[regexp] Additional checks to flush out fuzzer crash

Crashes are still happening despite tentative fixes, but unfortunately without a local repro. This adds a couple of additional checks to help flush out the root cause. TBR=yangguo@chromium.org Bug: chromium:754422 Change-Id: Ib3c8a2e0271fc724a4351ce6aec8298cf520a20a Reviewed-on: https://chromium-review.googlesource.com/640691Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#47684}

[regexp] Additional checks to flush out fuzzer crash
Crashes are still happening despite tentative fixes, but unfortunately without a local repro. This adds a couple of additional checks to help flush out the root cause. TBR=yangguo@chromium.org Bug: chromium:754422 Change-Id: Ib3c8a2e0271fc724a4351ce6aec8298cf520a20a Reviewed-on: https://chromium-review.googlesource.com/640691Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#47684}
7770b1d1 · jgruber · Commit Bot · 779bb1b1 · 7770b1d1 · 7770b1d1
Commit 7770b1d1 authored Aug 29, 2017 by jgruber Committed by Commit Bot Aug 29, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

jsregexp.cc src/regexp/jsregexp.cc +2 -1

regexp.cc test/fuzzer/regexp.cc +4 -0

No files found.
--- a/src/regexp/jsregexp.cc
+++ b/src/regexp/jsregexp.cc
@@ -121,7 +121,8 @@ MaybeHandle<Object> RegExpImpl::Compile(Handle<JSRegExp> re,
  PostponeInterruptsScope postpone(isolate);
  RegExpCompileData parse_result;
  FlatStringReader reader(isolate, pattern);
-  if (!RegExpParser::ParseRegExp(re->GetIsolate(), &zone, &reader, flags,
+  DCHECK(!isolate->has_pending_exception());
+  if (!RegExpParser::ParseRegExp(isolate, &zone, &reader, flags,
                                 &parse_result)) {
    // Throw an exception if we fail to parse the pattern.
    return ThrowRegExpException(re, pattern, parse_result.error);

--- a/test/fuzzer/regexp.cc
+++ b/test/fuzzer/regexp.cc
@@ -39,6 +39,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
  i::Factory* factory = i_isolate->factory();

+  CHECK(!i_isolate->has_pending_exception());
  if (size > INT_MAX) return 0;
  i::MaybeHandle<i::String> maybe_source = factory->NewStringFromOneByte(
      i::Vector<const uint8_t>(data, static_cast<int>(size)));
@@ -55,6 +56,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  const uint8_t one_byte_array[6] = {'f', 'o', 'o', 'b', 'a', 'r'};
  const i::uc16 two_byte_array[6] = {'f', 0xD83D, 0xDCA9, 'b', 'a', 0x2603};

+  CHECK(!i_isolate->has_pending_exception());
  i::Handle<i::RegExpMatchInfo> results_array = factory->NewRegExpMatchInfo();
  i::Handle<i::String> one_byte =
      factory->NewStringFromOneByte(i::Vector<const uint8_t>(one_byte_array, 6))
@@ -65,6 +67,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

  i::Handle<i::JSRegExp> regexp;
  {
+    CHECK(!i_isolate->has_pending_exception());
    v8::TryCatch try_catch(isolate);
    // Create a string so that we can calculate a hash from the input data.
    std::string str = std::string(reinterpret_cast<const char*>(data), size);
@@ -82,5 +85,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  Test(isolate, regexp, source, results_array);
  isolate->RequestGarbageCollectionForTesting(
      v8::Isolate::kFullGarbageCollection);
+  CHECK(!i_isolate->has_pending_exception());
  return 0;
 }