The crashing RegExp is: /([-!#$%&'*+\/=?^`{|}~]|\w)(([-!#$%&'*+\/=?^`{|}~]|\w)|(\.([-!#$%&'*+\/=?^`{|}~]|\w)))*@\w(\w|([-.]\w))*\.\w{2,4}/.exec(”https://mail.yahoo.com/); A reduced test case is: /(?:(?: |a)|\.a)* a*/.exec("/a.aaa”); The issue is that we are trying to backtrack in a nested alternative after the containing saved parenthesis context has been released. The backtracking of normal alternatives is done by jumping to an address stored on the stack. At this point my guess is that we are doing extra backtracking.
<rdar://problem/35986606>
Created attachment 329393 [details] Patch
Comment on attachment 329393 [details] Patch r=me
Comment on attachment 329393 [details] Patch Clearing flags on attachment: 329393 Committed r225930: <https://trac.webkit.org/changeset/225930>
All reviewed patches have been landed. Closing bug.