<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[201714] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/201714">201714</a></dd>
<dt>Author</dt> <dd>oliver@apple.com</dd>
<dt>Date</dt> <dd>2016-06-06 10:31:28 -0700 (Mon, 06 Jun 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>RegExp unicode parsing reads an extra character before failing
https://bugs.webkit.org/show_bug.cgi?id=158376

Reviewed by Saam Barati.

Source/JavaScriptCore:

This was a probably harmless bug, but keeps triggering assertions
for me locally. Essentially we'd see a parse error, set the error
type, but then carry on parsing. In debug builds this asserts, in
release builds you are pretty safe unless you're exceptionally
unlucky with where the error occurs.

* yarr/YarrParser.h:
(JSC::Yarr::Parser::parseEscape):

LayoutTests:

Add a couple of tests.

* js/script-tests/regexp-unicode.js:</pre>
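The log message above describes the defect as recording a parse error and then carrying on. As an added example (not WebKit's code), this C++ model of the `\u{...}` digit loop runs the pre-patch and patched shapes side by side so the extra read is visible; the `Cursor` type, the loop condition and the names `parseBraceEscape`/`overReads` are assumptions, with the YarrParser.h hunk on this page as the reference.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

enum class Err { None, InvalidUnicodeEscape };
struct ParseResult { Err err; uint32_t codePoint; std::size_t index; };  // index > size() = over-read

// Added example, not WebKit code: a cursor over the pattern text standing in for
// the parser's atEndOfPattern()/peek()/consume() (names taken from the hunk).
struct Cursor {
    const std::string& pattern;
    std::size_t index;
    bool atEnd() const { return index >= pattern.size(); }
    char peek() const { return atEnd() ? '\0' : pattern[index]; }  // the real peek() would over-read
    char consume() { char c = peek(); ++index; return c; }           // advances even at the end
};

static uint32_t hexValue(char c) { return c <= '9' ? c - '0' : (c | 0x20) - 'a' + 10; }

// Hex digits of a \u{...} escape, `start` being the index just after the '{'.
// failFast=false is the pre-patch shape (record the error, keep going), failFast=true
// the patched shape (record it and break). The loop condition is assumed; the hunk omits it.
ParseResult parseBraceEscape(const std::string& pattern, std::size_t start, bool failFast) {
    Cursor c{pattern, start};
    ParseResult r{Err::None, 0, start};
    do {
        if (c.atEnd() || !std::isxdigit(static_cast<unsigned char>(c.peek()))) {
            r.err = Err::InvalidUnicodeEscape;
            if (failFast)
                break;   // the fix: consume() is never reached once an error is recorded
        }
        // Pre-patch this ran with the error already set, even at end of pattern:
        // that consume() is the "extra character" of the bug title.
        r.codePoint = (r.codePoint << 4) | hexValue(c.consume());
    } while (!c.atEnd() && c.peek() != '}');
    r.index = c.index;
    return r;
}

// True when the loop left the cursor past the end of the pattern.
bool overReads(const std::string& pattern, std::size_t start, bool failFast) {
    return parseBraceEscape(pattern, start, failFast).index > pattern.size();
}

int main() {
    std::printf("\\u{ over-reads: before=%d after=%d\n",   // prints before=1 after=0
                overReads("\\u{", 3, false), overReads("\\u{", 3, true));
}
```

The `"\\u{z"` case (a non-hex character after the brace, the model's stand-in for the lone-surrogate test) does not over-read in either shape, but only the patched shape stops at the offending character instead of consuming it.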

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsjsregexpunicodeexpectedtxt">trunk/LayoutTests/js/regexp-unicode-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsscripttestsregexpunicodejs">trunk/LayoutTests/js/script-tests/regexp-unicode.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreyarrYarrParserh">trunk/Source/JavaScriptCore/yarr/YarrParser.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (201713 => 201714)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/LayoutTests/ChangeLog        2016-06-06 17:31:28 UTC (rev 201714)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2016-06-03  Oliver Hunt  &lt;oliver@apple.com&gt;
+
+        RegExp unicode parsing reads an extra character before failing
+        https://bugs.webkit.org/show_bug.cgi?id=158376
+
+        Reviewed by Saam Barati.
+
+        Add a couple of tests.
+
+        * js/script-tests/regexp-unicode.js:
+
</ins><span class="cx"> 2016-06-06  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Crash under JSObject::getOwnPropertyDescriptor()
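Review bot: the new entry is dated 2016-06-03 but is placed above the 2016-06-06 Chris Dumez entry, so the ChangeLog is out of chronological order; the revision landed on 2016-06-06, so restamp the entry with the landing date before committing.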
</span></span></pre></div>
<a id="trunkLayoutTestsjsregexpunicodeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/regexp-unicode-expected.txt (201713 => 201714)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regexp-unicode-expected.txt        2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/LayoutTests/js/regexp-unicode-expected.txt        2016-06-06 17:31:28 UTC (rev 201714)
</span><span class="lines">@@ -151,6 +151,8 @@
</span><span class="cx"> PASS r = new RegExp(&quot;[\\x]&quot;, &quot;u&quot;) threw exception SyntaxError: Invalid regular expression: invalid escaped character for unicode pattern.
</span><span class="cx"> PASS r = new RegExp(&quot;\\u&quot;, &quot;u&quot;) threw exception SyntaxError: Invalid regular expression: invalid escaped character for unicode pattern.
</span><span class="cx"> PASS r = new RegExp(&quot;[\\u]&quot;, &quot;u&quot;) threw exception SyntaxError: Invalid regular expression: invalid escaped character for unicode pattern.
</span><ins>+PASS r = new RegExp(&quot;\\u{&quot;, &quot;u&quot;) threw exception SyntaxError: Invalid regular expression: invalid unicode {} escape.
+PASS r = new RegExp(&quot;\\u{\udead&quot;, &quot;u&quot;) threw exception SyntaxError: Invalid regular expression: invalid unicode {} escape.
</ins><span class="cx"> PASS successfullyParsed is true
</span><span class="cx"> 
</span><span class="cx"> TEST COMPLETE
</span></span></pre></div>
<a id="trunkLayoutTestsjsscripttestsregexpunicodejs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/script-tests/regexp-unicode.js (201713 => 201714)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/regexp-unicode.js        2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/LayoutTests/js/script-tests/regexp-unicode.js        2016-06-06 17:31:28 UTC (rev 201714)
</span><span class="lines">@@ -205,11 +205,11 @@
</span><span class="cx"> var invalidEscapeException = &quot;SyntaxError: Invalid regular expression: invalid escaped character for unicode pattern&quot;;
</span><span class="cx"> var newRegExp;
</span><span class="cx"> 
</span><del>-function shouldThrowInvalidEscape(pattern)
</del><ins>+function shouldThrowInvalidEscape(pattern, error='invalidEscapeException')
</ins><span class="cx"> {
</span><span class="cx">     newRegExp = 'r = new RegExp(&quot;' + pattern + '&quot;, &quot;u&quot;)';
</span><span class="cx"> 
</span><del>-    shouldThrow(newRegExp, 'invalidEscapeException');
</del><ins>+    shouldThrow(newRegExp, error);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> shouldThrowInvalidEscape(&quot;\\\\-&quot;);
</span><span class="lines">@@ -222,3 +222,5 @@
</span><span class="cx"> shouldThrowInvalidEscape(&quot;\\\\u&quot;);
</span><span class="cx"> shouldThrowInvalidEscape(&quot;[\\\\u]&quot;);
</span><span class="cx"> 
</span><ins>+shouldThrowInvalidEscape(&quot;\\\\u{&quot;, '&quot;SyntaxError: Invalid regular expression: invalid unicode {} escape&quot;');
+shouldThrowInvalidEscape(&quot;\\\\u{\\udead&quot;, '&quot;SyntaxError: Invalid regular expression: invalid unicode {} escape&quot;');
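Review bot: the two new calls repeat the same long quoted message; declare it once beside `invalidEscapeException` (e.g. `var invalidUnicodeEscapeException = "SyntaxError: Invalid regular expression: invalid unicode {} escape";`) and pass `'invalidUnicodeEscapeException'`, which keeps both call styles the same as the default case. The pair covers `\u{` at end of pattern and `\u{` followed by a non-hex character, i.e. the two conditions the YarrParser.h hunk merges; a `\u{}` and an unterminated `\u{41` case would pin down the behaviour around the closing brace as well.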
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (201713 => 201714)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-06-06 17:31:28 UTC (rev 201714)
</span><span class="lines">@@ -1,3 +1,19 @@
</span><ins>+2016-06-03  Oliver Hunt  &lt;oliver@apple.com&gt;
+
+        RegExp unicode parsing reads an extra character before failing
+        https://bugs.webkit.org/show_bug.cgi?id=158376
+
+        Reviewed by Saam Barati.
+
+        This was a probably harmless bug, but keeps triggering assertions
+        for me locally. Essentially we'd see a parse error, set the error
+        type, but then carry on parsing. In debug builds this asserts, in
+        release builds you are pretty safe unless you're exceptionally
+        unlucky with where the error occurs.
+
+        * yarr/YarrParser.h:
+        (JSC::Yarr::Parser::parseEscape):
+
</ins><span class="cx"> 2016-06-06  Guillaume Emont  &lt;guijemont@igalia.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [jsc][mips] fix JIT::emit_op_log_shadow_chicken_prologue/_tail
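Review bot: same ordering problem as in LayoutTests/ChangeLog: the entry is dated 2016-06-03 yet sits above the 2016-06-06 Guillaume Emont entry, so restamp it with the landing date. The description could also name the mechanism in one line: after `m_err` was set, the loop still called `consume()`, which at end of pattern is the extra character the title refers to.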
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreyarrYarrParserh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/yarr/YarrParser.h (201713 => 201714)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/yarr/YarrParser.h        2016-06-06 17:22:23 UTC (rev 201713)
+++ trunk/Source/JavaScriptCore/yarr/YarrParser.h        2016-06-06 17:31:28 UTC (rev 201714)
</span><span class="lines">@@ -448,10 +448,10 @@
</span><span class="cx">                 consume();
</span><span class="cx">                 UChar32 codePoint = 0;
</span><span class="cx">                 do {
</span><del>-                    if (atEndOfPattern())
</del><ins>+                    if (atEndOfPattern() || !isASCIIHexDigit(peek())) {
</ins><span class="cx">                         m_err = InvalidUnicodeEscape;
</span><del>-                    if (!isASCIIHexDigit(peek()))
-                        m_err = InvalidUnicodeEscape;
</del><ins>+                        break;
+                    }
</ins><span class="cx"> 
</span><span class="cx">                     codePoint = (codePoint &lt;&lt; 4) | toASCIIHexValue(consume());
</span><span class="cx"> 
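Review bot: the merged condition is correct and the `||` order matters: `atEndOfPattern()` is evaluated first, so `peek()` is never called at the end of the pattern. Note that `break` leaves only this do/while; the code after the loop, which the hunk does not show, still runs with `m_err` set and a partially built `codePoint`, so confirm it bails out on `m_err` before consuming a closing `}` or using `codePoint`. Previously both checks assigned `m_err` and then fell through to `consume()`, which at end of pattern is the extra read from the bug title; a comment on the `break` saying as much would help the next reader.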
</span></span></pre>
</div>
</div>

</body>
</html>