- Revision
- 255975
- Author
- [email protected]
- Date
- 2020-02-06 13:36:48 -0800 (Thu, 06 Feb 2020)
Log Message
_javascript_ string corruption using RegExp with unicode character
https://bugs.webkit.org/show_bug.cgi?id=187947
Reviewed by Yusuke Suzuki.
JSTests:
This change adds regression test for string corruption that occured after
non-BMP character was removed by String.prototype.replace.
The issue was fixed in https://trac.webkit.org/changeset/253648/webkit.
Also, this patch brings back:
1. An out-of-order character class range test.
2. Dangling and combined surrogates tests (as webkit.org/b/154863 is now resolved).
* stress/regress-187947.js: Added.
LayoutTests:
Besides adding a regression test, this patch brings back:
1. An out-of-order character class range test.
2. Dangling and combined surrogates tests (as webkit.org/b/154863 is now resolved).
* js/dom/regexp-range-out-of-order-expected.txt:
* js/dom/script-tests/regexp-range-out-of-order.js:
* js/regexp-unicode-expected.txt:
* js/script-tests/regexp-extended-characters-match.js:
* js/script-tests/regexp-unicode.js:
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (255974 => 255975)
--- trunk/JSTests/ChangeLog 2020-02-06 20:06:08 UTC (rev 255974)
+++ trunk/JSTests/ChangeLog 2020-02-06 21:36:48 UTC (rev 255975)
@@ -1,3 +1,20 @@
+2020-02-06 Sukolsak Sakshuwong <[email protected]> and Alexey Shvayka <[email protected]>
+
+ _javascript_ string corruption using RegExp with unicode character
+ https://bugs.webkit.org/show_bug.cgi?id=187947
+
+ Reviewed by Yusuke Suzuki.
+
+ This change adds regression test for string corruption that occured after
+ non-BMP character was removed by String.prototype.replace.
+ The issue was fixed in https://trac.webkit.org/changeset/253648/webkit.
+
+ Also, this patch brings back:
+ 1. An out-of-order character class range test.
+ 2. Dangling and combined surrogates tests (as webkit.org/b/154863 is now resolved).
+
+ * stress/regress-187947.js: Added.
+
2020-02-05 Justin Michaud <[email protected]>
Deleting a property should not turn structures into uncacheable dictionaries
Added: trunk/JSTests/stress/regress-187947.js (0 => 255975)
--- trunk/JSTests/stress/regress-187947.js (rev 0)
+++ trunk/JSTests/stress/regress-187947.js 2020-02-06 21:36:48 UTC (rev 255975)
@@ -0,0 +1,16 @@
+function shouldBe(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+var ab16bit = 'abcĀ'.replace(/c.*/, '');
+
+var map = {};
+map[ab16bit];
+
+var ropeAB = 'a' + 'b';
+var ropeABC = ropeAB + 'c';
+
+map[ropeAB];
+map[ropeABC] = 42;
+shouldBe(JSON.stringify(map), '{"abc":42}');
Modified: trunk/LayoutTests/ChangeLog (255974 => 255975)
--- trunk/LayoutTests/ChangeLog 2020-02-06 20:06:08 UTC (rev 255974)
+++ trunk/LayoutTests/ChangeLog 2020-02-06 21:36:48 UTC (rev 255975)
@@ -1,3 +1,20 @@
+2020-02-06 Sukolsak Sakshuwong <[email protected]> and Alexey Shvayka <[email protected]>
+
+ _javascript_ string corruption using RegExp with unicode character
+ https://bugs.webkit.org/show_bug.cgi?id=187947
+
+ Reviewed by Yusuke Suzuki.
+
+ Besides adding a regression test, this patch brings back:
+ 1. An out-of-order character class range test.
+ 2. Dangling and combined surrogates tests (as webkit.org/b/154863 is now resolved).
+
+ * js/dom/regexp-range-out-of-order-expected.txt:
+ * js/dom/script-tests/regexp-range-out-of-order.js:
+ * js/regexp-unicode-expected.txt:
+ * js/script-tests/regexp-extended-characters-match.js:
+ * js/script-tests/regexp-unicode.js:
+
2020-02-06 Commit Queue <[email protected]>
Unreviewed, rolling out r255910, r255970, and r255972.
Modified: trunk/LayoutTests/js/dom/regexp-range-out-of-order-expected.txt (255974 => 255975)
--- trunk/LayoutTests/js/dom/regexp-range-out-of-order-expected.txt 2020-02-06 20:06:08 UTC (rev 255974)
+++ trunk/LayoutTests/js/dom/regexp-range-out-of-order-expected.txt 2020-02-06 21:36:48 UTC (rev 255975)
@@ -4,6 +4,7 @@
PASS /^[s{-.[]()]$/ threw exception SyntaxError: Invalid regular _expression_: range out of order in character class.
+PASS new RegExp("[ā-Ā]") threw exception SyntaxError: Invalid regular _expression_: range out of order in character class.
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/LayoutTests/js/dom/script-tests/regexp-range-out-of-order.js (255974 => 255975)
--- trunk/LayoutTests/js/dom/script-tests/regexp-range-out-of-order.js 2020-02-06 20:06:08 UTC (rev 255974)
+++ trunk/LayoutTests/js/dom/script-tests/regexp-range-out-of-order.js 2020-02-06 21:36:48 UTC (rev 255975)
@@ -4,4 +4,5 @@
);
-shouldThrow('/^[\s{-.\[\]\(\)]$/');
+shouldThrow('/^[\s{-.\[\]\(\)]$/', '"SyntaxError: Invalid regular _expression_: range out of order in character class"');
+shouldThrow('new RegExp("[\u0101-\u0100]")', '"SyntaxError: Invalid regular _expression_: range out of order in character class"');
Modified: trunk/LayoutTests/js/regexp-unicode-expected.txt (255974 => 255975)
--- trunk/LayoutTests/js/regexp-unicode-expected.txt 2020-02-06 20:06:08 UTC (rev 255974)
+++ trunk/LayoutTests/js/regexp-unicode-expected.txt 2020-02-06 21:36:48 UTC (rev 255975)
@@ -86,6 +86,21 @@
PASS re2.test("A") is true
PASS re2.test("\x{FFFF}") is false
PASS re2.test("𒍅") is true
+PASS /[𐰁�#�]/u.exec("𐰁").toString() is "𐰁"
+PASS /[�𐰁�]/u.exec("𐰁").toString() is "𐰁"
+PASS /[�#�𐰁]/u.exec("𐰁").toString() is "𐰁"
+PASS /[�𐰁�]/u.exec("𐰁").toString() is "𐰁"
+PASS /[𐰁�#�]{2}/u.exec("𐰁") is null
+PASS /[�𐰁�]{2}/u.exec("𐰁") is null
+PASS /[�#�𐰁]{2}/u.exec("𐰁") is null
+PASS /[�𐰁�]{2}/u.exec("𐰁") is null
+PASS /�|�|𐰁/u.exec("𐰁").toString() is "𐰁"
+PASS /�|𐰁|�/u.exec("𐰁").toString() is "𐰁"
+PASS /�|�|𐰁/u.exec("�").toString() is "�"
+PASS /�|𐰁|�/u.exec("�").toString() is "�"
+PASS /�𐰁/u.exec("𐰁") is null
+PASS /�𐰁/u.exec("�") is null
+PASS "�𐰁".match(/�𐰁/u)[0].length is 3
PASS /𝌆{2}/u.test("𝌆𝌆") is true
PASS /𝌆{2}/u.test("𝌆𝌆") is true
PASS "𐐅𐐅𐐅𐐅".match(/𐐅{3}/u)[0] is "𐐅𐐅𐐅"
Modified: trunk/LayoutTests/js/script-tests/regexp-extended-characters-match.js (255974 => 255975)
--- trunk/LayoutTests/js/script-tests/regexp-extended-characters-match.js 2020-02-06 20:06:08 UTC (rev 255974)
+++ trunk/LayoutTests/js/script-tests/regexp-extended-characters-match.js 2020-02-06 21:36:48 UTC (rev 255975)
@@ -2,8 +2,6 @@
"This test checks regular expressions using extended (> 255) characters and character classes."
);
-// shouldThrow('var r = new RegExp("[\u0101-\u0100]"); r.exec("a")', 'null');
-
shouldBe('(new RegExp("[\u0100-\u0101]")).exec("a")', 'null');
shouldBe('(new RegExp("[\u0100]")).exec("a")', 'null');
shouldBe('(new RegExp("\u0100")).exec("a")', 'null');
Modified: trunk/LayoutTests/js/script-tests/regexp-unicode.js (255974 => 255975)
--- trunk/LayoutTests/js/script-tests/regexp-unicode.js 2020-02-06 20:06:08 UTC (rev 255974)
+++ trunk/LayoutTests/js/script-tests/regexp-unicode.js 2020-02-06 21:36:48 UTC (rev 255975)
@@ -104,22 +104,21 @@
shouldBeTrue('re2.test("\u{12345}")');
// Make sure we properly handle dangling surrogates and combined surrogates
-// FIXME: These tests are disabled until https://bugs.webkit.org/show_bug.cgi?id=154863 is fixed
-// shouldBe('/[\u{10c01}\uD803#\uDC01]/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
-// shouldBe('/[\uD803\u{10c01}\uDC01]/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
-// shouldBe('/[\uD803#\uDC01\u{10c01}]/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
-// shouldBe('/[\uD803\uD803\uDC01\uDC01]/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
-// shouldBeNull('/[\u{10c01}\uD803#\uDC01]{2}/u.exec("\u{10c01}")');
-// shouldBeNull('/[\uD803\u{10c01}\uDC01]{2}/u.exec("\u{10c01}")');
-// shouldBeNull('/[\uD803#\uDC01\u{10c01}]{2}/u.exec("\u{10c01}")');
-// shouldBeNull('/[\uD803\uD803\uDC01\uDC01]{2}/u.exec("\u{10c01}")');
-// shouldBe('/\uD803|\uDC01|\u{10c01}/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
-// shouldBe('/\uD803|\uD803\uDC01|\uDC01/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
-// shouldBe('/\uD803|\uDC01|\u{10c01}/u.exec("\u{D803}").toString()', '"\u{D803}"');
-// shouldBe('/\uD803|\uD803\uDC01|\uDC01/u.exec("\u{DC01}").toString()', '"\u{DC01}"');
-// shouldBeNull('/\uD803\u{10c01}/u.exec("\u{10c01}")');
-// shouldBeNull('/\uD803\u{10c01}/u.exec("\uD803")');
-// shouldBe('"\uD803\u{10c01}".match(/\uD803\u{10c01}/u)[0].length', '3');
+shouldBe('/[\u{10c01}\uD803#\uDC01]/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
+shouldBe('/[\uD803\u{10c01}\uDC01]/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
+shouldBe('/[\uD803#\uDC01\u{10c01}]/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
+shouldBe('/[\uD803\uD803\uDC01\uDC01]/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
+shouldBeNull('/[\u{10c01}\uD803#\uDC01]{2}/u.exec("\u{10c01}")');
+shouldBeNull('/[\uD803\u{10c01}\uDC01]{2}/u.exec("\u{10c01}")');
+shouldBeNull('/[\uD803#\uDC01\u{10c01}]{2}/u.exec("\u{10c01}")');
+shouldBeNull('/[\uD803\uD803\uDC01\uDC01]{2}/u.exec("\u{10c01}")');
+shouldBe('/\uD803|\uDC01|\u{10c01}/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
+shouldBe('/\uD803|\uD803\uDC01|\uDC01/u.exec("\u{10c01}").toString()', '"\u{10c01}"');
+shouldBe('/\uD803|\uDC01|\u{10c01}/u.exec("\u{D803}").toString()', '"\u{D803}"');
+shouldBe('/\uD803|\uD803\uDC01|\uDC01/u.exec("\u{DC01}").toString()', '"\u{DC01}"');
+shouldBeNull('/\uD803\u{10c01}/u.exec("\u{10c01}")');
+shouldBeNull('/\uD803\u{10c01}/u.exec("\uD803")');
+shouldBe('"\uD803\u{10c01}".match(/\uD803\u{10c01}/u)[0].length', '3');
// Check quantified matches
shouldBeTrue('/\u{1d306}{2}/u.test("\u{1d306}\u{1d306}")');
