Bug 59221 - [RegexFuzz] Regression blocking testing
Summary: [RegexFuzz] Regression blocking testing
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
: P2 Normal
Assignee: Gavin Barraclough
Depends on:
Reported: 2011-04-22 12:20 PDT by Oliver Hunt
Modified: 2011-04-29 14:55 PDT (History)
5 users (show)

See Also:

The patch (5.02 KB, patch)
2011-04-29 14:41 PDT, Gavin Barraclough
oliver: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Oliver Hunt 2011-04-22 12:20:56 PDT
new RegExp("(?!(u|m{0,}g+)u{1,}|2{2,}!1%n|(?!K|(?=y)|(?=ip))+?)(?=(?=(((?:7))*?)*?))p", "m").exec("u55up")

This triggers the following assertion (which implies a out of bounds read), it also blocks the fuzzer:

ASSERTION FAILED: position < 0
/Volumes/BigData/git/WebKit/OpenSource/Source/JavaScriptCore/yarr/YarrInterpreter.cpp(205) : int JSC::Yarr::Interpreter::InputStream::readChecked(int)
1   JSC::Yarr::Interpreter::InputStream::readChecked(int)
2   JSC::Yarr::Interpreter::checkCharacter(int, int)
3   JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool)
4   JSC::Yarr::Interpreter::interpret()
5   JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, unsigned short const*, unsigned int, unsigned int, int*)
6   JSC::RegExp::match(JSC::UString const&, int, WTF::Vector<int, 32ul>*)
7   JSC::RegExpConstructor::performMatch(JSC::RegExp*, JSC::UString const&, int, int&, int&, int**)
8   JSC::RegExpObject::match(JSC::ExecState*)
9   JSC::RegExpObject::exec(JSC::ExecState*)
Comment 1 Gavin Barraclough 2011-04-29 11:57:05 PDT
Reduction: /(?=(a)b|c?)()*d/.exec("ax")
Comment 2 Gavin Barraclough 2011-04-29 13:08:56 PDT
Reduction with YARR JIT disabled:

Comment 3 Gavin Barraclough 2011-04-29 14:09:25 PDT
Reduction: /(?=(a)b|c?)()*d/.exec("ax")
Comment 4 Gavin Barraclough 2011-04-29 14:41:15 PDT
Created attachment 91742 [details]
The patch
Comment 5 Gavin Barraclough 2011-04-29 14:55:50 PDT
fixed in r85361