[Webkit-unassigned] [Bug 50579] Regular expression methods crashing browser (buffer overflow?)
bugzilla-daemon at webkit.org
Tue Dec 7 07:47:16 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=50579
--- Comment #4 from Peter Varga <pvarga at inf.u-szeged.hu> 2010-12-07 07:47:16 PST ---
I checked the YARR JIT. I don't have a complete solution but I summarize the partial results of my investigation:
Here is a simpler test case which I'm using for debugging: /a(b)(a*)|aaa/.test('aaa')
The problem is that if the matching of term 'b' fails, it resets the result of subpattern matching and
starts the matching from the beginning, but the position index (edx) is never increased.
Thus the JIT does the same character check again and again in an infinite loop.
The wrong backtrack code block has been executed since the backtrack logic extension was introduced.
Here is a simple asm example from the generated code:
match_b:
cmpw $0x62,-0x2(%eax,%edx,2)
jne parentheses_tail
...
expected_backtrack:
add $0x1,%edx
jmp available_input
...
current_backtrack:
mov %edx,%ebx
sub $0x2,%ebx
mov %ebx,(%edi)
jmp match_b
available_input:
mov %edx,%ebx
sub $0x2,%ebx
mov %ebx,(%edi)
add $0x0,%edx
cmp %ecx,%edx
jbe match_b
...
parentheses_tail:
movl $0xffffffff,0x8(%edi)
jmp current_backtrack;
It should jump to the "expected_backtrack" instead of "current_backtrack" label in the "parentheses_tail" code block.
The state.linkAlternativeBacktracks(this, true) links to the "current_backtrack" at RegexJIT.cpp:1958.
I guess the desired place of this link is at RegexJIT.cpp:1902 where the notEnoughInputForPreviousAlternative label
is linked now.
I hope this information is useful.
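As an added illustration (not WebKit code and not part of the comment above), a tiny backtracking matcher for the reduced test case /a(b)(a*)|aaa/: it shows the semantics the JIT has to preserve, namely that a failed alternative leaves no captures behind and that the outer search loop advances the start index before retrying, which is the increment the stuck edx never receives. Node types, the `exec` function and the pattern tree below are this example's own conventions.

```javascript
// Added illustration (not WebKit code): a tiny backtracking matcher whose
// outer loop advances the start index after every failed attempt, which is
// exactly the step the miscompiled backtrack block skips.
function matchNode(node, s, i, caps, k) {
  switch (node.type) {
    case 'char': // single literal character
      return s[i] === node.c ? k(i + 1, caps) : null;
    case 'seq':  // concatenation, matched left to right
      return matchSeq(node.nodes, 0, s, i, caps, k);
    case 'alt':  // try each alternative at the same position; a failed
      for (const a of node.alts) {             // alternative leaves no
        const r = matchNode(a, s, i, caps, k); // captures behind (caps is
        if (r) return r;                       // never mutated)
      }
      return null;
    case 'group': // record the capture only once the inner node succeeds
      return matchNode(node.node, s, i, caps,
        (j, c) => k(j, { ...c, [node.idx]: s.slice(i, j) }));
    case 'star': { // greedy: prefer one more iteration, then give it up
      const more = matchNode(node.node, s, i, caps,
        (j, c) => (j > i ? matchNode(node, s, j, c, k) : null));
      return more || k(i, caps);
    }
  }
}
function matchSeq(nodes, n, s, i, caps, k) {
  if (n === nodes.length) return k(i, caps);
  return matchNode(nodes[n], s, i, caps,
    (j, c) => matchSeq(nodes, n + 1, s, j, c, k));
}
// Unanchored search: when no alternative matches at `start`, move on to
// start + 1. Without this increment the loop below would never terminate.
function exec(pattern, s) {
  for (let start = 0; start <= s.length; start++) {
    const r = matchNode(pattern, s, start, {},
      (end, caps) => ({ index: start, match: s.slice(start, end), caps }));
    if (r) return r;
  }
  return null;
}
const ch = (c) => ({ type: 'char', c });
// The comment's reduced test case, /a(b)(a*)|aaa/, as a pattern tree.
const PATTERN = { type: 'alt', alts: [
  { type: 'seq', nodes: [ch('a'),
    { type: 'group', idx: 1, node: ch('b') },
    { type: 'group', idx: 2, node: { type: 'star', node: ch('a') } }] },
  { type: 'seq', nodes: [ch('a'), ch('a'), ch('a')] },
] };
```

On 'aaa' the first alternative fails at 'b', the capture of group 1 is discarded, and the second alternative matches the whole input at index 0.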