Closed Bug 187133 Opened 22 years ago Closed 21 years ago

crash if particular JS RegExp search operation called

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: ji_bo, Assigned: rogerl)

Details

(Keywords: crash, Whiteboard: [QA: verify testcase interactively on Linux; segfault not caught by Perl])

User-Agent: Mozilla/4.0 (compatible; non MSIE 5.0;)
Build Identifier: 2002053012

The crash occurs when the following is called from the urlbar:

javascript: alert( 'ah.info'.search(/(\.(?!com|org)|\/)/) );

Reproducible: Always

Steps to Reproduce:
1. copy the expression to urlbar and press enter

Actual Results: crash

Expected Results: not to crash :-)
Reassigning to JS Engine. I crash on the following regexp in the standalone JS shell:

js> var re = /(?!a|b)|c/;
js> re('');   <<<------------------------------ CRASH

STACK TRACE:
matchRENodes(MatchState * 0x0012e154, RENode * 0x00306300, RENode * 0x00306240, const unsigned short * 0x003051e0) line 1692 + 8 bytes
matchRENodes(MatchState * 0x0012e154, RENode * 0x003062e0, RENode * 0x00000000, const unsigned short * 0x003051e0) line 1818 + 27 bytes
matchRENodes(MatchState * 0x0012e154, RENode * 0x003062c0, RENode * 0x00000000, const unsigned short * 0x003051e0) line 1697 + 24 bytes
MatchRegExp(MatchState * 0x0012e154, RENode * 0x003062c0, const unsigned short * 0x003051e0) line 2017 + 19 bytes
js_ExecuteRegExp(JSContext * 0x00301d60, JSRegExp * 0x00306220, JSString * 0x002fb8b8, unsigned int * 0x0012e1e4, int 0, long * 0x0012e308) line 2086 + 20 bytes
regexp_exec_sub(JSContext * 0x00301d60, JSObject * 0x002fb8b0, unsigned int 1, long * 0x0042106c, int 0, long * 0x0012e308) line 2736 + 29 bytes
regexp_exec(JSContext * 0x00301d60, JSObject * 0x002fb8b0, unsigned int 1, long * 0x0042106c, long * 0x0012e308) line 2749 + 27 bytes
regexp_call(JSContext * 0x00301d60, JSObject * 0x002fb340, unsigned int 1, long * 0x0042106c, long * 0x0012e308) line 2488 + 31 bytes
js_Call(JSContext * 0x00301d60, JSObject * 0x002fb340, unsigned int 1, long * 0x0042106c, long * 0x0012e308) line 3199 + 26 bytes
js_Invoke(JSContext * 0x00301d60, unsigned int 1, unsigned int 0) line 839 + 23 bytes
js_Interpret(JSContext * 0x00301d60, long * 0x0012fed8) line 2803 + 15 bytes
js_Execute(JSContext * 0x00301d60, JSObject * 0x002fb340, JSScript * 0x00306170, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fed8) line 1020 + 13 bytes
JS_ExecuteScript(JSContext * 0x00301d60, JSObject * 0x002fb340, JSScript * 0x00306170, long * 0x0012fed8) line 3277 + 25 bytes
Process(JSContext * 0x00301d60, JSObject * 0x002fb340, char * 0x00000000) line 369 + 22 bytes
ProcessArgs(JSContext * 0x00301d60, JSObject * 0x002fb340, char * * 0x00300014, int 0) line 508 + 17 bytes
main(int 0, char * * 0x00300014) line 2108 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 77f1b9ea()

Note both the ? and ! symbols are necessary in order for me to crash. I don't know if this will be fixed by the RegExp rewrite in bug 85721. I would guess "Yes", since both the reporter's example and mine work perfectly in Rhino, where the rewrite has already been committed:

[ ] java org.mozilla.javascript.tools.shell.Main
Rhino 1.5 release 4 0000 00 00 (in progress)
js> 'ah.info'.search(/(\.(?!com|org)|\/)/);
2
js> var re = /(!a|b)|c/;
js> re('');
null

I will let Roger decide whether this is a duplicate of bug 85721 -
Assignee: nboyd → rogerl
Component: Core → JavaScript Engine
Product: Rhino → Browser
Version: other → Trunk
QA note: there is test coverage for the ?! operator in the large files:

mozilla/js/tests/ecma_3/RegExp/perlstress-001.js
mozilla/js/tests/ecma_3/RegExp/regress-85721.js

Nevertheless, I will add the examples from this bug in a new regression testcase -
Testcase added to JS testsuite:

mozilla/js/tests/ecma_3/RegExp/regress-187133.js

Currently passing in Rhino, but crashing in SpiderMonkey in both the debug and optimized shell.

Note the typo at the end of Comment #1 above: /(!a|b)|c/ should be /(?!a|b)|c/ as at the beginning of the comment.
Keywords: crash
OS: Windows 98 → All
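The two expressions from this bug (the reporter's `.search()` and the reduced `/(?!a|b)|c/` from Comment #1), run through a small harness in the spirit of the regression testcase mentioned above. This is an added example, not the bug's own testcase or Mozilla code; the inputs other than 'ah.info' and '' are constructed to show the negative-lookahead semantics the engine must implement without crashing.

```javascript
// Constructed cases: a regexp, the String/RegExp method to call, and the input.
const CASES = [
  // Reporter's expression: a '.' not followed by com/org, or a '/'.
  { re: /(\.(?!com|org)|\/)/, method: 'search', input: 'ah.info' }, // '.' at 2, followed by 'info'
  { re: /(\.(?!com|org)|\/)/, method: 'search', input: 'ah.com' },  // '.' is followed by 'com', no '/'
  { re: /(\.(?!com|org)|\/)/, method: 'search', input: 'a/b.org' }, // second branch '\/' at 1
  // Reduced expression from Comment #1: a negative lookahead over an alternation,
  // itself one branch of an outer alternation. At end of input the lookahead has
  // nothing to look at, so (?!a|b) succeeds and yields an empty match.
  { re: /(?!a|b)|c/, method: 'exec', input: '' },
  { re: /(?!a|b)|c/, method: 'exec', input: 'a' },  // fails at 0, empty match at end (index 1)
  { re: /(?!a|b)|c/, method: 'exec', input: 'c' },  // first branch wins: empty match at 0, 'c' never consumed
];

// Run one case, recording an exception instead of propagating it so that a
// shell which throws (or, as in this bug, crashes) is distinguishable from one
// that returns a result.
function runCase({ re, method, input }) {
  try {
    const result = method === 'search' ? input.search(re) : re.exec(input);
    return { pattern: re.source, input, ok: true, result };
  } catch (err) {
    return { pattern: re.source, input, ok: false, error: String(err) };
  }
}

function runAll() {
  return CASES.map(runCase);
}

// Reduce an exec() result to [index, whole match, first capture] for comparison;
// the capture is undefined when the pattern has no capturing group.
function describeExec(m) {
  return m === null ? null : [m.index, m[0], m[1]];
}

for (const r of runAll()) {
  const shown = Array.isArray(r.result) ? describeExec(r.result) : r.result;
  console.log(r.pattern, JSON.stringify(r.input), r.ok ? JSON.stringify(shown) : r.error);
}
```
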
By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and <http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss bugs are of critical or possibly higher severity. Only changing open bugs to minimize unnecessary spam. Keywords to trigger this would be crash, topcrash, topcrash+, zt4newcrash, dataloss.
Severity: normal → critical
The rewrite from bug 85721 fixes this.
Depends on: RegExpPerf
Whiteboard: [QA: verify testcase interactively on Linux; segfault not caught by Perl]
Probably fixed with bug 85721. /be
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME