Thanks for filing the issue!

Able to reproduce the issue on reported chrome version 70.0.3528.4 and on the latest 70.0.3530.0 using Windows 10, Ubuntu 17.10 and Mac 10.13.1.

Bisect Information:
--------------------
Good Build: 70.0.3502.0
Bad Build:  70.0.3503.0

You are probably looking for a change made after 578126 (known good), but no later than 578127 (first known bad).
CHANGELOG URL
https://chromium.googlesource.com/v8/v8/+log/4c27ac5c..ee658ba8
Suspecting: https://chromium.googlesource.com/v8/v8/+/da9386ae2d0416ac883cd1ce343a0ca3eac43519
Review URL: https://chromium-review.googlesource.com/1148281

@Toon Verwaest: Please help in assigning it to right owner if this is not related to your change.
Note: Couldn't assign to Rodrigo Bruno, hence assigning it to one of the reviewers. Adding RB-Stable as this seems to be a recent regression, please remove if not required.

Friendly ping to get an update on this issue as it is marked RBS.
Thanks..!

Any updates on this issue? We're getting worried, since it breaks business logic

Friendly ping! Could you please provide any update on this issue as it has been marked as a stable blocker.

Thank You!

Gentle ping! Could you please provide any update on this issue as it has been marked as a stable blocker.

Thank You!

ulan, ptal

[bulk edit] - This issue is marked as a stable blocker for M70. We are two weeks away from M70 Stable. Please take a look urgently!

I think Rodrigo's CL is uncovering an existing bug.

The problem is one-byte/two-byte string confusion. In the posted repro case, we have two strings: url and urlPath.

Initial state:
url: two-byte-thin-string => two-byte-internalized-string
urlPath: two-byte-sliced-string => url

The XMLHttpRequest externalizes the url and turns the *two byte* internalizes string into a *one byte* external internalized string because it checks that all characters in the string are one byte [1].
So we have url: two-byte-thin-string => one-byte-external-internalized-string

The urlPath.match(/.*/) now thinks that the result is a two-byte string but uses the one byte backing store, so the result length is divided by 2.

[1]: https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/bindings/string_resource.cc?rcl=d41120d33ba8b51814a8305238bd903f42ee5b73&l=109


A quick fix would be to replace  v8_string->ContainsOnlyOneByte() with v8_string->IsOneByte().

But there seems to be a fundamental issue with one-byte/two-byte confusion for thin, cons, sliced strings. 

Yang and I found a bug in String::Is{One,Two}ByteRepresentationUnderneath that did not account for thin strings and did only one level of indirection.

The fix is in flight: https://chromium-review.googlesource.com/c/v8/v8/+/1256771

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/530121037919721dd59577b9ddc848149def7eae

commit 530121037919721dd59577b9ddc848149def7eae
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Tue Oct 02 14:46:04 2018

Fix String::Is{One,Two}ByteRepresentationUnderneath for thin strings.

Bug:  chromium:876759 
Change-Id: I9ea3c84b477e03f96cbef79a4a0b546a53a674ce
Reviewed-on: https://chromium-review.googlesource.com/1256771
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56339}
[modify] https://crrev.com/530121037919721dd59577b9ddc848149def7eae/src/objects/string-inl.h
[modify] https://crrev.com/530121037919721dd59577b9ddc848149def7eae/test/cctest/test-strings.cc

This bug requires manual review: We are only 13 days from stable.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Let's wait on canary data...

The NextAction date has arrived: 2018-10-03

How does it look in canary?

No regex related crashes in

https://crash.corp.google.com/browse?q=product_name%3D%27Chrome%27+AND+product.version%3D%2771.0.3571.0%27+AND+expanded_custom_data.ChromeCrashProto.channel%3D%27canary%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27renderer%27#-productname:1000,actionablemagicsignature:130,magicsignature:50,-magicsignature2:50,-stablesignature:50,magicsignaturesorted:50

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b6b1d5874d480be6b2969c65dfc947c41ee8bdac

commit b6b1d5874d480be6b2969c65dfc947c41ee8bdac
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Mon Oct 08 13:46:01 2018

Merged: Fix String::Is{One,Two}ByteRepresentationUnderneath for thin strings.

Revision: 530121037919721dd59577b9ddc848149def7eae

BUG= chromium:876759 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=mlippautz@chromium.org

Change-Id: I45ecb6d7343e708f0e80c385546768a11be24170
Reviewed-on: https://chromium-review.googlesource.com/c/1268019
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.0@{#53}
Cr-Branched-From: 6e2adae6f7f8e891cfd01f3280482b20590427a6-refs/heads/7.0.276@{#1}
Cr-Branched-From: bc08a8624cbbea7a2d30071472bc73ad9544eadf-refs/heads/master@{#55424}
[modify] https://crrev.com/b6b1d5874d480be6b2969c65dfc947c41ee8bdac/src/objects/string-inl.h
[modify] https://crrev.com/b6b1d5874d480be6b2969c65dfc947c41ee8bdac/test/cctest/test-strings.cc

Closing this out now as it's merged to 70.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot