275528 2024-06-15 07:00:22 -0700 SEGV YarrJIT.h:350:28 2024-07-01 19:14:38 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 katoshi1337 msaboff bfulgham msaboff webkit-bug-importer oldest_to_newest 2041519 0 katoshi1337 2024-06-15 07:00:22 -0700 Step: ./jsc ./poc.js ASAN: ==40829==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x562a749076de (pc 0x7fbad4c28159 bp 0x7ffc6f134250 sp 0x7ffc6f1341b8 T40829) ==40829==The signal is caused by a READ memory access. #0 0x7fbad4c28159 (<unknown module>) #1 0x562875470c61 in JSC::Yarr::YarrCodeBlock::execute(std::span<char16_t const, 18446744073709551615ul>, unsigned int, int*, JSC::Yarr::MatchingContextHolder*) /home/fuzzer/webkit_fuzzing/WebKit-main/Source/JavaScriptCore/yarr/YarrJIT.h:350:28 #2 0x562875470c61 in int JSC::RegExp::matchInline<WTF::Vector<int, 32ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, (JSC::Yarr::MatchFrom)0>(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, unsigned int, WTF::Vector<int, 32ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) /home/fuzzer/webkit_fuzzing/WebKit-main/Source/JavaScriptCore/runtime/RegExpInlines.h:144:43 UndefinedBehaviorSanitizer can not provide additional info. SUMMARY: UndefinedBehaviorSanitizer: SEGV (<unknown module>) 2041520 1 webkit-bug-importer 2024-06-15 07:00:33 -0700 <rdar://problem/129910892> 2041521 2 katoshi1337 2024-06-15 07:02:49 -0700 poc.js: ``` /[a]/iu.test("₠a"); const v4 = /[a]/iu; v4.test("₠A"); /[A]/iu.test("₠a"); /[A]/iu.test("₠A"); const v13 = /[\u00e5]/i; v13.test("Å"); /[\u212b]/dyiu.test("Å"); /[\u212b]/i.test("å"); const v21 = ("Å").toLowerCase(); v21 == "å"; ("Å").toLowerCase(); v21 == "å"; ("Å").toUpperCase(); "Å" == "å"; const v32 = /\u00e5/iu; v32.test("Å"); /\u00e5/iu.test("Å"); /\u00e5/iu.test("å"); v4.test("Å"); /\u00c5/iu.test("Å"); /\u00c5/iu.test("Å"); /\u00c5/iu.test("å"); /\u212b/iu.test("Å"); v4.test("Å"); /\u{10400}/i.test("𐐨"); /\ud801\udc00/iu.test("𐐨"); v13.test("𐐀"); /[\ud801\udc28]/iu.test("𐐀"); ["Ａ𐐀"]; v32.test("ἅι"); /(.)\1\1/iu.exec("Ａ𐐀abc"); /(.)\1/iu.exec("𑢪𑣊"); /^\u017F/iu.exec(); /^\u017F/iu; gc(); print(1111) ``` 2043286 3 msaboff 2024-06-26 15:03:03 -0700 Pull request: https://github.com/apple/WebKit/pull/1343 2044053 4 msaboff 2024-07-01 14:28:16 -0700 *** Bug 276046 has been marked as a duplicate of this bug. *** 2044055 5 msaboff 2024-07-01 14:36:45 -0700 Pull request: https://github.com/WebKit/WebKit/pull/30360 2044116 6 ews-feeder 2024-07-01 19:14:37 -0700 Committed 280563@main (8802eec90fd4): <https://commits.webkit.org/280563@main> Reviewed commits have been landed. Closing PR #30360 and removing active labels. 471686 2024-06-15 07:00:22 -0700 2024-06-15 07:00:22 -0700 poc.js file_275528.txt text/plain 0 katoshi1337