Regex: VERIFICATION FAILED: id >= OpCodeId::First && id <= OpCodeId::Last

[warpdesign]

Summary

When opening https://leboncoin.fr in the latest build, the tab crashes with the attached call stack:

VERIFICATION FAILED: id >= OpCodeId::First && id <= OpCodeId::Last at /Users/nicolas/Documents/Dev/ladybird/Libraries/LibRegex/RegexByteCode.h:854

Operating system

macOS

Steps to reproduce

1. Open https://leboncoin.fr

Expected behavior

Page should be loaded with crashing.

Actual behavior

The page crashes.

URL for a reduced test case

https://leboncoin.fr

HTML/SVG/etc. source for a reduced test case

<html>
    <body>
        <script type="text/javascript">
            new RegExp('^(\d{4}|[+-]\d{6})(?:-?(\d{2})(?:-?(\d{2}))?)?(?:[ T]?(\d{2}):?(\d{2})(?::?(\d{2})(?:[,.](\d{1,}))?)?(?:(Z)|([+-])(\d{2})(?::?(\d{2}))?)?)?$')
        </script>
    </body>
</html>

Log output and (if possible) backtrace

VERIFICATION FAILED: id >= OpCodeId::First && id <= OpCodeId::Last at /Users/nicolas/Documents/Dev/ladybird/Libraries/LibRegex/RegexByteCode.h:854
0   liblagom-ak.0.0.0.dylib             0x000000010352a6d0 ak_trap + 56
1   liblagom-ak.0.0.0.dylib             0x000000010352a9e4 ak_assertion_failed + 0
2   liblagom-regex.0.0.0.dylib          0x00000001073a6194 regex::Regex<regex::ECMA262Parser>::attempt_rewrite_loops_as_atomic_groups(AK::Vector<regex::Detail::Block, 0ul> const&) + 2296
3   liblagom-regex.0.0.0.dylib          0x00000001073a50f0 regex::Regex<regex::ECMA262Parser>::run_optimization_passes() + 100
4   liblagom-regex.0.0.0.dylib          0x000000010739b600 regex::Regex<regex::ECMA262Parser>::Regex(regex::Parser::Result, AK::ByteString, regex::RegexOptions<regex::ECMAScriptFlags>) + 172
5   liblagom-js.0.0.0.dylib             0x00000001037c1250 JS::Bytecode::new_regexp(JS::VM&, JS::Bytecode::ParsedRegex const&, AK::ByteString const&, AK::ByteString const&) + 152
6   liblagom-js.0.0.0.dylib             0x00000001037a63fc JS::Bytecode::Interpreter::run_bytecode(unsigned long) + 32840
7   liblagom-js.0.0.0.dylib             0x000000010379e0dc JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) + 408
8   liblagom-js.0.0.0.dylib             0x000000010389b6a8 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() + 420
9   liblagom-js.0.0.0.dylib             0x000000010389adec JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) + 328
10  liblagom-js.0.0.0.dylib             0x00000001038af4a4 JS::FunctionPrototype::call(JS::VM&) + 272
11  liblagom-js.0.0.0.dylib             0x0000000103757970 AK::Function<JS::ThrowCompletionOr<void> (JS::Declaration const&)>::operator()(JS::Declaration const&) const + 80
12  liblagom-js.0.0.0.dylib             0x000000010391d3d8 JS::NativeFunction::internal_call(JS::Value, AK::Span<JS::Value const>) + 388
13  liblagom-js.0.0.0.dylib             0x00000001037a0628 JS::Bytecode::Interpreter::run_bytecode(unsigned long) + 8820
14  liblagom-js.0.0.0.dylib             0x000000010379e0dc JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) + 408
15  liblagom-js.0.0.0.dylib             0x000000010389b6a8 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() + 420
16  liblagom-js.0.0.0.dylib             0x000000010389adec JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) + 328
17  liblagom-js.0.0.0.dylib             0x00000001037a0628 JS::Bytecode::Interpreter::run_bytecode(unsigned long) + 8820
18  liblagom-js.0.0.0.dylib             0x000000010379e0dc JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) + 408
19  liblagom-js.0.0.0.dylib             0x000000010389b6a8 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() + 420
20  liblagom-js.0.0.0.dylib             0x000000010389adec JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) + 328
21  liblagom-js.0.0.0.dylib             0x00000001038af4a4 JS::FunctionPrototype::call(JS::VM&) + 272
22  liblagom-js.0.0.0.dylib             0x0000000103757970 AK::Function<JS::ThrowCompletionOr<void> (JS::Declaration const&)>::operator()(JS::Declaration const&) const + 80
23  liblagom-js.0.0.0.dylib             0x000000010391d3d8 JS::NativeFunction::internal_call(JS::Value, AK::Span<JS::Value const>) + 388
24  liblagom-js.0.0.0.dylib             0x00000001037a0628 JS::Bytecode::Interpreter::run_bytecode(unsigned long) + 8820
25  liblagom-js.0.0.0.dylib             0x000000010379e0dc JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) + 408
26  liblagom-js.0.0.0.dylib             0x000000010389b6a8 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() + 420
27  liblagom-js.0.0.0.dylib             0x000000010389adec JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) + 328
28  liblagom-js.0.0.0.dylib             0x00000001037a0628 JS::Bytecode::Interpreter::run_bytecode(unsigned long) + 8820
29  liblagom-js.0.0.0.dylib             0x000000010379e0dc JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) + 408
30  liblagom-js.0.0.0.dylib             0x000000010389b6a8 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() + 420
31  liblagom-js.0.0.0.dylib             0x000000010389adec JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) + 328
32  liblagom-js.0.0.0.dylib             0x00000001037a0628 JS::Bytecode::Interpreter::run_bytecode(unsigned long) + 8820
33  liblagom-js.0.0.0.dylib             0x000000010379e0dc JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) + 408
34  liblagom-js.0.0.0.dylib             0x000000010389b6a8 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() + 420
35  liblagom-js.0.0.0.dylib             0x000000010389adec JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) + 328
36  liblagom-web.0.0.0.dylib            0x0000000104ca6bfc AK::Function<JS::ThrowCompletionOr<JS::Value> (JS::JobCallback&, JS::Value, AK::Span<JS::Value const>)>::CallableWrapper<Web::Bindings::initialize_main_thread_vm(Web::HTML::EventLoop::Type)::$_3>::call(JS::JobCallback&, JS::Value, AK::Span<JS::Value const>) + 128
37  liblagom-js.0.0.0.dylib             0x0000000103757970 AK::Function<JS::ThrowCompletionOr<void> (JS::Declaration const&)>::operator()(JS::Declaration const&) const + 80
38  liblagom-js.0.0.0.dylib             0x000000010394021c AK::Function<JS::ThrowCompletionOr<JS::Value> ()>::CallableWrapper<JS::create_promise_reaction_job(JS::VM&, JS::PromiseReaction&, JS::Value)::$_0>::call() + 76
39  liblagom-web.0.0.0.dylib            0x0000000104ca7400 AK::Function<JS::ThrowCompletionOr<void> (AK::String const&, AK::String const&)>::operator()(AK::String const&, AK::String const&) const + 80
40  liblagom-web.0.0.0.dylib            0x0000000104ca72b4 AK::Function<void ()>::CallableWrapper<Web::Bindings::initialize_main_thread_vm(Web::HTML::EventLoop::Type)::$_5::operator()(GC::Ref<GC::Function<JS::ThrowCompletionOr<JS::Value> ()>>, JS::Realm*) const::'lambda'()>::call() + 168
41  liblagom-web.0.0.0.dylib            0x0000000104c7e8c0 AK::Function<void (AK::Span<unsigned char>)>::operator()(AK::Span<unsigned char>) const + 76
42  liblagom-web.0.0.0.dylib            0x0000000104f62500 Web::HTML::EventLoop::perform_a_microtask_checkpoint() + 56
43  liblagom-web.0.0.0.dylib            0x00000001050459f4 Web::HTML::ClassicScript::run(Web::HTML::ClassicScript::RethrowErrors, GC::Ptr<JS::Environment>) + 232
44  liblagom-web.0.0.0.dylib            0x0000000104fd3d10 Web::HTML::HTMLScriptElement::execute_script() + 544
45  liblagom-web.0.0.0.dylib            0x000000010501b898 Web::HTML::HTMLParser::the_end(GC::Ref<Web::DOM::Document>, GC::Ptr<Web::HTML::HTMLParser>) + 372
46  liblagom-web.0.0.0.dylib            0x000000010501b628 Web::HTML::HTMLParser::run(URL::URL const&, Web::HTML::HTMLTokenizer::StopAtInsertionPoint) + 244
47  liblagom-web.0.0.0.dylib            0x0000000104e700d0 AK::Function<void ()>::CallableWrapper<Web::load_html_document(Web::HTML::NavigationParams const&)::$_0::operator()(AK::Detail::ByteBuffer<32ul>) const::'lambda'()>::call() + 128
48  liblagom-web.0.0.0.dylib            0x0000000104c7e8c0 AK::Function<void (AK::Span<unsigned char>)>::operator()(AK::Span<unsigned char>) const + 76
49  liblagom-core.0.0.0.dylib           0x00000001032b7994 AK::Function<void (AK::Error&)>::operator()(AK::Error&) const + 76
50  liblagom-core.0.0.0.dylib           0x00000001032c79a0 Core::ThreadEventQueue::process() + 328
51  liblagom-core.0.0.0.dylib           0x00000001032cb714 Core::EventLoopImplementationUnix::exec() + 44
52  liblagom-core.0.0.0.dylib           0x00000001032b4a4c Core::EventLoop::exec() + 72
53  WebContent                          0x00000001028d46ec serenity_main(Main::Arguments) + 4292
54  WebContent                          0x00000001029713cc main + 196

Screenshots or screen recordings

No response

Build flags or config settings

No response

Contribute a patch?

• I’ll contribute a patch for this myself.

[warpdesign]

I added a reduced test case.