273426 2024-04-29 12:44:09 -0700 [JSC] ASSERTION FAILED: pos >= negativePositionOffest in char32_t JSC::Yarr::Interpreter<unsigned char>::InputStream::readChecked(unsigned int) 2024-04-30 22:27:47 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 msaboff msaboff webkit-bug-importer oldest_to_newest 2031967 0 msaboff 2024-04-29 12:44:09 -0700 The following regex causes a crash: /(?<!(ab*?))c/i. DYLD_FRAMEWORK_PATH=./ ./jsC ~/Development/LASER/bugshelf/main-687cffbf9f06590db52690f62dd4b64ac43de4f42bb1b29a34de9d2948683497.js ASSERTION FAILED: pos >= negativePositionOffest ./yarr/YarrInterpreter.cpp(279) : char32_t JSC::Yarr::Interpreter<unsigned char>::InputStream::readChecked(unsigned int) [CharType = unsigned char] 1 0x11c8b0778 WTFCrash 2 0x11eef82a8 WTFCrashWithInfo(int, char const*, char const*, int) 3 0x124b9916c JSC::Yarr::Interpreter<unsigned char>::InputStream::readChecked(unsigned int) 4 0x124b8c8d0 JSC::Yarr::Interpreter<unsigned char>::checkCasedCharacter(JSC::Yarr::ByteTerm&, unsigned int) 5 0x124b84fec JSC::Yarr::Interpreter<unsigned char>::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter<unsigned char>::DisjunctionContext*, bool) 6 0x124b4c70c JSC::Yarr::Interpreter<unsigned char>::interpret() 7 0x124b4231c JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, WTF::StringView, unsigned int, unsigned int*) 8 0x1215d79f4 int JSC::RegExp::matchInline<WTF::Vector<int, 32ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, (JSC::Yarr::MatchFrom)0>(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, unsigned int, WTF::Vector<int, 32ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) 9 0x12152b25c JSC::createRegExpMatchesArray(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*, WTF::String const&, JSC::RegExp*, unsigned int, JSC::MatchResult&) 10 0x121528bc8 JSC::RegExpObject::execInline(JSC::JSGlobalObject*, JSC::JSString*) 11 0x123985884 JSC::RegExpObject::exec(JSC::JSGlobalObject*, JSC::JSString*) The problem is that the function backtrackPatternCasedCharacter() doesn't have the string position checks that backtrackPatternCharacter() has. 2031968 1 msaboff 2024-04-29 12:44:43 -0700 <rdar://127013077> 2032344 2 msaboff 2024-04-30 14:05:58 -0700 Pull request: https://github.com/WebKit/WebKit/pull/27951 2032423 3 ews-feeder 2024-04-30 22:27:46 -0700 Committed 278204@main (a330a52f59a8): <https://commits.webkit.org/278204@main> Reviewed commits have been landed. Closing PR #27951 and removing active labels.