Panic using regex split on a unicode string #212

Open
mstoykov opened this issue Oct 8, 2020 · 2 comments

Comments

@mstoykov
Contributor

mstoykov commented Oct 8, 2020

"000\xfd00000000000000".split(/((?:0*)+?(?:.*)+?)?/g)
Panics with:

panic: runtime error: slice bounds out of range [19:2] [recovered]
        panic: runtime error: slice bounds out of range [19:2] [recovered]
        panic: runtime error: slice bounds out of range [19:2] [recovered]
        panic: runtime error: slice bounds out of range [19:2]

goroutine 1 [running]:
github.com/mstoykov/goja-regexp2-fuzzing.Fuzz.func1.1.1(0xc00001c880, 0x35)
        github.com/mstoykov/goja-regexp2-fuzzing/regexp.go:33 +0x207
panic(0x77fb00, 0xc0000152a0)
        runtime/panic.go:969 +0x166
github.com/dop251/goja.(*Runtime).RunProgram.func1(0xc0001cdd18)
        github.com/dop251/goja/runtime.go:1185 +0x98
panic(0x77fb00, 0xc0000152a0)
        runtime/panic.go:969 +0x166
github.com/dop251/goja.(*vm).try.func1(0xc000180000, 0x0, 0xc0001cdbd8, 0x0, 0x0, 0x0, 0xc0001cdc60)
        github.com/dop251/goja/vm.go:407 +0x647
panic(0x77fb00, 0xc0000152a0)
        runtime/panic.go:969 +0x166
github.com/dop251/goja.unicodeString.substring(0xc000016600, 0x13, 0x13, 0x12, 0x1, 0xc0001beb60, 0x829380)
        github.com/dop251/goja/string_unicode.go:407 +0x225
github.com/dop251/goja.(*Runtime).regexpproto_stdSplitter(0xc000010580, 0x828fc0, 0xc0001c2ff0, 0xc0001beac0, 0x2, 0x2, 0x828f01, 0xc0001beac0)
        github.com/dop251/goja/builtin_regexp.go:906 +0xc3f
github.com/dop251/goja.(*Runtime).stringproto_split(0xc000010580, 0x829380, 0xc0001be9c0, 0xc0000fb760, 0x1, 0x4, 0x412951, 0x120)
        github.com/dop251/goja/builtin_string.go:725 +0x6ca
github.com/dop251/goja.(*vm)._nativeCall(0xc000180000, 0xc00018e840, 0x1)
        github.com/dop251/goja/vm.go:1818 +0x2d7
github.com/dop251/goja.call.exec(0xc000000001, 0xc000180000)
        github.com/dop251/goja/vm.go:1790 +0xb8f
github.com/dop251/goja.(*vm).run(0xc000180000)
        github.com/dop251/goja/vm.go:307 +0x9d
github.com/dop251/goja.(*vm).try(0xc000180000, 0xc0001cdc68, 0x0)
        github.com/dop251/goja/vm.go:413 +0x163
github.com/dop251/goja.(*vm).runTry(0xc000180000, 0x0)
        github.com/dop251/goja/vm.go:418 +0x4e
github.com/dop251/goja.(*Runtime).RunProgram(0xc000010580, 0xc0000fb680, 0x0, 0x0, 0x0, 0x0)
        github.com/dop251/goja/runtime.go:1196 +0x20b
github.com/dop251/goja.(*Runtime).RunScript(0xc000010580, 0x0, 0x0, 0xc00001c880, 0x35, 0xc00001c880, 0x35, 0x820380, 0xc0001be980)
        github.com/dop251/goja/runtime.go:1175 +0x9d
github.com/dop251/goja.(*Runtime).RunString(...)
        github.com/dop251/goja/runtime.go:1164

This is with the latest versions of both goja and regexp2, but it happens with the previous versions as well. It does not happen with an ASCII string.

"000\xfd00000000000000".split(/((?:0*)+?(?:0*)+?)?/g) panics with panic: runtime error: slice bounds out of range [4:2].
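Added example (not goja's code and not the reporter's): a JavaScript rendering of the ECMAScript RegExp split loop that goja's regexpproto_stdSplitter implements, with the regex engine passed in as a parameter so the bounds it reports can be checked before any substring is taken. The names nativeExec, specSplit and brokenExec are assumed here; the two inputs are the reproductions from this issue.

```javascript
// Engine adapter: run `re` anchored at `pos` (sticky) and report the bounds the
// engine claims for the match. This is the shape of what an embedder such as
// goja gets back from its regex library before it slices the source string.
function nativeExec(re, s, pos) {
  re.lastIndex = pos;
  const z = re.exec(s);
  if (z === null) return null;
  return { start: z.index, end: re.lastIndex, captures: z.slice(1) };
}

// ECMAScript RegExp.prototype[@@split] loop with the matcher as a parameter.
// Bounds reported by the engine are validated before any substring call, so a
// bad report surfaces as a RangeError instead of an out-of-range slice.
// Assumes no 'u' flag: the index advances by one UTF-16 code unit.
function specSplit(S, regexp, exec = nativeExec) {
  const flags = regexp.flags.includes('y') ? regexp.flags : regexp.flags + 'y';
  const splitter = new RegExp(regexp.source, flags);
  const size = S.length;
  const A = [];
  if (size === 0) return exec(splitter, S, 0) === null ? [S] : [];
  let p = 0; // start of the piece not yet emitted
  let q = 0; // position at which the next match is attempted
  while (q < size) {
    const m = exec(splitter, S, q);
    if (m === null) { q += 1; continue; }
    const e = Math.min(m.end, size);
    if (!Number.isInteger(m.start) || !Number.isInteger(e) || m.start !== q || e < q) {
      throw new RangeError(`engine reported match [${m.start}:${m.end}] at ${q}, length ${size}`);
    }
    if (e === p) { q += 1; continue; } // empty match at p: step past it
    A.push(S.substring(p, q), ...m.captures);
    p = e;
    q = p;
  }
  A.push(S.substring(p, size));
  return A;
}

// Constructed faulty engine: it always claims the match ends at offset 2, so
// once the scan has moved past offset 2 it reports end-before-start bounds,
// the same kind of inconsistency as the "[19:2]" slice in the panic above.
function brokenExec(re, s, pos) {
  return { start: pos, end: 2, captures: [] };
}

// The two reproductions from the issue, evaluated with spec semantics.
const S = "000\xfd00000000000000";
console.log(specSplit(S, /((?:0*)+?(?:.*)+?)?/g)); // same as S.split(...)
console.log(specSplit(S, /((?:0*)+?(?:0*)+?)?/g));
```

Running specSplit against the native split on fuzzer inputs gives a differential oracle for the embedded engine, and the RangeError path is what an embedder should hit instead of a host-process panic.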

@mstoykov
Contributor Author

mstoykov commented Oct 8, 2020

Maybe connected (although with ASCII strings, so 🤷‍♂️): we had this panic but we can't reproduce it or find out what made it and, unfortunately, the stack trace is ... cut :(. This was with beb0a9a and we have some doubts it was due to the latest cache changes then, but my investigation didn't help and this is the primary reason for me ... fuzzing regexes in goja :D

panic: runtime error: slice bounds out of range [:6] with length 2 [recovered]
	panic: runtime error: slice bounds out of range [:6] with length 2 [recovered]
	panic: runtime error: slice bounds out of range [:6] with length 2 [recovered]
	panic: runtime error: slice bounds out of range [:6] with length 2

goroutine 54 [running]:
github.com/dop251/goja.AssertFunction.func1.1(0xc008bcbaf8)
	/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/runtime.go:1967 +0x98
panic(0xed0360, 0xc01f71b420)
	/usr/local/go/src/runtime/panic.go:969 +0x166
github.com/dop251/goja.(*vm).try.func1(0xc00142bdc0, 0x0, 0xc008bcb9b8, 0x0, 0x0, 0x0, 0xc008bcba40)
	/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/vm.go:407 +0x647
panic(0xed0360, 0xc01f71b420)
	/usr/local/go/src/runtime/panic.go:969 +0x166
github.com/dop251/goja.(*vm).try.func1(0xc00142bdc0, 0x4, 0xc008bcb618, 0x16, 0x0, 0x0, 0xc008bcb6a0)
	/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/vm.go:407 +0x647
panic(0xed0360, 0xc01f71b420)
	/usr/local/go/src/runtime/panic.go:969 +0x166
github.com/dop251/goja.asciiString.substring(...)
	/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/string_ascii.go:268
github.com/dop251/goja.(*regexpObject).execResultToArray(0xc00b041200, 0x11d0500, 0xc00d372130, 0xc01f71b400, 0x4, 0x4, 0x4, 0xc00d372130)
	/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/regexp.go:485 +0x139
github.com/dop251/goja.(*regexpObject).exec(0xc00b041200, 0x11d0500, 0xc00d372130, 0x0, 0x0)
	/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/regexp.go:538 +0x8a
github.com/dop251/goja.(*Runtime).regexpproto_exec(0xc001600dc0, 0x11cc9e0, 0xc02408fec0, 0xc00fb89f20, 0x1, 0x44, 0x412deb, 0x1)
	/home/alpine/go/src/github.com/loadimpact/k6/vendor/github.com/dop251/goja/builtin_regexp.go:389 +0xe9

@dop251
Owner

dop251 commented Oct 12, 2020

Raised dlclark/regexp2#34. I think it's very likely that the second panic has the same cause.
