Test case:

var i = 0;
oomTest(function() {
    for (var j = 0; j < 20; ++j) {
        var r = RegExp(`(?<_${(i++).toString(32)}a>)`);
        try { var e = r.exec("a"); } catch {}
        if (e && e.groups === undefined) print("bad groups");
        try { var e = r.exec("a"); } catch {}
        if (e && e.groups === undefined) print("bad groups");
    }
});

Expected:

• Doesn't print "bad groups"

Actual:

• Prints "bad groups"

This happens after OOM in RegExpShared::initializeNamedCaptures: RegExpShared::kind_ is already set to RegExpShared::Kind::RegExp by the earlier call to RegExpShared::useRegExpMatch, so we don't try to recompile the pattern to compute the groups for the second exec call.

Iain, could take a look at this bug.

If we throw an OOM in initializeNamedCaptures for a RegExpShared, we will set kind to RegExp, but not initialize the named captures data. If we recover from the OOM and then execute the same regexp, the cached RegExpShared will not be reparsed, and we won't create named captures for it.

The fix is to reorder CompilePattern so that we only change the state of the RegExpShared after all of the initialization has succeeded. initializeNamedCaptures already avoids this problem by saving the updates until the end.

Depends on D76956

Backed out for build bustages on bug1640479.js.

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&selectedTaskRun=eqf7pwPnR6KNb1KwfYmqPw-0&resultStatus=testfailed%2Cbusted%2Cexception&revision=53f03c928ac64c7e4878fa57577de660fcc21ad2

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=303990415&repo=autoland&lineNumber=45367

Backout: https://hg.mozilla.org/integration/autoland/rev/9a6631a07b7552cd81314c955c38d1f1f2276dee

Forgot to make the testcase conditional on oomTest being defined.

https://hg.mozilla.org/mozilla-central/rev/13469bdc290b