RESOLVED FIXED 275528
SEGV YarrJIT.h:350:28
https://bugs.webkit.org/show_bug.cgi?id=275528
Summary SEGV YarrJIT.h:350:28
katoshi1337
Reported 2024-06-15 07:00:22 PDT
Step: ./jsc ./poc.js

ASAN:
```
==40829==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x562a749076de (pc 0x7fbad4c28159 bp 0x7ffc6f134250 sp 0x7ffc6f1341b8 T40829)
==40829==The signal is caused by a READ memory access.
    #0 0x7fbad4c28159 (<unknown module>)
    #1 0x562875470c61 in JSC::Yarr::YarrCodeBlock::execute(std::span<char16_t const, 18446744073709551615ul>, unsigned int, int*, JSC::Yarr::MatchingContextHolder*) /home/fuzzer/webkit_fuzzing/WebKit-main/Source/JavaScriptCore/yarr/YarrJIT.h:350:28
    #2 0x562875470c61 in int JSC::RegExp::matchInline<WTF::Vector<int, 32ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, (JSC::Yarr::MatchFrom)0>(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, unsigned int, WTF::Vector<int, 32ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) /home/fuzzer/webkit_fuzzing/WebKit-main/Source/JavaScriptCore/runtime/RegExpInlines.h:144:43

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (<unknown module>)
```
Attachments
poc.js (deleted)
2024-06-15 07:00 PDT, katoshi1337
no flags
Radar WebKit Bug Importer
Comment 1 2024-06-15 07:00:33 PDT
katoshi1337
Comment 2 2024-06-15 07:02:49 PDT
poc.js:
```js
/[a]/iu.test("₠a");
const v4 = /[a]/iu;
v4.test("₠A");
/[A]/iu.test("₠a");
/[A]/iu.test("₠A");
const v13 = /[\u00e5]/i;
v13.test("Å");
/[\u212b]/dyiu.test("Å");
/[\u212b]/i.test("å");
const v21 = ("Å").toLowerCase();
v21 == "å";
("Å").toLowerCase();
v21 == "å";
("Å").toUpperCase();
"Å" == "å";
const v32 = /\u00e5/iu;
v32.test("Å");
/\u00e5/iu.test("Å");
/\u00e5/iu.test("å");
v4.test("Å");
/\u00c5/iu.test("Å");
/\u00c5/iu.test("Å");
/\u00c5/iu.test("å");
/\u212b/iu.test("Å");
v4.test("Å");
/\u{10400}/i.test("𐐨");
/\ud801\udc00/iu.test("𐐨");
v13.test("𐐀");
/[\ud801\udc28]/iu.test("𐐀");
["A𐐀"];
v32.test("ἅι");
/(.)\1\1/iu.exec("A𐐀abc");
/(.)\1/iu.exec("𑢪𑣊");
/^\u017F/iu.exec();
/^\u017F/iu;
gc();
print(1111)
```
Michael Saboff
Comment 3 2024-06-26 15:03:03 PDT
Michael Saboff
Comment 4 2024-07-01 14:28:16 PDT
*** Bug 276046 has been marked as a duplicate of this bug. ***
Michael Saboff
Comment 5 2024-07-01 14:36:45 PDT
EWS
Comment 6 2024-07-01 19:14:37 PDT
Committed 280563@main (8802eec90fd4): <https://commits.webkit.org/280563@main> Reviewed commits have been landed. Closing PR #30360 and removing active labels.