[Webkit-unassigned] [Bug 187947] JavaScript string corruption using RegExp with unicode character
bugzilla-daemon at webkit.org
Thu Jul 26 18:22:58 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=187947
Yusuke Suzuki <utatane.tea at gmail.com> changed:
What | Removed | Added
-----|---------|----------------------------------------------
CC   |         | sbarati at apple.com, utatane.tea at gmail.com
--- Comment #3 from Yusuke Suzuki <utatane.tea at gmail.com> ---
(In reply to Sukolsak Sakshuwong from comment #2)
> The code from the snippet above causes an assertion failure in Debug mode:
>
> ASSERTION FAILED: is8Bit()
> /webkit/WebKitBuild/Debug/usr/local/include/wtf/text/StringImpl.h(271) :
> const LChar *WTF::StringImpl::characters8() const
> 1 0x10c34a419 WTFCrash
> 2 0x10c34dd19 WTF::StringImpl::characters8() const
> 3 0x10d6976f4 JSC::JSRopeString::resolveRopeInternal8NoSubstring(unsigned
> char*) const
> 4 0x10d69758a JSC::JSRopeString::resolveRopeInternal8(unsigned char*) const
> 5 0x10d698c82
> JSC::JSRopeString::resolveRopeToExistingAtomicString(JSC::ExecState*) const
> 6 0x10cc9436c JSC::JSString::toExistingAtomicString(JSC::ExecState*) const
> 7 0x10d36f12f JSC::LLInt::getByVal(JSC::VM&, JSC::ExecState*,
> JSC::Instruction*, JSC::JSValue, JSC::JSValue)
> 8 0x10d36eeb5 llint_slow_path_get_by_val
> 9 0x10c439862 llint_entry
> 10 0x10c4355b2 vmEntryToJavaScript
> 11 0x10d28b50a JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
> 12 0x10d28aab1 JSC::Interpreter::executeProgram(JSC::SourceCode const&,
> JSC::ExecState*, JSC::JSObject*)
> 13 0x10d543ad7 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&,
> JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
> 14 0x10c285010 runWithOptions(GlobalObject*, CommandLine&, bool&)
> 15 0x10c25c9cc jscmain(int, char**)::$_3::operator()(JSC::VM&,
> GlobalObject*, bool&) const
> 16 0x10c244174 int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool,
> jscmain(int, char**)::$_3 const&)
> 17 0x10c242c5f jscmain(int, char**)
> 18 0x10c242bbe main
> 19 0x7fff6dff4015 start
> Segmentation fault: 11
>
> Here is a smaller script that reproduces the same bug:
>
> var ab16bit = 'abcĀ'.replace(/c.*/, '');
>
> var map = {};
> map[ab16bit];
>
> var ropeAB = 'a' + 'b';
> var ropeABC = ropeAB + 'c';
>
> map[ropeAB];
> map[ropeABC] = 42;
> console.log(JSON.stringify(map)); // Expected: {"abc":42}. Actual: {"a\u0000c":42}.
>
> "map[ab16bit]" creates a 16-bit AtomicString "ab". ropeAB and ropeABC are
> initially 8-bit JSRopeStrings. "map[ropeAB]" causes ropeAB to resolve into
> the 16-bit AtomicString "ab". Because of https://webkit.org/b/133574, ropeAB
> becomes a 16-bit string. However, ropeABC, which points to ropeAB, is still
> an 8-bit JSRopeString. So, when it is forced to resolve, it copies only the
> first two bytes of ropeAB, which is "a\0". Thus it returns "a\0c".
>
> One way to fix this seems to be that, when an 8-bit JSRopeString becomes
> 16-bit, it should set all its ancestor JSRopeStrings to be 16-bit. But I'm
> not sure how.
I think the correct fix should be making AtomicString 8-bit if it can be.
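The mechanism described in the quoted comment, as a toy C model (an added example, not WebKit code; the `Str` type, `leaf8`/`rope`/`widenTo16`/`resolve`/`reproduce` names and the `recheck` flag are this example's own). A rope caches `is8Bit` at creation; `recheck == 0` copies fibers as raw bytes on that cached value, reproducing the "a\0c" result, while `recheck == 1` re-derives bitness from the fibers at resolution time.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy model of a JSC string (added example, not WebKit code). A leaf owns 8-bit
 * (LChar) or 16-bit (UChar) storage; a rope owns two fibers and caches is8Bit. */
typedef struct Str {  /* chars: uint8_t[] if is8Bit, else uint16_t[]; NULL for a rope */
    int is8Bit; size_t length; void *chars; struct Str *left, *right;
} Str;
static Str *leaf8(const char *s) {
    Str *r = calloc(1, sizeof *r); r->is8Bit = 1; r->length = strlen(s);
    r->chars = memcpy(malloc(r->length), s, r->length);
    return r;
}
static Str *rope(Str *l, Str *r) {
    Str *s = calloc(1, sizeof *s);
    s->is8Bit = l->is8Bit && r->is8Bit; /* cached here and never revisited */
    s->length = l->length + r->length; s->left = l; s->right = r; return s;
}
/* Models webkit.org/b/133574: a resolved 8-bit string interned against an existing
 * 16-bit AtomicString adopts that 16-bit storage. */
static void widenTo16(Str *s) {
    uint16_t *w = malloc(s->length * sizeof *w);
    for (size_t i = 0; i < s->length; i++) w[i] = ((uint8_t *)s->chars)[i];
    free(s->chars); s->chars = w; s->is8Bit = 0;
}
static uint16_t unitAt(const Str *s, size_t i) {
    return s->is8Bit ? ((uint8_t *)s->chars)[i] : ((uint16_t *)s->chars)[i];
}
/* Flatten a rope. recheck == 0: trust cached is8Bit and copy fibers as raw bytes
 * (the reported defect). recheck == 1: re-derive bitness from resolved fibers. */
static void resolve(Str *s, int recheck) {
    if (s->chars) return;
    resolve(s->left, recheck); resolve(s->right, recheck);
    if (recheck) s->is8Bit = s->left->is8Bit && s->right->is8Bit;
    size_t unit = s->is8Bit ? 1 : 2, off = 0; uint8_t *buf = malloc(s->length * unit);
    for (int f = 0; f < 2; f++) {
        Str *fb = f ? s->right : s->left;
        if (unit == 1) memcpy(buf + off, fb->chars, fb->length); /* wrong if fb is 16-bit */
        else for (size_t i = 0; i < fb->length; i++) ((uint16_t *)buf)[off + i] = unitAt(fb, i);
        off += fb->length;
    }
    s->chars = buf;
}
/* Mirrors the reporter's script: map[ropeAB] resolves and widens "ab", then ropeABC,
 * still an 8-bit rope over it, is resolved. Returns code unit 1 of ropeABC. */
static uint16_t reproduce(int recheck, int *abcIs8Bit) {
    Str *ab = rope(leaf8("a"), leaf8("b")), *abc = rope(ab, leaf8("c"));
    resolve(ab, recheck); widenTo16(ab);   /* map[ropeAB] */
    resolve(abc, recheck);                 /* map[ropeABC] = 42 */
    *abcIs8Bit = abc->is8Bit; return unitAt(abc, 1); /* 'b' expected; not 'b' when buggy */
}
```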