[JSC] RegExp with deeply nested subexpressions overflows the stack in Yarr
author    benjamin@webkit.org <benjamin@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 26 May 2016 03:19:06 +0000 (03:19 +0000)
committer benjamin@webkit.org <benjamin@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 26 May 2016 03:19:06 +0000 (03:19 +0000)
commit    51be83d11f3ccf665e44c8aa13beadfcd3d00d4a
tree      ed56282c80763cb789933d4bfc08035d45c1ee02
parent    9d59588835140f620d0452e57011f14947427d34
[JSC] RegExp with deeply nested subexpressions overflows the stack in Yarr
https://bugs.webkit.org/show_bug.cgi?id=158011
rdar://problem/25946592

Reviewed by Saam Barati.

Source/JavaScriptCore:

When generating the meta-data required for compilation,
Yarr uses a recursive function over the various expressions in the pattern.

If you have many nested expressions, you can run out of stack
and crash the WebProcess.
This patch changes that into a soft failure. The expression is just
considered invalid.

* runtime/RegExp.cpp:
(JSC::RegExp::finishCreation):
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
(JSC::Yarr::YarrPatternConstructor::setupOffsets):
(JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
(JSC::Yarr::YarrPattern::compile):
(JSC::Yarr::YarrPattern::YarrPattern):
(JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets): Deleted.
(JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): Deleted.
* yarr/YarrPattern.h:

LayoutTests:

* js/script-tests/stack-overflow-arrity-catch.js:
With the new failure, this test can fail on allocating
the RegExp for a valid reason.

The new expression should not have this issue.
* js/script-tests/stack-overflow-regexp.js: Added.
(shouldThrow.recursiveCall):
(shouldThrow):
(recursiveCall):
* js/stack-overflow-regexp-expected.txt: Added.
* js/stack-overflow-regexp.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201412 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/js/script-tests/stack-overflow-arrity-catch.js
LayoutTests/js/script-tests/stack-overflow-regexp.js [new file with mode: 0644]
LayoutTests/js/stack-overflow-regexp-expected.txt [new file with mode: 0644]
LayoutTests/js/stack-overflow-regexp.html [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/RegExp.cpp
Source/JavaScriptCore/yarr/YarrPattern.cpp
Source/JavaScriptCore/yarr/YarrPattern.h
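The mitigation the commit message describes, turning stack exhaustion during a recursive pattern walk into a soft "invalid expression" failure, as an added illustration that is not WebKit or JavaScriptCore code: a small recursive-descent walk over a regexp-like pattern guarded by a stack-usage check that stands in for the `isSafeToRecurse` named in the ChangeLog. Everything below is constructed for the example; in particular the fixed 256 KiB budget measured from the entry frame is an assumption, where a real engine would consult the thread's actual stack bounds.

```cpp
// Added example, not WebKit/JavaScriptCore code: a recursive walk over a
// regexp-like pattern whose recursion is guarded by a stack-usage check, so a
// pathologically nested pattern is reported as invalid instead of exhausting
// the stack and crashing the process.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

enum class PatternStatus { Ok, Unbalanced, TooDeep };

struct PatternInfo {
    PatternStatus status = PatternStatus::Ok;
    size_t groupCount = 0;  // number of '(' ... ')' groups seen
    size_t maxDepth = 0;    // deepest group nesting reached before stopping
};

class NestingWalker {
public:
    // stackBudgetBytes is an assumed fixed budget measured from the frame that
    // starts the walk; a real engine would derive the limit from the thread's
    // actual stack bounds rather than from a constant.
    NestingWalker(const std::string& pattern, size_t stackBudgetBytes)
        : m_pattern(pattern), m_budget(stackBudgetBytes) {}

    PatternInfo run() {
        char entryMarker;  // its address marks where the walk's stack use starts
        m_stackBase = reinterpret_cast<uintptr_t>(&entryMarker);
        m_pos = 0;
        PatternInfo info;
        walkDisjunction(info, 0);
        // Input left over means the top-level walk stopped on an unmatched ')'.
        if (info.status == PatternStatus::Ok && m_pos != m_pattern.size())
            info.status = PatternStatus::Unbalanced;
        return info;
    }

private:
    // Compare the address of a local in the current frame with the entry
    // frame; the distance grows with every level of recursion.
    bool isSafeToRecurse() const {
        char marker;
        uintptr_t here = reinterpret_cast<uintptr_t>(&marker);
        size_t used = here < m_stackBase ? m_stackBase - here : here - m_stackBase;
        return used < m_budget;
    }

    // Grammar handled here (a deliberately tiny subset of a regexp):
    //   disjunction := alternative ('|' alternative)*
    //   alternative := (group | literal)*
    //   group       := '(' disjunction ')'
    // Each group recurses one level deeper, which is the failure mode guarded.
    void walkDisjunction(PatternInfo& info, size_t depth) {
        if (!isSafeToRecurse()) {
            info.status = PatternStatus::TooDeep;  // soft failure, no crash
            return;
        }
        if (depth > info.maxDepth)
            info.maxDepth = depth;
        while (m_pos < m_pattern.size()) {
            char c = m_pattern[m_pos];
            if (c == ')')
                return;  // the enclosing group consumes its own ')'
            ++m_pos;
            if (c == '(') {
                ++info.groupCount;
                walkDisjunction(info, depth + 1);
                if (info.status != PatternStatus::Ok)
                    return;
                if (m_pos >= m_pattern.size() || m_pattern[m_pos] != ')') {
                    info.status = PatternStatus::Unbalanced;
                    return;
                }
                ++m_pos;
            }
            // '|' and literal characters need no structural work here.
        }
    }

    const std::string& m_pattern;
    size_t m_budget;
    size_t m_pos = 0;
    uintptr_t m_stackBase = 0;
};

// Default budget of 256 KiB: far below any common thread stack, so the walk
// gives up long before the real stack would overflow.
PatternInfo analyzePattern(const std::string& pattern, size_t stackBudgetBytes = 256 * 1024) {
    NestingWalker walker(pattern, stackBudgetBytes);
    return walker.run();
}

// Constructed input: n nested groups around a single literal, e.g. "(((a)))".
std::string nestedGroups(size_t n) {
    return std::string(n, '(') + "a" + std::string(n, ')');
}

int main() {
    const char* names[] = {"Ok", "Unbalanced", "TooDeep"};
    for (const std::string& p : {std::string("(a(b)c)|d"), std::string("((a)"), nestedGroups(500000)}) {
        PatternInfo info = analyzePattern(p);
        std::cout << "length " << p.size() << ": " << names[static_cast<int>(info.status)]
                  << ", groups " << info.groupCount << ", max depth " << info.maxDepth << '\n';
    }
    return 0;
}
```

The half-million nested groups in the last input would otherwise recurse until the thread's stack was gone; with the guard the walk returns `TooDeep` after a few thousand levels and the caller can reject the pattern, which is the shape of the soft failure the patch introduces.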