Closed Bug 1663243 Opened 4 years ago Closed 4 years ago

replace() using RegEx shorthand \S causes browser tab to hang

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Version:
80 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1391654

People

(Reporter: backeschwein, Unassigned)

References

Details

Attachments

(1 file)

Aufnahme #8.mp4
236.44 KB, video/mp4
Details
Attached video Aufnahme #8.mp4

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36

Steps to reproduce:

Using replace() with the RegEx shorthand \S causes the browser tab to hang. Please use following code:

<script>
let content = "Foo [mono,mark:white]bar[/mark,mono].";
content = content.replace(/[(\S+)?](.?)[/([a-z]+)*?]/gi, '');

document.write('Result: ');
document.write(content);

</script>

Actual results:

Browser tab hangs.

Expected results:

Output of the result.

Because of markdown, the testcase is rendered wrongly.

<script>
let content = "Foo [mono,mark:white]bar[/mark,mono].";
content = content.replace(/\[(\S+)*?](.*?)\[\/([a-z]+)*?]/gi, '');

document.write('Result: ');
document.write(content);
</script>

What do you mean by 'markdown'?

This comment field supports Markdown styling, and code should be inside triple backquotes.
https://guides.github.com/features/mastering-markdown/

part of the code in comment #0 is styled as italic, because of asterisk

I see, thanks for fixing it for me, I was not aware of it.

\S isn't key part of this issue, but any pattern that matches to all characters in the content can cause this issue.

This seems to cause catastrophic backtracking because of nesting + and *?.
The same happens on chrome, but not on Safari.

For now, I'd suggest simplifying the pattern to something simpler and more deterministic.

Status: UNCONFIRMED → NEW
Component: Untriaged → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core

Yes, this is also present in Chrome, I reported it:
https://bugs.chromium.org/p/chromium/issues/detail?id=1125234

Severity: -- → S3
Priority: -- → P3

https://bugs.chromium.org/p/chromium/issues/detail?id=1125234#c11

We are currently looking into non-backtracking engine to solve these kinds of issues, see https://crbug.com/v8/10765.

See Also: → https://bugs.chromium.org/p/v8/issues/detail?id=10765

Closing as a dup of bug 1391654 per comment #5.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: