0LXRlc3RzL2Fzc2VydGlvbi5qcwkocmV2aXNpb24gODUyNzEp CisrKyBMYXlvdXRUZXN0cy9mYXN0L3JlZ2V4L3NjcmlwdC10ZXN0cy9hc3NlcnRpb24uanMJKHdv cmtpbmcgY29weSkKQEAgLTc2LDUgKzc2LDE0IEBAIHNob3VsZEJlKCJyZWdleDIwLmV4ZWMoJ3h4 eCcpIiwgIlsneCcsJ3gKIHZhciByZWdleDIxID0gLyg/PWErYilhYWIvOwogc2hvdWxkQmUoInJl Z2V4MjEuZXhlYygnYWFiJykiLCAiWydhYWInXSIpOwogCit2YXIgcmVnZXgyMiA9IC8oPyEodXxt ezAsfWcrKXV7MSx9fDJ7Mix9ITElbnwoPyFLfCg/PXkpfCg/PWlwKSkrPykoPz0oPz0oKCg/Ojcp KSo/KSo/KSlwL207CitzaG91bGRCZSgicmVnZXgyMi5leGVjKCc1NXVwJykiLCAibnVsbCIpOwor Cit2YXIgcmVnZXgyMyA9IC8oPz0oYSlifGM/KSgpKmQvOworc2hvdWxkQmUoInJlZ2V4MjMuZXhl YygnYXgnKSIsICJudWxsIik7CisKK3ZhciByZWdleDI0ID0gLyg/PWF8Yj8pYy87CitzaG91bGRC ZSgicmVnZXgyNC5leGVjKCd4JykiLCAibnVsbCIpOworCiB2YXIgc3VjY2Vzc2Z1bGx5UGFyc2Vk ID0gdHJ1ZTsKIAo=