309375 – StringBuilder in regExpProtoFuncReplace uses CrashOnOverflow instead of RecordOverflow

RESOLVED FIXED309375

StringBuilder in regExpProtoFuncReplace uses CrashOnOverflow instead of RecordOverflow

https://bugs.webkit.org/show_bug.cgi?id=309375

Summary StringBuilder in regExpProtoFuncReplace uses CrashOnOverflow instead of Recor...

anand_srinivasan

Reported 2026-03-06 14:02:06 PST

rdar://171925413 This is a more general version of https://bugs.webkit.org/show_bug.cgi?id=308836 where the accumulatedResult StringBuilder in regExpProtoFuncReplace (runtime/RegExpPrototype.cpp:1049) still uses the default crash-on-overflow policy instead of throwing an out of memory error, which is the correct behavior.

Attachments
Add attachment proposed patch, testcase, etc.

anand_srinivasan

Comment 1 2026-03-06 14:11:52 PST

Pull request: https://github.com/WebKit/WebKit/pull/60088

EWS

Comment 2 2026-03-09 10:17:30 PDT

Committed 308921@main (c6d06eb881b7): <https://commits.webkit.org/308921@main> Reviewed commits have been landed. Closing PR #60088 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2026-03-06 14:02 PST

Modified

2026-03-09 10:17 PDT History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks