Closed
Bug 9141
Opened 25 years ago
Closed 25 years ago
Regular expression crashes system
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
VERIFIED
FIXED
M14
People
(Reporter: waldemar, Assigned: rogerl)
Details
(Keywords: crash, js1.5)
The following page crashes the system:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/
TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
</HEAD>
<BODY>
<SCRIPT type="text/javascript">
var s = "x";
for (var i = 0; i != 13; i++) s += s;
var a = /(?:xx|x)*/(s);
var b = /(xx|x)*/(s);
document.write("Results = " + a.length + "," + b.length);
</SCRIPT>
</BODY>
Assignee | ||
Updated•25 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Updated•25 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
Assignee | ||
Comment 1•25 years ago
|
||
This works o.k. for me, both pc & mac. The newer version of the regexp. engine
got checked in recently, and likely contained this fix.
Reporter | ||
Updated•25 years ago
|
Status: VERIFIED → REOPENED
Reporter | ||
Comment 3•25 years ago
|
||
Executing
var s = "x"; for (var i = 0; i != 13; i++) s += s; var a = /(?:xx|x)*/(s);
still crashes my JSRef, taken from today's tip build.
Waldemar
i haven't been able to reproduce a crash using either test case on linux and
winnt. haven't tried the mac yet.
Status: REOPENED → RESOLVED
Closed: 25 years ago → 25 years ago
Target Milestone: M9
Reporter | ||
Updated•25 years ago
|
Status: RESOLVED → REOPENED
Reporter | ||
Comment 6•25 years ago
|
||
Not cool on the Mac (JSRef).
Assignee | ||
Comment 8•25 years ago
|
||
Moving out to M10 per choffman's request
Assignee | ||
Updated•25 years ago
|
Target Milestone: M10 → M11
Assignee | ||
Updated•25 years ago
|
Target Milestone: M11 → M15
Assignee | ||
Comment 9•25 years ago
|
||
Runs fine on NT/Linux/Solaris - I need to get me at a mac. Waldemar, can you
make this happen and then point me at the macsbug ?
Updated•25 years ago
|
Severity: normal → critical
Assignee | ||
Comment 10•25 years ago
|
||
I checked in a version of the greedy matcher that uses less stack - hopefully
this will fix it?? Waldemar, could you try this version out and let me know?
Also, is there any way of increasing the stack on the Mac build to see how close
this crash is to the limit? if it's not close at all I'll have to re-write the
recursion to use a heap-based stack or something.
Reporter | ||
Comment 11•25 years ago
|
||
Changing stack usage by a constant factor would not fix this bug; I could just
increase the 13 to 14 in the script to make it reappear. The problem is our
inability to detect when the stack gets too large. I think it would be fine to
refuse to process a regular expression and report a JavaScript error if the
regular expression stack gets too large (or greater than some large fixed
amount). I don't think it's fine to crash.
Assignee | ||
Comment 12•25 years ago
|
||
Yes, I agree. But,
a). I was simply curious to see if my latest changes (which I'd made for
clean-up purposes, not as a fix for this bug) had any impact on the bug, since
it's pure speculation on my part that it's a stack crash issue.
b). The js engine doesn't catch stack failures in other circumstances - relying
on the OS to do something 'sensible'. (I'm not defending this !)
Comment 13•25 years ago
|
||
This bug is still happening. Beard and I hacked around in jsregexp.c last
night, adding a call to check the mac StackSpace() function in greedyRecurse()
(diff below). This fixes the crash, but the patch needs a bit of work before
its Right, perhaps a "match failed" flag in the match state structure, or an
extra "failed" param in the greedyRecurse() function.
Marking js1.5
Index: jsregexp.c
===================================================================
RCS file: /cvsroot/mozilla/js/src/jsregexp.c,v
retrieving revision 3.19
diff -c -2 -r3.19 jsregexp.c
*** jsregexp.c 1999/12/22 21:57:08 3.19
--- jsregexp.c 2000/01/12 02:24:53
***************
*** 57,60 ****
--- 57,64 ----
#include "jsstr.h"
+ #ifdef XP_MAC
+ #include <MacMemory.h>
+ #endif
+
#if JS_HAS_REGEXPS
***************
*** 1321,1324 ****
--- 1325,1335 ----
const jschar *kidMatch;
const jschar *match;
+
+ #ifdef XP_MAC
+ if (StackSpace() < 16384) {
+ JS_ReportOutOfMemory (grState->state->context);
+ return NULL;
+ }
+ #endif
kidMatch = matchRENodes(grState->state, grState->kid, grState->next, cp);
Assignee | ||
Updated•25 years ago
|
Target Milestone: M13 → M14
Assignee | ||
Comment 14•25 years ago
|
||
Not going to make M13 for these.
Comment 15•25 years ago
|
||
Updating QA Contact.
Assignee | ||
Comment 17•25 years ago
|
||
Checked in patch + set & test early out in greedyRecurse() when state->ok goes
false.
Status: REOPENED → RESOLVED
Closed: 25 years ago → 25 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•