Closed Bug 682252 Opened 13 years ago Closed 13 years ago

YARR Assertion failure: static_cast<unsigned>(-position) <= pos (or optimized crash [@ JSC::Yarr::Interpreter::checkCharacterClass])

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
firefox6 - unaffected
firefox7 - wontfix
firefox8 - affected
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: decoder, Assigned: dmandelin)

References

Details

(4 keywords, Whiteboard: [sg:high][js-triage-needed][qa-] wanted-standalone-js)

Crash Data

The following test crashes (YARR assert) on mozilla-central (tested revision 7054f0e3e70e) when run with options "-j -m". Test was produced by LangFuzz with the regular expression extension:

re = new RegExp("([^b]*)+((..)|(\\3))+?Sc*a!(a|ab)(c|bcd)(<*)", "i");
var str = "aNULLxabcd";
str.replace(re, function(s) { return s; });

Optimized shell furthermore crashes dangerously:

==12570== Invalid read of size 2
==12570==    at 0x51F060: JSC::Yarr::Interpreter::checkCharacterClass(JSC::Yarr::CharacterClass*, bool, int) (YarrInterpreter.cpp:212)
==12570==    by 0x51F420: JSC::Yarr::Interpreter::matchCharacterClass(JSC::Yarr::ByteTerm&, JSC::Yarr::Interpreter::DisjunctionContext*) (YarrInterpreter.cpp:454)
==12570==    by 0x51FD87: JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool) (YarrInterpreter.cpp:1194)
==12570==    by 0x51F81F: JSC::Yarr::Interpreter::matchNonZeroDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool) (YarrInterpreter.cpp:1376)
==12570==    by 0x5201AF: JSC::Yarr::Interpreter::matchParentheses(JSC::Yarr::ByteTerm&, JSC::Yarr::Interpreter::DisjunctionContext*) (YarrInterpreter.cpp:881)
==12570==    by 0x51FDA7: JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool) (YarrInterpreter.cpp:1202)
==12570==    by 0x5202D8: JSC::Yarr::Interpreter::interpret() (YarrInterpreter.cpp:1401)
==12570==    by 0x51EB52: JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, unsigned short const*, unsigned int, unsigned int, int*) (YarrInterpreter.cpp:1901)
==12570==    by 0x414BD9: js::RegExp::executeInternal(JSContext*, js::RegExpStatics*, JSString*, unsigned long*, bool, js::Value*) (jsregexpinlines.h:371)
==12570==    by 0x4982AE: DoMatch(JSContext*, js::RegExpStatics*, JSString*, RegExpPair const&, bool (*)(JSContext*, js::RegExpStatics*, unsigned long, void*), void*, MatchControlFlags, js::Value*) (jsregexpinlines.h:167)
==12570==    by 0x49A0AF: js::str_replace(JSContext*, unsigned int, js::Value*) (jsstr.cpp:2049)
==12570==    by 0x51019C: CallCompiler::generateNativeStub() (jscntxtinlines.h:281)
==12570==  Address 0x2041039c4 is not stack'd, malloc'd or (recently) free'd
==12570==
==12570==
==12570== Process terminating with default action of signal 11 (SIGSEGV)
==12570==  Access not within mapped region at address 0x2041039C4

Bisect shows the same revision as bug 679986 (the YARR import):

The first bad revision is:
changeset:   70607:cc36a234d0d6
user:        David Mandelin <dmandelin@mozilla.com>
date:        Thu May 12 18:39:47 2011 -0700
summary:     Bug 625600: Update Yarr import to WebKit rev 86639, r=cdleary,dvander

It seems unlikely to me though that it's the same bug (more likely the import of that WebKit revision pulled in a few bugs).

Cloned this from bug 679986 including all tracking flags.
Blocks: 682572
Whiteboard: [sg:critical?] → [sg:critical?][js-triage-needed]
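The following JavaScript is an added regression check built from the reporter's pattern and input above; it is not the bug's attached testcase nor the file committed under in-testsuite+. It runs the same replace() call (which on an affected build asserts or segfaults inside JSC::Yarr::Interpreter::checkCharacterClass) and also records the match result a correct engine must produce: the pattern requires a literal "!" after "Sc*a", and "aNULLxabcd" contains none, so there is no match and the string comes back unchanged. The helper names runTestcase, expectedResult and check are this example's own.

```javascript
// Added regression check for the YARR crash reported in this bug.
// Not the bug's own testcase file; pattern and input are copied from comment 0.
const re = new RegExp("([^b]*)+((..)|(\\3))+?Sc*a!(a|ab)(c|bcd)(<*)", "i");
const str = "aNULLxabcd";

// Runs the exact replace() call from the report. On an affected build this
// trips the YARR assertion (or an invalid read in an optimized shell); on a
// fixed build it returns normally and we can inspect the result.
function runTestcase() {
  const out = str.replace(re, function (s) { return s; });
  return { output: out, matched: re.test(str) };
}

// The pattern needs "Sc*a!" somewhere in the input. There is no "!" in
// "aNULLxabcd", so a correct engine reports no match and replace() leaves
// the input untouched.
function expectedResult() {
  return { output: str, matched: false };
}

// True when the engine survived the call and produced the expected result.
function check() {
  const got = runTestcase();
  const want = expectedResult();
  return got.output === want.output && got.matched === want.matched;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(check() ? "PASS: no crash, no match" : "FAIL: unexpected match result");
}
```

Run it under a JS shell built from the affected range to reproduce, and under a fixed build (the revision from bug 683838 or later) to confirm the PASS line; a crash is reported by the shell itself, so the script never reaches the result check in that case.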
This also affects WebKit trunk. Filed https://bugs.webkit.org/show_bug.cgi?id=67454
@dmandelin: Can you Cc me on the webkit bug? Same email address as used here. Thanks!
Assignee: general → dmandelin
Whiteboard: [sg:critical?][js-triage-needed] → [sg:critical?][js-triage-needed] wanted-standalone-js
I cannot reproduce this anymore since the fix for bug 683838 landed:

The first good revision is:
changeset:   78388:b9bae20fb35c
user:        Gavin Barraclough
date:        Fri Oct 07 17:52:50 2011 -0700
summary:     Bug 683838: Fix return logic in backTrackParentheses, r=dmandelin

Someone from the JS dev team should verify that these two were really the same issues and mark this fixed as appropriate. Furthermore, I'm marking this as sg:high because the symptoms look similar to those described in comment 18 of bug 679986. Feel free to adjust the rating if this is not correct.
Whiteboard: [sg:critical?][js-triage-needed] wanted-standalone-js → [sg:high][js-triage-needed] wanted-standalone-js
Depends on: 683838
Flags: in-testsuite?
I can't repro this any more either, so I'm pretty sure it's a dup. The presumed fix was merged to aurora, and I verified this no longer crashes there as well.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
I was told s-g bugs are not duped to non-sg bugs but rather resolved as fixed with a depend on the duplicate bug. Shall we still do that here?
Resolution: DUPLICATE → FIXED
Due to the dependencies to reproduce this bug, marking qa-. Christian, could you kindly verify this is fixed on Firefox 9 and 10?
Whiteboard: [sg:high][js-triage-needed] wanted-standalone-js → [sg:high][js-triage-needed][qa-] wanted-standalone-js
Confirmed to be fixed on Firefox 9 and 10.
Group: core-security
Status: RESOLVED → VERIFIED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+