From 1eb8f7ea3059a338205c302cea0f5a3057f93049 Mon Sep 17 00:00:00 2001
From: Facebook Community Bot <facebook-github-bot@users.noreply.github.com>
Date: Mon, 28 Nov 2022 12:03:03 -0600
Subject: [PATCH] Re-sync with internal repository (#856)

Co-authored-by: Facebook Community Bot <6422482+facebook-github-bot@users.noreply.github.com>
---
 lib/VM/JSObject.cpp                        | 12 ++----------
 lib/VM/JSRegExp.cpp                        |  2 ++
 test/hermes/regress-named-capture-group.js | 22 ++++++++++++++++++++++
 3 files changed, 26 insertions(+), 10 deletions(-)
 create mode 100644 test/hermes/regress-named-capture-group.js

diff --git a/lib/VM/JSObject.cpp b/lib/VM/JSObject.cpp
index 33b00243e19..e494ac64a6b 100644
--- a/lib/VM/JSObject.cpp
+++ b/lib/VM/JSObject.cpp
@@ -118,16 +118,8 @@ PseudoHandle<JSObject> JSObject::create(
     Runtime &runtime,
     Handle<JSObject> parentHandle,
     Handle<HiddenClass> clazz) {
-  auto *cell = runtime.makeAFixed<JSObject>(
-      runtime, parentHandle, clazz, GCPointerBase::NoBarriers());
-  auto obj = JSObjectInit::initToPseudoHandle(runtime, cell);
-
-  obj->clazz_.setNonNull(runtime, *clazz, runtime.getHeap());
-  // If the hidden class has index like property, we need to clear the fast path
-  // flag.
-  if (LLVM_UNLIKELY(
-          obj->clazz_.getNonNull(runtime)->getHasIndexLikeProperties()))
-    obj->flags_.fastIndexProperties = false;
+  PseudoHandle<JSObject> obj = JSObject::create(runtime, clazz);
+  obj->parent_.set(runtime, parentHandle.get(), runtime.getHeap());
   return obj;
 }
 
diff --git a/lib/VM/JSRegExp.cpp b/lib/VM/JSRegExp.cpp
index 24c2649f447..5b63dd01cf4 100644
--- a/lib/VM/JSRegExp.cpp
+++ b/lib/VM/JSRegExp.cpp
@@ -176,6 +176,7 @@ ExecutionStatus JSRegExp::initializeGroupNameMappingObj(
     Handle<JSRegExp> selfHandle,
     std::deque<llvh::SmallVector<char16_t, 5>> &orderedNamedGroups,
     regex::ParsedGroupNamesMapping &parsedMappings) {
+  GCScope gcScope(runtime);
   if (parsedMappings.size() == 0)
     return ExecutionStatus::RETURNED;
 
@@ -184,6 +185,7 @@ ExecutionStatus JSRegExp::initializeGroupNameMappingObj(
 
   MutableHandle<HermesValue> numberHandle{runtime};
   for (const auto &identifier : orderedNamedGroups) {
+    GCScopeMarkerRAII marker{gcScope};
     auto symbolRes =
         runtime.getIdentifierTable().getSymbolHandle(runtime, identifier);
     if (LLVM_UNLIKELY(symbolRes == ExecutionStatus::EXCEPTION)) {
diff --git a/test/hermes/regress-named-capture-group.js b/test/hermes/regress-named-capture-group.js
new file mode 100644
index 00000000000..b2c48d0c6d3
--- /dev/null
+++ b/test/hermes/regress-named-capture-group.js
@@ -0,0 +1,22 @@
+/**
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+// RUN: %hermes -O %s
+
+// Check Regex doesn't crash due to an underlying unitialized propStorage_.
+// There was a bug that the hidden class of the named capture group mapping
+// object would not have a properly initialized propStorage_.
+// Thus, once the number of named groups exceeded the number of direct
+// property slots, it crashed when trying to assign properties to
+// the uninitialized propStorage_.
+
+var s = '';
+for (let i = 0; i < 1000; i++) {
+  s += `(?<foo${i}>a)`;
+}
+var re = new RegExp(s);
+print(re.exec(""))