Unreachable code in src/regexp/jsregexp.h
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4987975527563264
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: Unreachable code
Crash Address:
Crash State: src/regexp/jsregexp.h
Minimized Testcase (12.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97dtASI1jgSJlA7OQC5nowiNkItegJAK469zqPokP8KoMGVVNxaM2t05r91hRzPYphUgZqQMYU6AbluPfwANPcp7gJPqHUPv1B_eMNCJTCjxDpSI944SoCP8xuBjoHAmOxqtEXTAeyd7Va9yHPIlCVA66aGhg
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 22 2016
Yang agreed to take a look. Thanks!
Apr 25 2016
Shorter repro:

  /[]*/u.exec("\u1234");
Apr 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6f67d171f10040f7096c1d663572c7a1dfe6b036

commit 6f67d171f10040f7096c1d663572c7a1dfe6b036
Author: yangguo <yangguo@chromium.org>
Date: Mon Apr 25 13:30:52 2016

  [regexp] Fix non-match and max match length in RegExpCharacterClass.

  R=mstarzinger@chromium.org
  BUG= chromium:605862
  LOG=N

  Review URL: https://codereview.chromium.org/1916763002
  Cr-Commit-Position: refs/heads/master@{#35764}

[modify] https://crrev.com/6f67d171f10040f7096c1d663572c7a1dfe6b036/src/regexp/jsregexp.cc
[modify] https://crrev.com/6f67d171f10040f7096c1d663572c7a1dfe6b036/src/regexp/regexp-ast.h
[add] https://crrev.com/6f67d171f10040f7096c1d663572c7a1dfe6b036/test/mjsunit/regress/regress-crbug-605862.js
Apr 26 2016
ClusterFuzz has detected this issue as fixed in range 35763:35764.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4987975527563264
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: Unreachable code
Crash Address:
Crash State: src/regexp/jsregexp.h
Fixed: V8: r35763:35764
Minimized Testcase (12.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97dtASI1jgSJlA7OQC5nowiNkItegJAK469zqPokP8KoMGVVNxaM2t05r91hRzPYphUgZqQMYU6AbluPfwANPcp7gJPqHUPv1B_eMNCJTCjxDpSI944SoCP8xuBjoHAmOxqtEXTAeyd7Va9yHPIlCVA66aGhg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Apr 22 2016
Not specific to Ignition. Reproduces with the following snippet ...

  // Substitute lone surrogates for the letters and an empty class for '.'
  // so that both the pattern and the subject contain unpaired surrogates.
  function replace(string) {
    return string.replace(/L/g, "\ud800")
                 .replace(/l/g, "\ud801")
                 .replace(/T/g, "\udc00")
                 .replace(/\./g, "[]");
  }

  function test(regexp_source, subject) {
    subject = replace(subject);
    regexp_source = replace(regexp_source);
    new RegExp(regexp_source, "u").exec(subject);
  }

  test("(L).*\\1(.)", "LLTLl");