Bug 59221 - [RegexFuzz] Regression blocking testing (RESOLVED FIXED)
https://bugs.webkit.org/show_bug.cgi?id=59221
Oliver Hunt
Reported 2011-04-22 12:20:56 PDT
new RegExp("(?!(u|m{0,}g+)u{1,}|2{2,}!1%n|(?!K|(?=y)|(?=ip))+?)(?=(?=(((?:7))*?)*?))p", "m").exec("u55up")

This triggers the following assertion (which implies an out-of-bounds read); it also blocks the fuzzer:

ASSERTION FAILED: position < 0
/Volumes/BigData/git/WebKit/OpenSource/Source/JavaScriptCore/yarr/YarrInterpreter.cpp(205) : int JSC::Yarr::Interpreter::InputStream::readChecked(int)
1 JSC::Yarr::Interpreter::InputStream::readChecked(int)
2 JSC::Yarr::Interpreter::checkCharacter(int, int)
3 JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool)
4 JSC::Yarr::Interpreter::interpret()
5 JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, unsigned short const*, unsigned int, unsigned int, int*)
6 JSC::RegExp::match(JSC::UString const&, int, WTF::Vector<int, 32ul>*)
7 JSC::RegExpConstructor::performMatch(JSC::RegExp*, JSC::UString const&, int, int&, int&, int**)
8 JSC::RegExpObject::match(JSC::ExecState*)
9 JSC::RegExpObject::exec(JSC::ExecState*)
Attachments
The patch (5.02 KB, patch)
2011-04-29 14:41 PDT, Gavin Barraclough
oliver: review+
Gavin Barraclough
Comment 1 2011-04-29 11:57:05 PDT
Reduction: /(?=(a)b|c?)()*d/.exec("ax")
Gavin Barraclough
Comment 2 2011-04-29 13:08:56 PDT
Reduction with YARR JIT disabled: /(?=a|b?)c/.exec("x")
Gavin Barraclough
Comment 3 2011-04-29 14:09:25 PDT
Reduction: /(?=(a)b|c?)()*d/.exec("ax")
Gavin Barraclough
Comment 4 2011-04-29 14:41:15 PDT
Created attachment 91742: The patch
Gavin Barraclough
Comment 5 2011-04-29 14:55:50 PDT
fixed in r85361
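As an added regression check (not part of the bug report or of WebKit's own test suite), the following JavaScript compiles each reduction from this bug in a fresh RegExp, runs it against the host engine, and compares the outcome with the result ECMAScript specifies; the fourth case is a constructed positive control and the expected values are hand-derived.

```javascript
// Regression harness added here (not WebKit's test, not from the bug report):
// each reduction from this bug is compiled in a fresh RegExp and executed, and
// the outcome is compared with the ECMAScript-specified result. Expected values
// are hand-derived: a lookahead is atomic (the matcher never backtracks into it)
// and a zero-width iteration terminates a loop, so every case whose input lacks
// the trailing literal must return null rather than read past the input.
const cases = [
  { // original fuzzer input from the report
    src: "(?!(u|m{0,}g+)u{1,}|2{2,}!1%n|(?!K|(?=y)|(?=ip))+?)(?=(?=(((?:7))*?)*?))p",
    flags: "m", input: "u55up", expected: null },
  { // reduction from comment 1 / comment 3
    src: "(?=(a)b|c?)()*d", flags: "", input: "ax", expected: null },
  { // reduction with the YARR JIT disabled, from comment 2
    src: "(?=a|b?)c", flags: "", input: "x", expected: null },
  { // positive control (constructed): same shape, literal present, so it must match
    src: "(?=a|b?)x", flags: "", input: "x", expected: ["x"] },
];

// Compile and run one case; an engine exception is recorded, never propagated,
// so a crash-turned-exception in one pattern does not hide the remaining cases.
function runCase(c) {
  try {
    const m = new RegExp(c.src, c.flags).exec(c.input);
    const got = m === null ? null : Array.from(m);
    const pass = JSON.stringify(got) === JSON.stringify(c.expected);
    return { status: "ran", got, pass };
  } catch (e) {
    return { status: "threw", error: String(e), pass: false };
  }
}

// Run every case and return the per-case results for inspection or assertion.
function runAll() {
  return cases.map((c) => ({ src: c.src, input: c.input, ...runCase(c) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runAll()) {
    console.log(r.pass ? "PASS" : "FAIL", r.src, r.status, r.got ?? r.error);
  }
}
```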