Gracefully handle StringBuffer overflow in RegExp replace operator by asworkjsc · Pull Request #59595 · WebKit/WebKit

asworkjsc · 2026-02-27T19:42:11Z

`e3c1c12`

Gracefully handle StringBuffer overflow in RegExp replace operator
https://bugs.webkit.org/show_bug.cgi?id=308836
rdar://171058069

Reviewed by Marcus Plutowski.

When the RegExp replace operator is called, if the output string
overflows the maximum legal length of a javascript string it is
supposed to throw an out-of-memory error, rather than triggering a
controlled crash.

Test: JSTests/stress/string-regexp-replace-oom.js

* JSTests/stress/string-regexp-replace-oom.js: Added.
(Object.__proto__.__proto__.Symbol.replace):
(catch):
* Source/JavaScriptCore/runtime/RegExpPrototype.cpp:
(JSC::getSubstitution):

Canonical link: https://commits.webkit.org/308478@main

b1f4c50

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	✅ 🛠 ios-apple
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	~~🧪 win-tests~~	✅ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		✅ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	~~🧪 mac-wk1~~	✅ 🛠 gtk
✅ 🛠 🧪 jsc-debug-arm64	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
✅ 🛠 🧪 merge	~~🛠 vision-sim~~	✅ 🧪 mac-wk2-stress	~~🛠 playstation~~
	~~🧪 vision-wk2~~	✅ 🧪 mac-intel-wk2	✅ 🛠 jsc-armv7
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	✅ 🧪 jsc-armv7-tests
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-02-27T19:42:19Z

EWS run on previous version of this PR (hash 5335073)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	~~🛠 ios~~	~~🛠 mac~~	~~🛠 wpe~~	~~🛠 win~~	⏳ 🛠 ios-apple
	~~🛠 ios-sim~~	✅ 🛠 mac-AS-debug	~~🧪 wpe-wk2~~	~~🧪 win-tests~~	⏳ 🛠 mac-apple
✅ 🧪 webkitperl	~~🧪 ios-wk2~~	~~🧪 api-mac~~	~~🧪 api-wpe~~		⏳ 🛠 vision-apple
	~~🧪 ios-wk2-wpt~~	~~🧪 api-mac-debug~~	~~🛠 gtk3-libwebrtc~~
~~🛠 🧪 jsc~~	~~🧪 api-ios~~	~~🧪 mac-wk1~~	~~🛠 gtk~~
~~🛠 🧪 jsc-debug-arm64~~	~~🛠 ios-safer-cpp~~	~~🧪 mac-wk2~~	~~🧪 gtk-wk2~~
	~~🛠 vision~~	~~🧪 mac-AS-debug-wk2~~	~~🧪 api-gtk~~
	~~🛠 vision-sim~~	~~🧪 mac-wk2-stress~~	~~🛠 playstation~~
	⏳ 🧪 vision-wk2	~~🧪 mac-intel-wk2~~	~~🛠 jsc-armv7~~
	~~🛠 tv~~	~~🛠 mac-safer-cpp~~	~~🧪 jsc-armv7-tests~~
	~~🛠 tv-sim~~
	~~🛠 watch~~
	~~🛠 watch-sim~~

webkit-early-warning-system · 2026-02-27T20:00:59Z

EWS run on previous version of this PR (hash dd37085)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win	✅ 🛠 ios-apple
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	✅ 🧪 win-tests	✅ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		✅ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	~~🧪 mac-wk1~~	✅ 🛠 gtk
✅ 🛠 🧪 jsc-debug-arm64	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
~~🛠 🧪 merge~~	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	~~🛠 playstation~~
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	✅ 🛠 jsc-armv7
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	❌ 🧪 jsc-armv7-tests
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-03-02T18:01:22Z

EWS run on current version of this PR (hash b1f4c50)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	✅ 🛠 ios-apple
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	~~🧪 win-tests~~	✅ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		✅ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	~~🧪 mac-wk1~~	✅ 🛠 gtk
✅ 🛠 🧪 jsc-debug-arm64	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
✅ 🛠 🧪 merge	~~🛠 vision-sim~~	✅ 🧪 mac-wk2-stress	~~🛠 playstation~~
	~~🧪 vision-wk2~~	✅ 🧪 mac-intel-wk2	✅ 🛠 jsc-armv7
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	✅ 🧪 jsc-armv7-tests
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

https://bugs.webkit.org/show_bug.cgi?id=308836 rdar://171058069 Reviewed by Marcus Plutowski. When the RegExp replace operator is called, if the output string overflows the maximum legal length of a javascript string it is supposed to throw an out-of-memory error, rather than triggering a controlled crash. Test: JSTests/stress/string-regexp-replace-oom.js * JSTests/stress/string-regexp-replace-oom.js: Added. (Object.__proto__.__proto__.Symbol.replace): (catch): * Source/JavaScriptCore/runtime/RegExpPrototype.cpp: (JSC::getSubstitution): Canonical link: https://commits.webkit.org/308478@main

webkit-commit-queue · 2026-03-02T20:08:56Z

Committed 308478@main (e3c1c12): https://commits.webkit.org/308478@main

Reviewed commits have been landed. Closing PR #59595 and removing active labels.

asworkjsc requested a review from a team as a code owner February 27, 2026 19:42

asworkjsc self-assigned this Feb 27, 2026

asworkjsc added the New Bugs Unclassified bugs are placed in this component until the correct component can be determined. label Feb 27, 2026

asworkjsc force-pushed the rdar-171058069 branch from 5335073 to dd37085 Compare February 27, 2026 20:00

Achierius approved these changes Feb 27, 2026

View reviewed changes

hyjorc1 added merge-queue Applied to send a pull request to merge-queue and removed merge-queue Applied to send a pull request to merge-queue labels Mar 2, 2026

ast-hugger added merge-queue Applied to send a pull request to merge-queue and removed merge-queue Applied to send a pull request to merge-queue labels Mar 2, 2026

asworkjsc force-pushed the rdar-171058069 branch from dd37085 to b1f4c50 Compare March 2, 2026 18:01

asworkjsc added JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. and removed New Bugs Unclassified bugs are placed in this component until the correct component can be determined. labels Mar 2, 2026

ast-hugger added the merge-queue Applied to send a pull request to merge-queue label Mar 2, 2026

webkit-commit-queue force-pushed the rdar-171058069 branch from b1f4c50 to e3c1c12 Compare March 2, 2026 20:08

webkit-commit-queue merged commit e3c1c12 into WebKit:main Mar 2, 2026

webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Mar 2, 2026

asworkjsc deleted the rdar-171058069 branch March 2, 2026 20:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Gracefully handle StringBuffer overflow in RegExp replace operator#59595

Gracefully handle StringBuffer overflow in RegExp replace operator#59595
webkit-commit-queue merged 1 commit intoWebKit:mainfrom
asworkjsc:rdar-171058069

asworkjsc commented Feb 27, 2026 •

edited by webkit-early-warning-system

Loading

Uh oh!

webkit-early-warning-system commented Feb 27, 2026 •

edited

Loading

Uh oh!

webkit-early-warning-system commented Feb 27, 2026 •

edited

Loading

Uh oh!

webkit-early-warning-system commented Mar 2, 2026 •

edited

Loading

Uh oh!

webkit-commit-queue commented Mar 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

asworkjsc commented Feb 27, 2026 • edited by webkit-early-warning-system Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

e3c1c12

Uh oh!

webkit-early-warning-system commented Feb 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Feb 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Mar 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-commit-queue commented Mar 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

asworkjsc commented Feb 27, 2026 •

edited by webkit-early-warning-system

Loading

`e3c1c12`

webkit-early-warning-system commented Feb 27, 2026 •

edited

Loading

webkit-early-warning-system commented Feb 27, 2026 •

edited

Loading

webkit-early-warning-system commented Mar 2, 2026 •

edited

Loading