Changeset 72813 in webkit for trunk/JavaScriptCore/yarr/RegexParser.h

Timestamp:

Nov 29, 2010, 10:52:16 AM (15 years ago)

Author:

[email protected]

Message:

Bug 48100 - YARR allows what seems like a bogus character-class range

Reviewed by Sam Weinig.

JavaScriptCore:

Per ECMA-262 character classes containing character ranges containing
character classes are invalid, eg:

/[\d-x]/
/[x-\d]/
/[\d-\d]/

These should throw a syntax error.

• yarr/RegexParser.h:

LayoutTests:

Add/update layout test results.

• fast/js/regexp-overflow-expected.txt:
• fast/js/regexp-ranges-and-escaped-hyphens-expected.txt:
• fast/js/script-tests/regexp-overflow.js:
• fast/js/script-tests/regexp-ranges-and-escaped-hyphens.js:
• fast/regex/invalid-range-in-class-expected.txt: Added.
• fast/regex/invalid-range-in-class.html: Added.
• fast/regex/script-tests/invalid-range-in-class.js: Added.
• fast/regex/test1-expected.txt:
• fast/regex/test4-expected.txt:
• fast/regex/testinput4:

File:

• trunk/JavaScriptCore/yarr/RegexParser.h (modified) (8 diffs)

trunk/JavaScriptCore/yarr/RegexParser.h

@@ -57 +57 @@
         ParenthesesTypeInvalid,
         CharacterClassUnmatched,
+        CharacterClassInvalidRange,
         CharacterClassOutOfOrder,
         EscapeUnterminated,
@@ -76 +77 @@
             : m_delegate(delegate)
             , m_err(err)
-            , m_state(empty)
+            , m_state(Empty)
         {
         }
@@ -91 +92 @@
 
         /*
-         * atomPatternCharacterUnescaped():
+         * atomPatternCharacter():
          *
-         * This method is called directly from parseCharacterClass(), to report a new
-         * pattern character token.  This method differs from atomPatternCharacter(),
-         * which will be called from parseEscape(), since a hypen provided via this
-         * method may be indicating a character range, but a hyphen parsed by
-         * parseEscape() cannot be interpreted as doing so.
+         * This method is called either from parseCharacterClass() (for an unescaped
+         * character in a character class), or from parseEscape(). In the former case
+         * the value true will be passed for the argument 'hyphenIsRange', and in this
+         * mode we will allow a hypen to be treated as indicating a range (i.e. /[a-z]/
+         * is different to /[a\-z]/).
          */
-        void atomPatternCharacterUnescaped(UChar ch)
+        void atomPatternCharacter(UChar ch, bool hyphenIsRange = false)
         {
             switch (m_state) {
-            case empty:
+            case AfterCharacterClass:
+                // Following a builtin character class we need look out for a hyphen.
+                // We're looking for invalid ranges, such as /[\d-x]/ or /[\d-\d]/.
+                // If we see a hyphen following a charater class then unlike usual
+                // we'll report it to the delegate immediately, and put ourself into
+                // a poisoned state. Any following calls to add another character or
+                // character class will result in an error. (A hypen following a
+                // character-class is itself valid, but only  at the end of a regex).
+                if (hyphenIsRange && ch == '-') {
+                    m_delegate.atomCharacterClassAtom('-');
+                    m_state = AfterCharacterClassHyphen;
+                    return;
+                }
+                // Otherwise just fall through - cached character so treat this as Empty.
+
+            case Empty:
                 m_character = ch;
-                m_state = cachedCharacter;
-                break;
-
-            case cachedCharacter:
-                if (ch == '-')
-                    m_state = cachedCharacterHyphen;
+                m_state = CachedCharacter;
+                return;
+
+            case CachedCharacter:
+                if (hyphenIsRange && ch == '-')
+                    m_state = CachedCharacterHyphen;
                 else {
                     m_delegate.atomCharacterClassAtom(m_character);
                     m_character = ch;
                 }
-                break;
-
-            case cachedCharacterHyphen:
-                if (ch >= m_character)
-                    m_delegate.atomCharacterClassRange(m_character, ch);
-                else
+                return;
+
+            case CachedCharacterHyphen:
+                if (ch < m_character) {
                     m_err = CharacterClassOutOfOrder;
-                m_state = empty;
-            }
-        }
-
-        /*
-         * atomPatternCharacter():
-         *
-         * Adds a pattern character, called by parseEscape(), as such will not
-         * interpret a hyphen as indicating a character range.
-         */
-        void atomPatternCharacter(UChar ch)
-        {
-            // Flush if a character is already pending to prevent the
-            // hyphen from begin interpreted as indicating a range.
-            if((ch == '-') && (m_state == cachedCharacter))
-                flush();
-
-            atomPatternCharacterUnescaped(ch);
+                    return;
+                }
+                m_delegate.atomCharacterClassRange(m_character, ch);
+                m_state = Empty;
+                return;
+
+            case AfterCharacterClassHyphen:
+                // Error! We have something like /[\d-x]/.
+                m_err = CharacterClassInvalidRange;
+                return;
+            }
         }
 
@@ -148 +155 @@
         void atomBuiltInCharacterClass(BuiltInCharacterClassID classID, bool invert)
         {
-            flush();
-            m_delegate.atomCharacterClassBuiltIn(classID, invert);
+            switch (m_state) {
+            case CachedCharacter:
+                // Flush the currently cached character, then fall through.
+                m_delegate.atomCharacterClassAtom(m_character);
+
+            case Empty:
+            case AfterCharacterClass:
+                m_state = AfterCharacterClass;
+                m_delegate.atomCharacterClassBuiltIn(classID, invert);
+                return;
+
+            case CachedCharacterHyphen:
+            case AfterCharacterClassHyphen:
+                // Error! If we hit either of these cases, we have an
+                // invalid range that looks something like /[x-\d]/
+                // or /[\d-\d]/.
+                m_err = CharacterClassInvalidRange;
+                return;
+            }
         }
 
@@ -159 +183 @@
         void end()
         {
-            flush();
+            if (m_state == CachedCharacter)
+                m_delegate.atomCharacterClassAtom(m_character);
+            else if (m_state == CachedCharacterHyphen) {
+                m_delegate.atomCharacterClassAtom(m_character);
+                m_delegate.atomCharacterClassAtom('-');
+            }
             m_delegate.atomCharacterClassEnd();
         }
@@ -169 +198 @@
 
     private:
-        void flush()
-        {
-            if (m_state != empty) // either cachedCharacter or cachedCharacterHyphen
-                m_delegate.atomCharacterClassAtom(m_character);
-            if (m_state == cachedCharacterHyphen)
-                m_delegate.atomCharacterClassAtom('-');
-            m_state = empty;
-        }
-    
         Delegate& m_delegate;
         ErrorCode& m_err;
         enum CharacterClassConstructionState {
-            empty,
-            cachedCharacter,
-            cachedCharacterHyphen,
+            Empty,
+            CachedCharacter,
+            CachedCharacterHyphen,
+            AfterCharacterClass,
+            AfterCharacterClassHyphen,
         } m_state;
         UChar m_character;
@@ -429 +451 @@
 
             default:
-                characterClassConstructor.atomPatternCharacterUnescaped(consume());
+                characterClassConstructor.atomPatternCharacter(consume(), true);
             }
 
@@ -658 +680 @@
             "unrecognized character after (?",
             "missing terminating ] for character class",
+            "invalid range in character class",
             "range out of order in character class",
             "\\ at end of pattern"