Fix assertion in 're_insert_simple_iterator' (#2209)

It is a followup fix after #2169. It also fixes a memory leak.
This fixes #2198 and fixes #2204

JerryScript-DCO-1.0-Signed-off-by: László Langó llango.u-szeged@partner.samsung.com

jerry-core/parser/regexp/re-compiler.c

@@ -52,8 +52,13 @@ re_append_char_class (void *re_ctx_p, /**< RegExp compiler context */
 
 /**
  * Insert simple atom iterator
+ *
+ * @return empty ecma value - if inserted successfully
+ *         error ecma value - otherwise
+ *
+ *         Returned value must be freed with ecma_free_value
  */
-static void
+static ecma_value_t
 re_insert_simple_iterator (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context */
                            uint32_t new_atom_start_offset) /**< atom start offset */
 {
@@ -63,7 +68,15 @@ re_insert_simple_iterator (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler con
 
   qmin = re_ctx_p->current_token.qmin;
   qmax = re_ctx_p->current_token.qmax;
-  JERRY_ASSERT (qmin <= qmax);
+
+  if (qmin == 1 && qmax == 1)
+  {
+    return ECMA_VALUE_EMPTY;
+  }
+  else if (qmin > qmax)
+  {
+    return ecma_raise_syntax_error (ECMA_ERR_MSG ("RegExp quantifier error: qmin > qmax."));
+  }
 
   /* TODO: optimize bytecode length. Store 0 rather than INF */
 
@@ -83,6 +96,8 @@ re_insert_simple_iterator (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler con
   {
     re_insert_opcode (re_ctx_p->bytecode_ctx_p, offset, RE_OP_NON_GREEDY_ITERATOR);
   }
+
+  return ECMA_VALUE_EMPTY;
 } /* re_insert_simple_iterator */
 
 /**
@@ -271,10 +286,7 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
         re_append_char (bc_ctx_p, re_canonicalize ((ecma_char_t) re_ctx_p->current_token.value,
                                                    re_ctx_p->flags & RE_FLAG_IGNORE_CASE));
 
-        if ((re_ctx_p->current_token.qmin != 1) || (re_ctx_p->current_token.qmax != 1))
+        ret_value = re_insert_simple_iterator (re_ctx_p, new_atom_start_offset);
-        {
-          re_insert_simple_iterator (re_ctx_p, new_atom_start_offset);
-        }
         break;
       }
       case RE_TOK_PERIOD:
@@ -282,10 +294,7 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
         JERRY_TRACE_MSG ("Compile a period\n");
         re_append_opcode (bc_ctx_p, RE_OP_PERIOD);
 
-        if ((re_ctx_p->current_token.qmin != 1) || (re_ctx_p->current_token.qmax != 1))
+        ret_value = re_insert_simple_iterator (re_ctx_p, new_atom_start_offset);
-        {
-          re_insert_simple_iterator (re_ctx_p, new_atom_start_offset);
-        }
         break;
       }
       case RE_TOK_ALTERNATIVE:
@@ -387,21 +396,17 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
                                                        : RE_OP_CHAR_CLASS);
         uint32_t offset = re_get_bytecode_length (re_ctx_p->bytecode_ctx_p);
 
-        ECMA_TRY_CATCH (empty_value,
+        ret_value = re_parse_char_class (re_ctx_p->parser_ctx_p,
-                        re_parse_char_class (re_ctx_p->parser_ctx_p,
+                                         re_append_char_class,
-                                             re_append_char_class,
+                                         re_ctx_p,
-                                             re_ctx_p,
+                                         &(re_ctx_p->current_token));
-                                             &(re_ctx_p->current_token)),
-                        ret_value);
-        re_insert_u32 (bc_ctx_p, offset, re_ctx_p->parser_ctx_p->num_of_classes);
 
-        if ((re_ctx_p->current_token.qmin != 1) || (re_ctx_p->current_token.qmax != 1))
+        if (!ECMA_IS_VALUE_ERROR (ret_value))
         {
-          re_insert_simple_iterator (re_ctx_p, new_atom_start_offset);
+          re_insert_u32 (bc_ctx_p, offset, re_ctx_p->parser_ctx_p->num_of_classes);
+          ret_value = re_insert_simple_iterator (re_ctx_p, new_atom_start_offset);
         }
 
-        ECMA_FINALIZE (empty_value);
-
         break;
       }
       case RE_TOK_END_GROUP:

jerry-core/parser/regexp/re-parser.c

@@ -16,6 +16,7 @@
 #include "ecma-exceptions.h"
 #include "ecma-globals.h"
 #include "ecma-try-catch-macro.h"
+#include "jcontext.h"
 #include "jrt-libc-includes.h"
 #include "lit-char-helpers.h"
 #include "re-compiler.h"
@@ -242,11 +243,6 @@ re_parse_iterator (re_parser_ctx_t *parser_ctx_p, /**< RegExp parser context */
 
   JERRY_ASSERT (ecma_is_value_empty (ret_value));
 
-  if (re_token_p->qmin > re_token_p->qmax)
-  {
-    ret_value = ecma_raise_syntax_error (ECMA_ERR_MSG ("RegExp quantifier error: qmin > qmax."));
-  }
-
   return ret_value;
 } /* re_parse_iterator */
 
@@ -893,11 +889,15 @@ re_parse_next_token (re_parser_ctx_t *parser_ctx_p, /**< RegExp parser context *
       const lit_utf8_byte_t *input_curr_p = parser_ctx_p->input_curr_p;
 
       lit_utf8_decr (&parser_ctx_p->input_curr_p);
-      if (ecma_is_value_empty (re_parse_iterator (parser_ctx_p, out_token_p)))
+      ret_value = re_parse_iterator (parser_ctx_p, out_token_p);
+      if (ecma_is_value_empty (ret_value))
       {
         return ecma_raise_syntax_error (ECMA_ERR_MSG ("Invalid RegExp token."));
       }
 
+      JERRY_ASSERT (ECMA_IS_VALUE_ERROR (ret_value));
+      ecma_free_value (JERRY_CONTEXT (error_value));
+
       parser_ctx_p->input_curr_p = input_curr_p;
 
       out_token_p->type = RE_TOK_CHAR;

tests/jerry/regression-test-issue-2198.js

@@ -0,0 +1,17 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var id_0 = Object.prototype.toString ; 
+Object.prototype.toString = function ( ) { return "SHIFTED" } ; 
+RegExp ( '#1: __str = new String({}); typeof __str === "object". Actual: typeof __str ===');

tests/jerry/regression-test-issue-2204.js

@@ -0,0 +1,34 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+try {
+  new RegExp("\{{91406,456}");
+  assert(false);
+} catch(e) {
+  assert(e instanceof SyntaxError)
+}
+
+try {
+  new RegExp("\{91406,456}");
+  assert(false);
+} catch(e) {
+  assert(e instanceof SyntaxError)
+}
+
+try {
+  new RegExp("\({91406,456}");
+  assert(false);
+} catch(e) {
+  assert(e instanceof SyntaxError)
+}