Merge pull request chakra-core#6857 from rhuanjl/FixCharTrieClone

ppenzin · web-flow · commit a9850e298240 · 2022-11-01T22:33:39.000-07:00
Fix CharTrie::CloneFrom CharTrie::CloneFrom uses recursion to clone a CharTrie tree. Currently this can overflow the native stack producing an uncatchable hard crash. Fix by inserting a PROBE_STACK call that checks sufficient stack space is left and throws a catchable JS exception if not. Fix chakra-core#6835
diff --git a/lib/Parser/CharTrie.cpp b/lib/Parser/CharTrie.cpp
@@ -1,5 +1,6 @@
 //-------------------------------------------------------------------------------------------------------
 // Copyright (C) Microsoft. All rights reserved.
+// Copyright (c) ChakraCore Project Contributors. All rights reserved.
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 #include "ParserPch.h"
@@ -199,16 +200,17 @@ namespace UnifiedRegex
 #endif
     }
 
-    void RuntimeCharTrie::CloneFrom(ArenaAllocator* allocator, const CharTrie& other)
+    void RuntimeCharTrie::CloneFrom(Js::ScriptContext* scriptContext, ArenaAllocator* allocator, const CharTrie& other)
     {
+        PROBE_STACK_NO_DISPOSE(scriptContext, Js::Constants::MinStackRegex);
         count = other.count;
         if (count > 0)
         {
             children = AnewArray(allocator, RuntimeCharTrieEntry, count);
             for (int i = 0; i < count; i++)
             {
                 children[i].c = other.children[i].c;
-                children[i].node.CloneFrom(allocator,  other.children[i].node);
+                children[i].node.CloneFrom(scriptContext, allocator,  other.children[i].node);
             }
         }
         else
diff --git a/lib/Parser/CharTrie.h b/lib/Parser/CharTrie.h
@@ -1,5 +1,6 @@
 //-------------------------------------------------------------------------------------------------------
 // Copyright (C) Microsoft. All rights reserved.
+// Copyright (c) ChakraCore Project Contributors. All rights reserved.
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 #pragma once
@@ -65,7 +66,7 @@ namespace UnifiedRegex
     public:
         inline RuntimeCharTrie() : count(0), children(0) {}
         void FreeBody(ArenaAllocator* allocator);
-        void CloneFrom(ArenaAllocator* allocator, const CharTrie& other);
+        void CloneFrom(Js::ScriptContext* scriptContext, ArenaAllocator* allocator, const CharTrie& other);
 
         bool Match
             ( const Char* const input
diff --git a/lib/Parser/RegexCompileTime.cpp b/lib/Parser/RegexCompileTime.cpp
@@ -1,5 +1,6 @@
 //-------------------------------------------------------------------------------------------------------
 // Copyright (C) Microsoft. All rights reserved.
+// Copyright (c) ChakraCore Project Contributors. All rights reserved.
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 #include "ParserPch.h"
@@ -2538,7 +2539,7 @@ namespace UnifiedRegex
                     {
                         // Root of trie will live in compile-time allocator, but body will be in run-time allocator
                         runtimeTrie = Anew(compiler.ctAllocator, RuntimeCharTrie);
-                        runtimeTrie->CloneFrom(compiler.rtAllocator, trie);
+                        runtimeTrie->CloneFrom(compiler.scriptContext, compiler.rtAllocator, trie);
                         scheme = Trie;
                     }
                     return;
diff --git a/test/Regex/regexCharTrieStack.js b/test/Regex/regexCharTrieStack.js
@@ -0,0 +1,54 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Copyright (c) ChakraCore Project Contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+var testString = "tacgattttatcgcgactagttaatcatcatagcaagtaaaatttgaattatgtcattat\
+catgctccattaacaggttatttaattgatactgacgaaattttttcacaatgggttttc\
+tagaatttaatatcagtaattgaagccttcataggggtcctactagtatcctacacgacg\
+caggtccgcagtatcctggagggacgtgttactgattaaaagggtcaaaggaatgaaggc\
+tcacaatgttacctgcttcaccatagtgagccgatgagttttacattagtactaaatccc\
+aaatcatactttacgatgaggcttgctagcgctaaagagaatacatacaccaccacatag\
+aattgttagcgatgatatcaaatagactcctggaagtgtcagggggaaactgttcaatat\
+ttcgtccacaggactgaccaggcatggaaaagactgacgttggaaactataccatctcac\
+gcccgacgcttcactaattgatgatccaaaaaatatagcccggattcctgattagcaaag\
+ggttcacagagaaagatattatcgacgtatatcccaaaaaacagacgtaatgtgcatctt\
+cgaatcgggatgaatacttgtatcataaaaatgtgacctctagtatacaggttaatgtta\
+ctcacccacgtatttggtctaattatgttttatttagtgacaatccaatagataaccggt\
+cctattaagggctatatttttagcgaccacgcgtttaaacaaaggattgtatgtagatgg\
+gcttgatataagatttcggatgtatgggttttataatcgttggagagctcaatcatgagc\
+taatacatggatttcgctacctcaccgagagaccttgcatgaagaattctaaccaaaagt\
+ttaataggccggattggattgagttaattaagaccttgttcagtcatagtaaaaaccctt\n\
+aaattttaccgattgacaaagtgagcagtcgcaataccctatgcgaaacgcctcgatagt\n\
+gactaggtatacaaggtttttgagttcctttgaaatagttaactaatttaaaattaatta\n\
+acgacatggaaatcacagaacctaatgctttgtaggagttatttatgctgtttactgcct\n\
+ctacaaccctaataaagcagtcctaagaatgaaacgcatcttttagttcagaaagtggta\n\
+tccagggtggtcaatttaataaattcaacatcgggtctcaggatattcggtcatataatt\n\
+tattaagggctcttcgagtcttactctgagtgaaattggaaacagtcatccttttcgttg\n\
+tgaggcatcttacaccgctatcgatatacaatgcattccaccgcggtgtcccgtacacaa\n\
+ggaaacttgttaccttggggatataagaaaactcacacgtctcattattaaactgagtac\n\
+tggaacgcacctcggatctgttgcactggattaaaatccgattatttttaaaaatattca\n\
+gtgctagagcatatcaggtctacttttttatctggtatgtaaagcccacggagcgatagt\n\
+gagatccttacgactcaacgaaaagttataacataactcccgttagccaaagcccaatcc\n\
+\n";
+testString = testString + testString + testString;
+testString = testString + testString + testString;
+testString = testString + testString + testString;
+testString = testString + testString + testString;
+var seqs = [/a|tttaccct/ig];
+
+Array.prototype.push.call(seqs, false, Array.prototype.concat.call(seqs, seqs, testString));
+try {
+  for (i in seqs) {
+    testString.match(seqs[i]);
+  }
+  print ("Test should produce Stack over flow but didn't, case may need amending")
+}
+catch(e) {
+  if (e == "Error: Out of stack space") {
+    print ("pass")
+  } else {
+    print ("Wrong error thrown, expected \"Error: Out of stack space\" but recieved \"" + e + "\"");
+  }
+}
diff --git a/test/Regex/rlexe.xml b/test/Regex/rlexe.xml
@@ -247,4 +247,9 @@
       <compile-flags>-args summary -endargs</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>regexCharTrieStack.js</files>
+    </default>
+  </test>
 </regress-exe>

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`//-------------------------------------------------------------------------------------------------------`
`2`	`2`	`// Copyright (C) Microsoft. All rights reserved.`
	`3`	`+// Copyright (c) ChakraCore Project Contributors. All rights reserved.`
`3`	`4`	`// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.`
`4`	`5`	`//-------------------------------------------------------------------------------------------------------`
`5`	`6`	`#include "ParserPch.h"`
`@@ -199,16 +200,17 @@ namespace UnifiedRegex`
`199`	`200`	`#endif`
`200`	`201`	`}`
`201`	`202`
`202`		`- void RuntimeCharTrie::CloneFrom(ArenaAllocator* allocator, const CharTrie& other)`
	`203`	`+ void RuntimeCharTrie::CloneFrom(Js::ScriptContext* scriptContext, ArenaAllocator* allocator, const CharTrie& other)`
`203`	`204`	`{`
	`205`	`+ PROBE_STACK_NO_DISPOSE(scriptContext, Js::Constants::MinStackRegex);`
`204`	`206`	`count = other.count;`
`205`	`207`	`if (count > 0)`
`206`	`208`	`{`
`207`	`209`	`children = AnewArray(allocator, RuntimeCharTrieEntry, count);`
`208`	`210`	`for (int i = 0; i < count; i++)`
`209`	`211`	`{`
`210`	`212`	`children[i].c = other.children[i].c;`
`211`		`- children[i].node.CloneFrom(allocator, other.children[i].node);`
	`213`	`+ children[i].node.CloneFrom(scriptContext, allocator, other.children[i].node);`
`212`	`214`	`}`
`213`	`215`	`}`
`214`	`216`	`else`