249812 – REGRESSION(258195@main) ASSERTION FAILED: subpattern in JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::clearSubpatternStart

Bug 249812 - REGRESSION(258195@main) ASSERTION FAILED: subpattern in JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::clearSubpatternStart

Summary: REGRESSION(258195@main) ASSERTION FAILED: subpattern in JSC::Yarr::YarrGenera...

Status:	RESOLVED DUPLICATE of bug 249855

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-12-22 14:15 PST by Fujii Hironori
Modified:	2022-12-23 16:05 PST (History)
CC List:	3 users (show)

See Also:

Attachments
test case (112 bytes, text/html) 2022-12-23 14:15 PST, Fujii Hironori	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fujii Hironori 2022-12-22 14:15:05 PST

ASSERTION FAILED: subpattern in JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::clearSubpatternStart

WinCairo 258195@main Debug MiniBrowser reports an assertion failure by loading the following web pages.

https://www.asahi.com/
https://www.yomiuri.co.jp/
https://www3.nhk.or.jp/news/
https://www.nikkei.com/

ASSERTION FAILED: subpattern
C:\home\webkit\gc\Source\JavaScriptCore\yarr/YarrJIT.cpp(771) : JSC::Yarr::YarrGenerator<struct JSC::Yarr::YarrJITDefaultRegisters>::clearSubpatternStart
1   00007FFB1355248B WTFCrash
2   00007FFAEB1F204E WTFCrashWithInfo
3   00007FFAECE3B39D JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::clearSubpatternStart
4   00007FFAECE458DA JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::generate
5   00007FFAECE3CB65 JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile
6   00007FFAECD8A86A JSC::Yarr::jitCompile
7   00007FFAECBB2984 JSC::RegExp::compile
8   00007FFAEBBB2A20 JSC::RegExp::compileIfNecessary
9   00007FFAECBCFA8C JSC::RegExp::matchInline<WTF::Vector<int,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>,0>
10  00007FFAECBB1A6C JSC::RegExp::match
11  00007FFAECC5F400 JSC::RegExpGlobalData::performMatch
12  00007FFAECC3F622 JSC::replaceUsingRegExpSearch
13  00007FFAECC4097A JSC::replaceUsingRegExpSearch
14  00007FFAECC61A33 JSC::replace
15  00007FFAECC2D894 operationStringProtoFuncReplaceGeneric
16  0000018600108DF7 (null)

Comment 1 Fujii Hironori 2022-12-22 23:25:49 PST

Regressed by 258195@main (bug#249330)

Comment 2 Fujii Hironori 2022-12-23 12:58:23 PST

I confirmed this is reproducible with Mac Debug MiniBrowser.

Comment 3 Radar WebKit Bug Importer 2022-12-23 13:28:44 PST

<rdar://problem/103674725>

Comment 4 Fujii Hironori 2022-12-23 14:15:15 PST

Created attachment 464185 [details]
test case

Comment 5 Mark Lam 2022-12-23 16:05:30 PST

Yusuke reverted the offending patch in 258310@main (b396fd875ee3): <https://commits.webkit.org/258310@main> (see https://bugs.webkit.org/show_bug.cgi?id=249855).

*** This bug has been marked as a duplicate of bug 249855 ***