Title: [201105] trunk
Revision
201105
Author
[email protected]
Date
2016-05-18 15:36:01 -0700 (Wed, 18 May 2016)

Log Message

r199812 broke test262
https://bugs.webkit.org/show_bug.cgi?id=157595

Reviewed by Filip Pizlo.

Source/_javascript_Core:

Added a reasonable limit to the size of the match result array to catch possible
infinite loops when matching.
Added a new test that creates an infinite loop in RegExp.prototype.[Symbol.match]
by creating a subclass of RegExp where the base RegExp's global flag is false and
the subclass overrides .global with a getter that always returns true.

* builtins/RegExpPrototype.js:
(match):
* tests/stress/regress-157595.js: Added.
(MyRegExp):
(MyRegExp.prototype.get global):
(test):
(catch):

Tools:

Added a new run type, runOneLargeHeap, for tests that use a large amount of memory.
This run type will not run with the --memory-limited option.  Without that option,
we'll only run the default test variant.

* Scripts/run-jsc-stress-tests:
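To make the failure mode in the log message concrete, here is an added, self-contained model of the RegExp.prototype[Symbol.match] loop from the ES2015 spec with the iteration cap this commit introduces. It is illustration code, not WebKit's builtin: the names `specMatch`, `LyingRegExp` and `MAX_REASONABLE_MATCHES` are assumed, and the cap is deliberately tiny so the demo finishes quickly.

```javascript
// Constructed cap for the demo; the commit uses 100000000 in JSC.
const MAX_REASONABLE_MATCHES = 1000;

// Mirrors the spec algorithm for RegExp.prototype[Symbol.match] when `global`
// is true; `limit` is the added safeguard corresponding to the patch.
function specMatch(regexp, str, limit = MAX_REASONABLE_MATCHES) {
  if (!regexp.global) return regexp.exec(str);
  regexp.lastIndex = 0;
  const results = [];
  while (true) {
    const result = regexp.exec(str);
    if (result === null) return results.length === 0 ? null : results;
    // Same placement as the patch: after the null check, before the push.
    if (results.length > limit) throw new Error("Out of memory");
    const matchStr = String(result[0]);
    results.push(matchStr);
    // Only an empty match advances lastIndex explicitly (unicode rule omitted);
    // a non-empty match relies on exec() itself advancing lastIndex, which a
    // non-global, non-sticky exec() never does.
    if (matchStr === "") regexp.lastIndex = regexp.lastIndex + 1;
  }
}

// The shape from the regression test: underlying flags are "" (not global),
// but the accessor claims the regexp is global, so exec() keeps returning
// the first match and the loop never sees null.
class LyingRegExp extends RegExp {
  constructor(pattern) { super(pattern, ""); }
  get global() { return true; }
}

function demo() {
  const honest = specMatch(new RegExp(".", "g"), "abc"); // ["a", "b", "c"]
  let outcome;
  try {
    specMatch(new LyingRegExp("."), "abc");
    outcome = "returned";
  } catch (e) {
    outcome = e.message; // "Out of memory" once the cap is exceeded
  }
  return { honest, outcome };
}
```

Without the `limit` check the second call never returns, which is exactly what r199812 exposed once `[Symbol.match]` started honouring the overridable `global` accessor.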

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (201104 => 201105)


--- trunk/Source/_javascript_Core/ChangeLog	2016-05-18 22:27:47 UTC (rev 201104)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-05-18 22:36:01 UTC (rev 201105)
@@ -1,3 +1,24 @@
+2016-05-18  Michael Saboff  <[email protected]>
+
+        r199812 broke test262
+        https://bugs.webkit.org/show_bug.cgi?id=157595
+
+        Reviewed by Filip Pizlo.
+
+        Added a reasonable limit to the size of the match result array to catch possible
+        infinite loops when matching.
+        Added a new tests that creates an infinite loop in RegExp.prototype.[Symbol.match]
+        by creating a subclass of RegExp where the base RegExp's global flag is false and
+        the subclass overrides .global with a getter that always returns true.
+
+        * builtins/RegExpPrototype.js:
+        (match):
+        * tests/stress/regress-157595.js: Added.
+        (MyRegExp):
+        (MyRegExp.prototype.get global):
+        (test):
+        (catch):
+
 2016-05-18  Yusuke Suzuki  <[email protected]>
 
         [ES6] Namespace object re-export should be handled as local export
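Review bot: grammar slip in the new ChangeLog entry, line `+        Added a new tests that creates an infinite loop in RegExp.prototype.[Symbol.match]`: it should read "Added a new test that creates".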

Modified: trunk/Source/_javascript_Core/builtins/RegExpPrototype.js (201104 => 201105)


--- trunk/Source/_javascript_Core/builtins/RegExpPrototype.js	2016-05-18 22:27:47 UTC (rev 201104)
+++ trunk/Source/_javascript_Core/builtins/RegExpPrototype.js	2016-05-18 22:36:01 UTC (rev 201105)
@@ -97,8 +97,9 @@
     let unicode = regexp.unicode;
     regexp.lastIndex = 0;
     let resultList = [];
-    let stringLength = str.length;
 
+    const maximumReasonableMatchSize = 100000000;
+
     while (true) {
         let result = @regExpExec(regexp, str);
         
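Review bot: `const maximumReasonableMatchSize = 100000000;` is an unexplained magic number; add a comment stating why this bound was chosen and that reaching it indicates a misbehaving `exec`/`global` pair rather than a legitimately huge result, since a reader will otherwise take it as a supported result size. Note also that because the bound is only enforced inside the loop, a regexp whose `global` getter lies still performs 100 million `@regExpExec` calls and allocates 100 million result entries before the throw, which is why the accompanying test needs a large-heap run type. Removing the unused `stringLength` is fine.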
@@ -108,6 +109,9 @@
             return resultList;
         }
 
+        if (resultList.length > maximumReasonableMatchSize)
+            throw new @Error("Out of memory");
+
         if (!@isObject(result))
             throw new @TypeError("RegExp.prototype.@@match call to RegExp.exec didn't return null or an object");
 
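Review bot: the check `if (resultList.length > maximumReasonableMatchSize) throw new @Error("Out of memory");` throws a plain `@Error` whose message the new stress test matches by exact string (`e.message != "Out of memory"`), so any later rewording of the message silently breaks the test; consider a dedicated error type, or at least a comment on both sides noting the coupling. Placement after the `result === null` early return is correct, since a regexp that does terminate normally should never pay for the check on its final iteration.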

Added: trunk/Source/_javascript_Core/tests/stress/regress-157595.js (0 => 201105)


--- trunk/Source/_javascript_Core/tests/stress/regress-157595.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/regress-157595.js	2016-05-18 22:36:01 UTC (rev 201105)
@@ -0,0 +1,27 @@
+// Test that an overridden global on a RegExp object doesn't cause an infinite loop
+// in String.match(). Instead it should eventually throw an Out of Memory exception.
+//@ runOneLargeHeap
+
+class MyRegExp extends RegExp {
+    constructor(pattern) {
+        super(pattern, "");
+    }
+
+    get global() {
+        return true;
+    }
+};
+
+function test()
+{
+    let r = new MyRegExp(".");
+
+    return "abc".match(r);
+}
+
+try {
+    test();
+} catch(e) {
+    if (e.message != "Out of memory")
+        throw "Wrong error: " + e;
+}
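Review bot: the test passes vacuously if `test()` returns normally, because nothing in the `try` block asserts that an exception was actually raised; record the outcome, e.g. `let threw = false;` before the `try`, `threw = true;` at the top of `catch(e)`, and `if (!threw) throw "Expected Out of memory error";` after it, so a regression that makes the loop silently terminate is caught. Minor style point: the `};` after the class body has a stray semicolon.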

Modified: trunk/Tools/ChangeLog (201104 => 201105)


--- trunk/Tools/ChangeLog	2016-05-18 22:27:47 UTC (rev 201104)
+++ trunk/Tools/ChangeLog	2016-05-18 22:36:01 UTC (rev 201105)
@@ -1,3 +1,16 @@
+2016-05-18  Michael Saboff  <[email protected]>
+
+        r199812 broke test262
+        https://bugs.webkit.org/show_bug.cgi?id=157595
+
+        Reviewed by Filip Pizlo.
+
+        Added a new run type, runOneLargeHeap, for tests that use a large amount of memory.
+        This run type will not run with the --memory-limited option.  Without that option,
+        we'll only the default test variant.
+
+        * Scripts/run-jsc-stress-tests:
+
 2016-05-18  Simon Fraser  <[email protected]>
 
         REGRESSION (r200534) Command-+ no longer zooms pages 
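Review bot: the sentence `+        we'll only the default test variant.` in the new Tools ChangeLog entry is missing its verb; it should read "we'll only run the default test variant."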

Modified: trunk/Tools/Scripts/run-jsc-stress-tests (201104 => 201105)


--- trunk/Tools/Scripts/run-jsc-stress-tests	2016-05-18 22:27:47 UTC (rev 201104)
+++ trunk/Tools/Scripts/run-jsc-stress-tests	2016-05-18 22:36:01 UTC (rev 201105)
@@ -784,6 +784,15 @@
     run("ram-size-#{size}", "--forceRAMSize=#{size}")
 end
 
+def runOneLargeHeap
+    if $memoryLimited
+        $didAddRunCommand = true
+        puts "Skipping #{$collectionName}/#{$benchmark}"
+    else
+        run("default")
+    end
+end
+
 def runNoJIT
     run("no-jit", "--useJIT=false")
 end
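Review bot: `runOneLargeHeap` sets `$didAddRunCommand = true` on the `$memoryLimited` skip path while adding no run command, unlike the neighbouring run types which always call `run(...)`; add a one-line comment explaining that the flag is set deliberately so the harness does not treat the skipped test as one that registered no variant.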