goja
Panic using regex split on a unicode string
"000\xfd00000000000000".split(/((?:0*)+?(?:.*)+?)?/g)
Panics with:
panic: runtime error: slice bounds out of range [19:2] [recovered]
panic: runtime error: slice bounds out of range [19:2] [recovered]
panic: runtime error: slice bounds out of range [19:2] [recovered]
panic: runtime error: slice bounds out of range [19:2]
goroutine 1 [running]:
github.com/mstoykov/goja-regexp2-fuzzing.Fuzz.func1.1.1(0xc00001c880, 0x35)
github.com/mstoykov/goja-regexp2-fuzzing/regexp.go:33 +0x207
panic(0x77fb00, 0xc0000152a0)
runtime/panic.go:969 +0x166
github.com/dop251/goja.(*Runtime).RunProgram.func1(0xc0001cdd18)
github.com/dop251/goja/runtime.go:1185 +0x98
panic(0x77fb00, 0xc0000152a0)
runtime/panic.go:969 +0x166
github.com/dop251/goja.(*vm).try.func1(0xc000180000, 0x0, 0xc0001cdbd8, 0x0, 0x0, 0x0, 0xc0001cdc60)
github.com/dop251/goja/vm.go:407 +0x647
panic(0x77fb00, 0xc0000152a0)
runtime/panic.go:969 +0x166
github.com/dop251/goja.unicodeString.substring(0xc000016600, 0x13, 0x13, 0x12, 0x1, 0xc0001beb60, 0x829380)
github.com/dop251/goja/string_unicode.go:407 +0x225
github.com/dop251/goja.(*Runtime).regexpproto_stdSplitter(0xc000010580, 0x828fc0, 0xc0001c2ff0, 0xc0001beac0, 0x2, 0x2, 0x828f01, 0xc0001beac0)
github.com/dop251/goja/builtin_regexp.go:906 +0xc3f
github.com/dop251/goja.(*Runtime).stringproto_split(0xc000010580, 0x829380, 0xc0001be9c0, 0xc0000fb760, 0x1, 0x4, 0x412951, 0x120)
github.com/dop251/goja/builtin_string.go:725 +0x6ca
github.com/dop251/goja.(*vm)._nativeCall(0xc000180000, 0xc00018e840, 0x1)
github.com/dop251/goja/vm.go:1818 +0x2d7
github.com/dop251/goja.call.exec(0xc000000001, 0xc000180000)
github.com/dop251/goja/vm.go:1790 +0xb8f
github.com/dop251/goja.(*vm).run(0xc000180000)
github.com/dop251/goja/vm.go:307 +0x9d
github.com/dop251/goja.(*vm).try(0xc000180000, 0xc0001cdc68, 0x0)
github.com/dop251/goja/vm.go:413 +0x163
github.com/dop251/goja.(*vm).runTry(0xc000180000, 0x0)
github.com/dop251/goja/vm.go:418 +0x4e
github.com/dop251/goja.(*Runtime).RunProgram(0xc000010580, 0xc0000fb680, 0x0, 0x0, 0x0, 0x0)
github.com/dop251/goja/runtime.go:1196 +0x20b
github.com/dop251/goja.(*Runtime).RunScript(0xc000010580, 0x0, 0x0, 0xc00001c880, 0x35, 0xc00001c880, 0x35, 0x820380, 0xc0001be980)
github.com/dop251/goja/runtime.go:1175 +0x9d
github.com/dop251/goja.(*Runtime).RunString(...)
github.com/dop251/goja/runtime.go:1164
This is with the latest versions of both goja and regexp2, but it happens with the previous versions as well. It does not happen with an ASCII string.
"000\xfd00000000000000".split(/((?:0*)+?(?:0*)+?)?/g)
panics with panic: runtime error: slice bounds out of range [4:2].
Maybe connected (although with ASCII strings so :man_shrugging: ) we had this panic but we can't reproduce it or find out what made it and unfortunately, the stacktrace is ... cut :( . This was with beb0a9a01fbc and we have some doubts it was due to the latest cache changes then, but my investigation didn't help and this is the primary reason for me ... fuzzing regexes in goja :D
panic: runtime error: slice bounds out of range [:6] with length 2 [recovered]
panic: runtime error: slice bounds out of range [:6] with length 2 [recovered]
panic: runtime error: slice bounds out of range [:6] with length 2 [recovered]
panic: runtime error: slice bounds out of range [:6] with length 2
goroutine 54 [running]:
github.com/dop251/goja.AssertFunction.func1.1(0xc008bcbaf8)
/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/runtime.go:1967 +0x98
panic(0xed0360, 0xc01f71b420)
/usr/local/go/src/runtime/panic.go:969 +0x166
github.com/dop251/goja.(*vm).try.func1(0xc00142bdc0, 0x0, 0xc008bcb9b8, 0x0, 0x0, 0x0, 0xc008bcba40)
/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/vm.go:407 +0x647
panic(0xed0360, 0xc01f71b420)
/usr/local/go/src/runtime/panic.go:969 +0x166
github.com/dop251/goja.(*vm).try.func1(0xc00142bdc0, 0x4, 0xc008bcb618, 0x16, 0x0, 0x0, 0xc008bcb6a0)
/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/vm.go:407 +0x647
panic(0xed0360, 0xc01f71b420)
/usr/local/go/src/runtime/panic.go:969 +0x166
github.com/dop251/goja.asciiString.substring(...)
/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/string_ascii.go:268
github.com/dop251/goja.(*regexpObject).execResultToArray(0xc00b041200, 0x11d0500, 0xc00d372130, 0xc01f71b400, 0x4, 0x4, 0x4, 0xc00d372130)
/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/regexp.go:485 +0x139
github.com/dop251/goja.(*regexpObject).exec(0xc00b041200, 0x11d0500, 0xc00d372130, 0x0, 0x0)
/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/regexp.go:538 +0x8a
github.com/dop251/goja.(*Runtime).regexpproto_exec(0xc001600dc0, 0x11cc9e0, 0xc02408fec0, 0xc00fb89f20, 0x1, 0x44, 0x412deb, 0x1)
/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/builtin_regexp.go:389 +0xe9
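Both traces end in a substring call whose bounds come straight from the regex engine's reported match positions: in the first, the start (19) is past the end (2); in the second, the end (6) is past the string length (2). The Go program below is an added illustration, not goja's code, of the two mitigations a host would want: a splitter that validates every match span before slicing, and an embedder-side wrapper that converts a runtime panic into an error so untrusted script input cannot take the process down. The `matchSpan` type, the UTF-16 code-unit representation and the sample spans are assumptions constructed to reproduce the shape of the two reported panics.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
)

// matchSpan is a [Start, End) pair of UTF-16 code-unit offsets as a regex
// engine would report them. Both bounds are treated as untrusted: the point
// is to survive an engine that reports inconsistent positions. (Assumed type.)
type matchSpan struct{ Start, End int }

var errBadSpan = errors.New("regex engine reported an out-of-range match span")

// checkSpan validates a span against the string length and the position the
// splitter has already consumed. Go's slice expression panics on exactly
// these conditions (start > end, end > len), so they are turned into errors.
func checkSpan(sp matchSpan, pos, length int) error {
	if sp.Start < pos || sp.Start > sp.End || sp.End > length {
		return fmt.Errorf("%w: [%d:%d] at pos %d, length %d",
			errBadSpan, sp.Start, sp.End, pos, length)
	}
	return nil
}

// splitUTF16 splits s (as UTF-16 code units, which is what a JS engine
// indexes) at the given match spans, mirroring String.prototype.split with a
// global regex, but with every span checked before slicing.
func splitUTF16(s string, spans []matchSpan) ([]string, error) {
	units := utf16.Encode([]rune(s))
	var parts []string
	pos := 0
	for _, sp := range spans {
		if err := checkSpan(sp, pos, len(units)); err != nil {
			return nil, err
		}
		if sp.Start == sp.End && sp.Start == pos {
			// Empty match at the current position: ECMAScript's split advances
			// instead of emitting an empty piece, so the span is skipped.
			continue
		}
		parts = append(parts, string(utf16.Decode(units[pos:sp.Start])))
		pos = sp.End
	}
	parts = append(parts, string(utf16.Decode(units[pos:])))
	return parts, nil
}

// safeSplit is the embedder-side containment: a runtime panic coming out of
// the splitter is recovered and returned as an error. With unchecked=true it
// slices on the engine's spans directly, the way the panicking code did.
func safeSplit(s string, spans []matchSpan, unchecked bool) (parts []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			parts, err = nil, fmt.Errorf("recovered engine panic: %v", r)
		}
	}()
	if !unchecked {
		return splitUTF16(s, spans)
	}
	units := utf16.Encode([]rune(s))
	pos := 0
	for _, sp := range spans {
		parts = append(parts, string(utf16.Decode(units[pos:sp.Start]))) // may panic
		pos = sp.End
	}
	parts = append(parts, string(utf16.Decode(units[pos:])))
	return parts, nil
}

func main() {
	// Constructed inputs shaped like the two reports: a span that goes
	// backwards (start before the consumed position) and a span past the end.
	backwards := []matchSpan{{5, 17}, {2, 2}}
	pastEnd := []matchSpan{{6, 6}}
	for _, unchecked := range []bool{true, false} {
		_, err := safeSplit("000\u00fd00000000000000", backwards, unchecked)
		fmt.Printf("unchecked=%v backwards: %v\n", unchecked, err)
		_, err = safeSplit("0\u00fd", pastEnd, unchecked)
		fmt.Printf("unchecked=%v past end:  %v\n", unchecked, err)
	}
	parts, _ := splitUTF16("a,b,,c", []matchSpan{{1, 2}, {3, 4}, {4, 5}})
	fmt.Printf("%q\n", parts)
}
```

The unchecked path reproduces the failure class (a slice expression fed engine-supplied bounds) and shows that a `recover` at the host boundary is enough to keep the process alive; the checked path shows the cheaper fix, rejecting the span before it reaches the slice.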
Raised https://github.com/dlclark/regexp2/issues/34. I think it's very likely that the second panic has the same cause.