1015677 - irregexp: hang without slow script dialog while executing regular expression

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Alice0775 White]

+++ This bug was initially created as a clone of Bug #998785 +++

Browser hang up when evaluete the following regular expression.

/<([\w\:]+)((?:[\s\w:=]+|'[^']*'|"[^"]*")*)(?:\/>|>([\d,]*)<\/[^>]+>)/g.test("<rdf:Description rdf:about=\"\"            xmlns:test=\"http://test.com/pdf/1.3/\">2,<t>3,</t></rdf:Description>")

Steps To Reproduce:
1. Open "Error Console" (devtools.errorconsole.enabled = true), OR "Browser Console"
2. Evaluate the above code.

Actual Results:
Browser hang up

Expected Results:
Browser should not hang up.

Comment 1

[Till Schneidereit [:till]]

This isn't related to the Yarr issues: it only happens in builds from after the switch to V8's irregexp engine.

Additionally, executing the same code in the Chrome devtools also causes a hang of the content process, so it seems to happen inside irregexp itself.

Reported upstream at https://code.google.com/p/v8/issues/detail?id=3349.

Comment 2

[Brian Hackett [Laid off!]]

Attachment: check interrupts during backtrack

I guess the ilooping here is an irregexp bug but we shouldn't be hanging.  The attached patch checks the interrupt flag on the runtime when backtracking in irregexp, as is done by v8.

Comment 3

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/9965b32f739b

Comment 4

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/9965b32f739b

Comment 5

[Benjamin Kerensa [:bkerensa]]

I'm guessing this would impact a small segment of users had this not been fixed. I'm comfortable not tracking this.

Comment 6

[Andrew McCreight [:mccr8]]

FWIW, dougt actually hit this problem in the wild, albeit on a site somebody posted as an example of browsers taking up a ridiculous amount of CPU.