Title: [201714] trunk
Revision
201714
Author
oli...@apple.com
Date
2016-06-06 10:31:28 -0700 (Mon, 06 Jun 2016)

Log Message

RegExp unicode parsing reads an extra character before failing
https://bugs.webkit.org/show_bug.cgi?id=158376

Reviewed by Saam Barati.

Source/JavaScriptCore:

This was a probably harmless bug, but keeps triggering assertions
for me locally. Essentially we'd see a parse error, set the error
type, but then carry on parsing. In debug builds this asserts, in
release builds you are pretty safe unless you're exceptionally
unlucky with where the error occurs.

* yarr/YarrParser.h:
(JSC::Yarr::Parser::parseEscape):

LayoutTests:

Add a couple of tests.

* js/script-tests/regexp-unicode.js:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (201713 => 201714)


--- trunk/LayoutTests/ChangeLog	2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/LayoutTests/ChangeLog	2016-06-06 17:31:28 UTC (rev 201714)
@@ -1,3 +1,14 @@
+2016-06-03  Oliver Hunt  <oli...@apple.com>
+
+        RegExp unicode parsing reads an extra character before failing
+        https://bugs.webkit.org/show_bug.cgi?id=158376
+
+        Reviewed by Saam Barati.
+
+        Add a couple of tests.
+
+        * js/script-tests/regexp-unicode.js:
+
 2016-06-06  Chris Dumez  <cdu...@apple.com>
 
         Crash under JSObject::getOwnPropertyDescriptor()

Modified: trunk/LayoutTests/js/regexp-unicode-expected.txt (201713 => 201714)


--- trunk/LayoutTests/js/regexp-unicode-expected.txt	2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/LayoutTests/js/regexp-unicode-expected.txt	2016-06-06 17:31:28 UTC (rev 201714)
@@ -151,6 +151,8 @@
 PASS r = new RegExp("[\\x]", "u") threw exception SyntaxError: Invalid regular _expression_: invalid escaped character for unicode pattern.
 PASS r = new RegExp("\\u", "u") threw exception SyntaxError: Invalid regular _expression_: invalid escaped character for unicode pattern.
 PASS r = new RegExp("[\\u]", "u") threw exception SyntaxError: Invalid regular _expression_: invalid escaped character for unicode pattern.
+PASS r = new RegExp("\\u{", "u") threw exception SyntaxError: Invalid regular _expression_: invalid unicode {} escape.
+PASS r = new RegExp("\\u{\udead", "u") threw exception SyntaxError: Invalid regular _expression_: invalid unicode {} escape.
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/js/script-tests/regexp-unicode.js (201713 => 201714)


--- trunk/LayoutTests/js/script-tests/regexp-unicode.js	2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/LayoutTests/js/script-tests/regexp-unicode.js	2016-06-06 17:31:28 UTC (rev 201714)
@@ -205,11 +205,11 @@
 var invalidEscapeException = "SyntaxError: Invalid regular _expression_: invalid escaped character for unicode pattern";
 var newRegExp;
 
-function shouldThrowInvalidEscape(pattern)
+function shouldThrowInvalidEscape(pattern, error='invalidEscapeException')
 {
     newRegExp = 'r = new RegExp("' + pattern + '", "u")';
 
-    shouldThrow(newRegExp, 'invalidEscapeException');
+    shouldThrow(newRegExp, error);
 }
 
 shouldThrowInvalidEscape("\\\\-");
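Review bot: The new `error` parameter on `shouldThrowInvalidEscape` is undocumented, and its default `'invalidEscapeException'` is a string naming a variable rather than the message itself. This suggests `shouldThrow` (not shown here) evaluates its second argument as source text, which would explain why the new callers pass a message wrapped in a second pair of quotes. A one-line comment above the function would spare the next author that guess: `// error is source text evaluated by shouldThrow: a variable name or a quoted string literal.` The helper's name also no longer matches what it can check now that it accepts messages other than the invalid-escape one, so a more neutral name such as `shouldThrowForUnicodePattern` would read better.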
@@ -222,3 +222,5 @@
 shouldThrowInvalidEscape("\\\\u");
 shouldThrowInvalidEscape("[\\\\u]");
 
+shouldThrowInvalidEscape("\\\\u{", '"SyntaxError: Invalid regular _expression_: invalid unicode {} escape"');
+shouldThrowInvalidEscape("\\\\u{\\udead", '"SyntaxError: Invalid regular _expression_: invalid unicode {} escape"');
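Review bot: The two added cases cover end-of-pattern after `\u{` and a lone surrogate after `\u{`, but no plain ASCII non-hex character, which is the most direct input for the `!isASCIIHexDigit(peek())` branch in the parser change. A case such as `"\\\\u{z"`, plus a character-class variant like the `[\\\\u]` case in the context above, would pin that path. The expected message is also spelled out twice with nested quotes; hoisting it into a variable beside `invalidEscapeException` (for example `invalidUnicodeEscapeException`) and passing the variable name would match how the default is handled.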

Modified: trunk/Source/_javascript_Core/ChangeLog (201713 => 201714)


--- trunk/Source/_javascript_Core/ChangeLog	2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-06-06 17:31:28 UTC (rev 201714)
@@ -1,3 +1,19 @@
+2016-06-03  Oliver Hunt  <oli...@apple.com>
+
+        RegExp unicode parsing reads an extra character before failing
+        https://bugs.webkit.org/show_bug.cgi?id=158376
+
+        Reviewed by Saam Barati.
+
+        This was a probably harmless bug, but keeps triggering assertions
+        for me locally. Essentially we'd see a parse error, set the error
+        type, but then carry on parsing. In debug builds this asserts, in
+        release builds you are pretty safe unless you're exceptionally
+        unlucky with where the error occurs.
+
+        * yarr/YarrParser.h:
+        (JSC::Yarr::Parser::parseEscape):
+
 2016-06-06  Guillaume Emont  <guijem...@igalia.com>
 
         [jsc][mips] fix JIT::emit_op_log_shadow_chicken_prologue/_tail

Modified: trunk/Source/_javascript_Core/yarr/YarrParser.h (201713 => 201714)


--- trunk/Source/_javascript_Core/yarr/YarrParser.h	2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/Source/_javascript_Core/yarr/YarrParser.h	2016-06-06 17:31:28 UTC (rev 201714)
@@ -448,10 +448,10 @@
                 consume();
                 UChar32 codePoint = 0;
                 do {
-                    if (atEndOfPattern())
+                    if (atEndOfPattern() || !isASCIIHexDigit(peek())) {
                         m_err = InvalidUnicodeEscape;
-                    if (!isASCIIHexDigit(peek()))
-                        m_err = InvalidUnicodeEscape;
+                        break;
+                    }
 
                     codePoint = (codePoint << 4) | toASCIIHexValue(consume());
 
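Review bot: The `break` leaves the digit loop with `m_err` set and a partial `codePoint`, so whatever follows the `do` loop must test `m_err` before it looks for the closing `}` or hands `codePoint` on. The loop tail and the code after it are outside this hunk, so that needs confirming there. Any other `m_err` assignment in the rest of the loop body deserves the same check: `codePoint = (codePoint << 4) | toASCIIHexValue(consume());` shifts a signed `UChar32` once per digit, so a range error that sets `m_err` without leaving the loop would let a long digit run overflow it. A short comment above the merged condition would record why the error must stop parsing at once, for example `// Stop at the first bad digit: peek()/consume() must not run once an error is recorded or the pattern has ended.`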