[Webkit-unassigned] [Bug 256832] New: Assertion Failure: m_setOp == CharacterClassSetOp::Default || m_setOp == setOp in JavaScriptCore/yarr/YarrPattern.cpp
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue May 16 05:00:02 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=256832
Bug ID: 256832
Summary: Assertion Failure: m_setOp ==
CharacterClassSetOp::Default || m_setOp == setOp in
JavaScriptCore/yarr/YarrPattern.cpp
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ChristineWillice at gmail.com
==========test.js=========
RegExp(/[ac][--c]/, "v");
==========================
Run args in Debug Mode:
./jsc test.js
Assertion Failure: m_setOp == CharacterClassSetOp::Default || m_setOp == setOp in JavaScriptCore/yarr/YarrPattern.cpp
```YarrPatter.cpp
void combiningSetOp(CharacterClassSetOp setOp)
{
ASSERT(m_setOp == CharacterClassSetOp::Default || m_setOp == setOp); // m_setOp: Union, setOp: Subtraction -> Assertion Failure
m_setOp = setOp;
}
```
two [] represents two ClassSet in RegExp.
JSC use the same classSetConstructor for two ClassSet
The setOp of the first classSet is Union, the setOp of the second classSet is Subtraction
When set setOp of the second classset, JSC do not allow setOp is Union, but because classSetConstructor is the same, so current setop is Union, so assertion failure.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230516/86bd82bd/attachment-0001.htm>
More information about the webkit-unassigned
mailing list