RESOLVED FIXED 282200
ASAN_TRAP | Yarr::CharacterClassConstructor::unicodeOpSorted due to out of order Unicode Case Folding
https://bugs.webkit.org/show_bug.cgi?id=282200
Michael Saboff
Reported 2024-10-28 13:33:05 PDT
We get an ASAN Crash Log on main:

ASSERTION FAILED: ch >= chunkLo
./yarr/YarrPattern.cpp(807) : void JSC::Yarr::CharacterClassConstructor::unicodeOpSorted(const Vector<char32_t> &, const Vector<CharacterRange> &)
1 0x129209648 JSC::Yarr::CharacterClassConstructor::unicodeOpSorted(WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<JSC::Yarr::CharacterRange, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&)
2 0x129206de4 JSC::Yarr::CharacterClassConstructor::performSetOpWithMatches(WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<JSC::Yarr::CharacterRange, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<JSC::Yarr::CharacterRange, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&)
3 0x12922f330 JSC::Yarr::CharacterClassConstructor::atomClassStringDisjunction(WTF::Vector<WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
4 0x12922eae8 JSC::Yarr::YarrPatternConstructor::atomClassStringDisjunction(WTF::Vector<WTF::Vector<char32_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
5 0x12922e1cc JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ClassStringDisjunctionParserDelegate::end()
6 0x12922890c JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseClassStringDisjunction(bool&)
7 0x129225234 JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::TokenType JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseEscape<(JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ParseEscapeMode)2, JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ClassSetParserDelegate>(JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ClassSetParserDelegate&)
8 0x12920027c JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseClassSetEscape(JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::ClassSetParserDelegate&)
9 0x1291e6bec JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseClassSet()
10 0x1291e1b6c JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseTokens()
11 0x1291dec24 JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parse()
12 0x12905b3f0 JSC::Yarr::ErrorCode JSC::Yarr::parse<JSC::Yarr::YarrPatternConstructor>(JSC::Yarr::YarrPatternConstructor&, WTF::StringView, JSC::Yarr::CompileMode, unsigned int, bool)
...

This happens with the two test cases added in https://bugs.webkit.org/show_bug.cgi?id=279780.
Michael Saboff
Comment 1 2024-10-28 13:33:29 PDT
Michael Saboff
Comment 2 2024-10-28 13:45:17 PDT
Michael Saboff
Comment 3 2024-10-28 16:13:25 PDT
EWS
Comment 4 2024-10-28 23:01:12 PDT
Committed 285819@main (548b60525e35): <https://commits.webkit.org/285819@main> Reviewed commits have been landed. Closing PR #35831 and removing active labels.