Bug 282200
| Summary: | ASAN_TRAP \| Yarr::CharacterClassConstructor::unicodeOpSorted due to out of order Unicode Case Folding | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Michael Saboff <msaboff> |
| Component: | JavaScriptCore | Assignee: | Michael Saboff <msaboff> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Michael Saboff
We get an ASAN Crash Log on main:
```text
ASSERTION FAILED: ch >= chunkLo
./yarr/YarrPattern.cpp(807) : void JSC::Yarr::CharacterClassConstructor::unicodeOpSorted(const Vector<char32_t> &, const Vector<CharacterRange> &)
1 0x129209648 JSC::Yarr::CharacterClassConstructor::unicodeOpSorted(WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<JSC::Yarr::CharacterRange, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&)
2 0x129206de4 JSC::Yarr::CharacterClassConstructor::performSetOpWithMatches(WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<JSC::Yarr::CharacterRange, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<JSC::Yarr::CharacterRange, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&)
3 0x12922f330 JSC::Yarr::CharacterClassConstructor::atomClassStringDisjunction(WTF::Vector<WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
4 0x12922eae8 JSC::Yarr::YarrPatternConstructor::atomClassStringDisjunction(WTF::Vector<WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
5 0x12922e1cc JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ClassStringDisjunctionParserDelegate::end()
6 0x12922890c JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseClassStringDisjunction(bool&)
7 0x129225234 JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::TokenType JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseEscape<(JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ParseEscapeMode)2, JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ClassSetParserDelegate>(JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ClassSetParserDelegate&)
8 0x12920027c JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseClassSetEscape(JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ClassSetParserDelegate&)
9 0x1291e6bec JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseClassSet()
10 0x1291e1b6c JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseTokens()
11 0x1291dec24 JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parse()
12 0x12905b3f0 JSC::Yarr::ErrorCode JSC::Yarr::parse<JSC::Yarr::YarrPatternConstructor>(JSC::Yarr::YarrPatternConstructor&, WTF::StringView, JSC::Yarr::CompileMode, unsigned int, bool)
...
```
This happens with the two test cases added in https://bugs.webkit.org/show_bug.cgi?id=279780.
Michael Saboff
<rdar://138178588>
Michael Saboff
Pull request: https://github.com/apple/WebKit/pull/2118
Michael Saboff
Pull request: https://github.com/WebKit/WebKit/pull/35831
EWS
Committed 285819@main (548b60525e35): <https://commits.webkit.org/285819@main>
Reviewed commits have been landed. Closing PR #35831 and removing active labels.