Bug 241107

Summary:	ASSERTION FAILED: regExp->isValid() LLIntSlowPaths.cpp(625)
Product:	WebKit	Reporter:	Michael Saboff <msaboff>
Component:	JavaScriptCore	Assignee:	Michael Saboff <msaboff>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Description Michael Saboff 2022-05-30 11:31:05 PDT

If there is an error when parsing a regular expression, we don't emit a NewRegExp bytecode.  Instead we create a syntax error.  The case here is that the regexp parses fine, but fails when we try to generate JIT code or try to compile to YARR bytecode.  Although this code generation fails, we cache the RegExp.  On subsequent use of the same RegExp, we retrieve the cached RegExp and assert that it is "valid".  This validity test is not necessary as the matching code properly handles the case where we can't generate code for a RegExp and turns it into a ParseError.  Therefore we can remove these debug asserts of a valid RegExp when retrieving from the cache.

Comment 1 Michael Saboff 2022-05-30 11:31:19 PDT

<rdar://93369481>

Comment 2 Michael Saboff 2022-05-30 12:00:43 PDT

Here is a test case:

function testRegExp()
{
    /((a{100000000})*b{2100000000})+/.test("b");
}

function test(testRE)
{
    for (let i = 0; i < 5000; ++i) {
        try {
            testRE();
        } catch {};
    }
}

test(testRegExp);

Comment 3 Michael Saboff 2022-05-30 12:19:52 PDT

Pull request: https://github.com/WebKit/WebKit/pull/1163

Comment 4 EWS 2022-05-31 14:23:39 PDT

Committed r295066 (251161@main): <https://commits.webkit.org/251161@main>

Reviewed commits have been landed. Closing PR #1163 and removing active labels.