From 0b2edc409742feb9f5531f8db637cc3d27766ae7 Mon Sep 17 00:00:00 2001
From: jgruber
Date: Wed, 31 Jan 2018 11:52:52 +0100
Subject: [PATCH] [fuzzers] Support parsing failures in regexp-builtins fuzzer

The fuzzer found a couple of cases that exploited comments of the form:

function test() {
const re = /*.../;
const str = '...*/...';
let result;
try {
result = re.exec(str);
} catch (e) {
/* ... */
}
}

Note that the first line does not contain a regexp literal, it starts a comment instead. The second line terminates the comment.

This fixes detection of such cases by initializing `result` to null.

TBR=yangguo@chromium.org

Bug: chromium:805970
Change-Id: I5d46db9892e2b4e71cdc2907cebf07a2e33b7a0e
Reviewed-on: https://chromium-review.googlesource.com/894403
Reviewed-by: Jakob Gruber
Commit-Queue: Jakob Gruber
Cr-Commit-Position: refs/heads/master@{#50991}
---
 test/fuzzer/regexp-builtins.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/fuzzer/regexp-builtins.cc b/test/fuzzer/regexp-builtins.cc
index f92cbd240b..2075f7a4db 100644
--- a/test/fuzzer/regexp-builtins.cc
+++ b/test/fuzzer/regexp-builtins.cc
@@ -296,7 +296,7 @@ std::string GenerateSourceString(FuzzerArgs* args, const std::string& test) {
 << flags << ";\n"
 << " re.lastIndex = " << last_index << ";\n"
 << " const str = '" << subject << "';\n"
- << " let result;\n"
+ << " let result = null;\n"
 << " let exception = null;\n"
 << " try {\n"
 << " result = " << test << "\n"
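Review bot: The added `let result = null;` line carries its rationale only in the commit message; in the code it reads like a cosmetic change, and a later cleanup could plausibly revert it to `let result;` and silently reintroduce the missed detection. A C++ comment above the `<<` on that line would keep the reason next to the code, e.g. `// Initialize to null rather than leaving it undefined: a fuzzer-chosen pattern that begins with '*' turns "/.../" into a block comment that swallows the following lines (until a '*/' in the subject), and the harness must tell that case apart from a completed run.` The code that consumes `result` and distinguishes null from undefined is not in this hunk, so the wording should be checked against it. GenerateSourceString's body starts before and continues past this hunk.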