Two RegExp bugs in Internet Explorer 8
['b', undefined, 'b', undefined]
['b', 'b', 'b', '']
'' is the known bug: capturing groups that don't participate in a successful match are set to '' instead of undefined. Slightly annoying, but not too bad.
'b' at index 1 is just wrong: The first capturing group was entered, but that branch failed (because the target string didn't start with an 'a'). At this point all captures from this branch should have been reset to their previous state (in this case '' for IE). That didn't happen.
End result: we get a successful match, but the captured strings may have completely bogus values.
I think this is pretty funny because I once wrote a toy "regex engine" when I didn't really know anything about bytecode or automata or anything. It used "brute force" backtracking based on recursive function calls (no explicit stack). Well, it had that exact bug ... until I noticed and fixed it a few months later. In other words, this is a beginner's mistake in state management/backtracking.
I'm pretty sure Microsoft does some testing before it releases software. Didn't anyone notice this?
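The capture-reset rule described above, as an added example that is not code from the original post or from any browser engine: a small recursive backtracking matcher whose `restore` flag switches the undo step on and off. The pattern is a constructed one, equivalent to /(?:(.)a|(b))/, because the regex the post tested is not shown on this page; all function and field names are hypothetical.

```javascript
// Added illustration: a tiny recursive backtracking matcher (hypothetical names).
// `restore` toggles whether a capture is undone when the rest of the match fails.
function match(node, s, i, caps, k, restore) {
  switch (node.t) {
    case 'chr': // literal character, or any character when node.c is null
      return i < s.length && (node.c === null || s[i] === node.c) ? k(i + 1) : false;
    case 'seq': { // match items left to right, then continue with k
      const step = (n, pos) => n === node.items.length
        ? k(pos)
        : match(node.items[n], s, pos, caps, p => step(n + 1, p), restore);
      return step(0, i);
    }
    case 'alt': // try each branch in order; first overall success wins
      return node.items.some(b => match(b, s, i, caps, k, restore));
    case 'grp': { // capturing group number node.n
      const prev = caps[node.n];
      return match(node.body, s, i, caps, end => {
        caps[node.n] = s.slice(i, end);
        if (k(end)) return true;
        if (restore) caps[node.n] = prev; // backtracking: undo the capture
        return false;
      }, restore);
    }
    default:
      throw new Error('unknown node type: ' + node.t);
  }
}

// Try every start offset with a fresh capture array; return [match, g1, ...] or null.
function exec(ast, groups, s, restore) {
  for (let start = 0; start <= s.length; start++) {
    const caps = new Array(groups + 1).fill(undefined);
    let end = -1;
    if (match(ast, s, start, caps, e => { end = e; return true; }, restore)) {
      caps[0] = s.slice(start, end);
      return caps;
    }
  }
  return null;
}

// Constructed pattern, equivalent to /(?:(.)a|(b))/ (not the regex from the post).
const PATTERN = { t: 'alt', items: [
  { t: 'seq', items: [{ t: 'grp', n: 1, body: { t: 'chr', c: null } }, { t: 'chr', c: 'a' }] },
  { t: 'grp', n: 2, body: { t: 'chr', c: 'b' } },
] };

console.log(exec(PATTERN, 2, 'b', true));  // captures undone on backtrack
console.log(exec(PATTERN, 2, 'b', false)); // stale capture left behind in group 1
```

With `restore` off, group 1 keeps the 'b' it captured in the failed first branch even though the match succeeds through the second branch, which is the same class of stale-capture result the post reports.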