[fuzzers] Support parsing failures in regexp-builtins fuzzer

The fuzzer found a couple of cases that exploited comments of the
form:

  function test() {
    const re = /*.../;
    const str = '...*/...';
    let result;
    try { result = re.exec(str); } catch (e) { /* ... */ }
  }

Note that the first line does not contain a regexp literal; it starts
a comment instead. The second line terminates the comment.

This fixes detection of such cases by initializing `result` to null.

TBR=yangguo@chromium.org

Bug: chromium:805970
Change-Id: I5d46db9892e2b4e71cdc2907cebf07a2e33b7a0e
Reviewed-on: https://chromium-review.googlesource.com/894403
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50991}
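The tokenization hazard the commit message describes, as an added illustration that is not V8's fuzzer code: a generated pattern whose first character is `*` turns the intended `/.../` literal into a `/* ... */` block comment, and the comment then runs until a `*/` somewhere in the subject string. The snippet below mirrors the shape of the generated test source shown in the commit message, evaluates it with `new Function` (an assumption; the real fuzzer runs the source inside V8 directly), and classifies what actually happened. `generateSource`, `runGenerated` and `startsComment` are hypothetical names, and the pattern/subject pairs are constructed sample inputs.

```javascript
// Added example, not the project's own code. Builds a test body shaped like
// the fuzzer's generated source and reports whether `re.exec` really ran.

// `init` is the initializer spliced after `let result`: "" reproduces the
// old `let result;`, " = null" reproduces the fixed `let result = null;`.
function generateSource(pattern, subject, init) {
  return [
    "const re = /" + pattern + "/;",
    "const str = '" + subject + "';",
    "let result" + init + ";",
    "let exception = null;",
    "try { result = re.exec(str); } catch (e) { exception = e; }",
    "return { result, exception };",
  ].join("\n");
}

// Compile and run the generated body. Outcomes:
//   'syntax-error'  the body never compiled (the comment swallowed the
//                   regexp literal and left broken code behind it)
//   'exception'     it compiled, but exec threw because `re` is not a
//                   RegExp (the literal became a comment)
//   'match'         exec ran and returned an array
//   'no-match'      exec ran and returned null
function runGenerated(pattern, subject, init) {
  let fn;
  try {
    fn = new Function(generateSource(pattern, subject, init));
  } catch (e) {
    return { outcome: "syntax-error", result: undefined, exception: e };
  }
  const { result, exception } = fn();
  if (exception !== null) {
    return { outcome: "exception", result, exception };
  }
  return {
    outcome: Array.isArray(result) ? "match" : "no-match",
    result,
    exception,
  };
}

// Cheap pre-check a generator can apply before splicing a pattern after '/':
// a leading '*' means the literal will be read as the start of a comment.
function startsComment(pattern) {
  return pattern.startsWith("*");
}

// Constructed inputs exercising each outcome.
const samples = [
  ["ab", "xab"],                        // ordinary match
  ["ab", "zz"],                         // ordinary no-match
  ["*ab", "x*/y"],                      // comment ends mid-string: syntax error
  ["*ab", "*/ 1; const str = 'x'; //"], // comment ends, `re` is the number 1
];
for (const [pattern, subject] of samples) {
  const r = runGenerated(pattern, subject, " = null");
  console.log(JSON.stringify(pattern), "->", r.outcome,
              "result =", r.result === undefined ? "undefined" : JSON.stringify(r.result));
}
```

In the swallowed-comment case the old `let result;` leaves `result` as `undefined` (a value `exec` can never return) while the fixed form leaves it as `null`; either way the harness learns whether `exec` actually executed only by also looking at the compile failure or the caught `exception`, which is what `runGenerated` does.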
jgruber 2018-01-31 11:52:52 +01:00 committed by Commit Bot
parent 8361fa5896
commit 0b2edc4097


@ -296,7 +296,7 @@ std::string GenerateSourceString(FuzzerArgs* args, const std::string& test) {
<< flags << ";\n" << flags << ";\n"
<< " re.lastIndex = " << last_index << ";\n" << " re.lastIndex = " << last_index << ";\n"
<< " const str = '" << subject << "';\n" << " const str = '" << subject << "';\n"
<< " let result;\n" << " let result = null;\n"
<< " let exception = null;\n" << " let exception = null;\n"
<< " try {\n" << " try {\n"
<< " result = " << test << "\n" << " result = " << test << "\n"
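Review bot: the switch from `let result;` to `let result = null;` is undocumented at the point of change; since `exception` on the very next line is already null-initialised and the reason the initialiser matters (a pattern beginning with `*` turning `/*` into a comment, per the commit message) is not visible in the generated source, add a one-line comment beside `<< " let result = null;\n"` in GenerateSourceString saying why it must not be left undefined. Consider also whether the generator should reject or escape a leading `*` in the pattern (and a `*/` in the subject) before emitting the source, rather than relying on the initialiser alone to make such cases detectable.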