[Webkit-unassigned] [Bug 50579] Regular expression methods crashing browser (buffer overflow?)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 7 07:47:16 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=50579
--- Comment #4 from Peter Varga <pvarga at inf.u-szeged.hu>  2010-12-07 07:47:16 PST ---
I checked the YARR JIT. I don't have a complete solution but I summarize the partial results of my investigation:

Here is a simpler test case which I'm using for debugging: /a(b)(a*)|aaa/.test('aaa')

The problem is that if the matching of term 'b' fails, then it resets the result of subpattern matching and
starts the matching from the beginning, but the position index (edx) is never increased.
Thus the JIT does the same character check again and again in an infinite loop.

The wrong backtrack code block has been executed since the backtrack logic extension was introduced.
Here is a simple asm example from the generated code:

match_b:
  cmpw   $0x62,-0x2(%eax,%edx,2)
  jne    parentheses_tail
...
expected_backtrack:
  add    $0x1,%edx
  jmp    available_input
...
current_backtrack:
  mov    %edx,%ebx
  sub    $0x2,%ebx
  mov    %ebx,(%edi)
  jmp    match_b
available_input:
  mov    %edx,%ebx
  sub    $0x2,%ebx
  mov    %ebx,(%edi)
  add    $0x0,%edx
  cmp    %ecx,%edx
  jbe    match_b
...
parentheses_tail:
  movl   $0xffffffff,0x8(%edi)
  jmp    current_backtrack

It should jump to the "expected_backtrack" instead of "current_backtrack" label in the "parentheses_tail" code block.

The state.linkAlternativeBacktracks(this, true) links to the "current_backtrack" at RegexJIT.cpp:1958.
I guess the desired place of this link is at RegexJIT.cpp:1902 where the notEnoughInputForPreviousAlternative label
is linked now.

I hope this information is useful.
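A toy model of the control flow in the assembly quoted above, added here as an illustration and not code from WebKit or YARR: it walks from match_b for the 'aaa' test case and reports whether the backtrack path terminates or re-enters match_b with identical register and capture state. It assumes 16-bit characters (so -0x2(%eax,%edx,2) reads text[edx-1]), that %edi points at the subpattern's start/end slots, and that edx is 2 on entry (after the 'a' at index 0 and the candidate 'b' at index 1).

```python
def walk(text, backtrack_advances, step_budget=64):
    """Return (outcome, steps) for one walk of the quoted control flow.

    backtrack_advances=True  follows 'expected_backtrack' (add $0x1,%edx, then
                             the bounds check in 'available_input').
    backtrack_advances=False follows 'current_backtrack' (edx untouched, jump
                             straight back to match_b), as observed in the report.
    outcome: 'fail'      - ran out of input, so this alternative is given up;
             'stuck'     - same (edx, capture start, capture end) state reached
                           twice at match_b, i.e. a guaranteed infinite loop;
             'matched_b' - the 'b' comparison succeeded (not reached for 'aaa');
             'budget'    - undecided within step_budget.
    Assumed register layout: %edx input index, %ecx input length,
    (%edi) capture start, 0x8(%edi) capture end.
    """
    edx, ecx = 2, len(text)
    cap_start, cap_end = -1, -1
    seen = set()
    steps = 0
    while steps < step_budget:
        steps += 1
        state = (edx, cap_start, cap_end)
        if state in seen:
            # Re-entering match_b with nothing changed: the JIT would spin forever.
            return ("stuck", steps)
        seen.add(state)
        # match_b: cmpw $0x62,-0x2(%eax,%edx,2) ; jne parentheses_tail
        if text[edx - 1] == "b":
            return ("matched_b", steps)
        # parentheses_tail: movl $0xffffffff,0x8(%edi)  (reset subpattern end)
        cap_end = -1
        if backtrack_advances:
            edx += 1                      # expected_backtrack: add $0x1,%edx
        cap_start = edx - 2               # mov %edx,%ebx ; sub $0x2,%ebx ; mov %ebx,(%edi)
        if backtrack_advances and edx > ecx:
            # available_input: cmp %ecx,%edx ; jbe match_b  (fall through = no input left)
            return ("fail", steps)
    return ("budget", steps)


if __name__ == "__main__":
    print("expected_backtrack:", walk("aaa", backtrack_advances=True))   # ('fail', 2)
    print("current_backtrack: ", walk("aaa", backtrack_advances=False))  # ('stuck', 3)
```

The repeated-state check is the same kind of progress guard a regex engine's backtracking loop can assert on: a backtrack that returns to the same term without advancing the input index can never terminate.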
