fuzz: compiling '\P{any}' panics by tripping an assertion in the compiler #722

BurntSushi · 2020-10-19T13:06:52Z

Specifically, this one:

Line 419 in a7ef5f4

assert!(!ranges.is_empty());

Normally, regexes like [^\w\W] with empty classes are banned at translation time. But it looks like \P{any} (which is empty) slipped through. So we should just improve the ban to cover that case.

However, empty character classes are occasionally useful constructs for injecting a "fail" sub-pattern into a regex, typically in the context of cases where regexes are generated. Indeed, the NFA compiler in regex-automata handles this case fine:

$ regex-cli debug nfa thompson '\P{any}' -B
      parse time:  48.809µs
  translate time:  17.48µs
compile nfa time:  18.638µs
   pattern count:  1

thompson::NFA(
>000000: alt(2, 1)
 000001: \x00-\xff => 0
^000002: sparse()
 000003: MATCH(0)
)

Where it's impossible to ever move past state 2. Arguably, it might be nicer if it were an explicit "fail" instruction, but an empty sparse instruction (a state with no outgoing transitions) serves the purpose as well.

So once #656 is done, we should be able to relax this restriction.

This bug was found by OSS-Fuzz.

The text was updated successfully, but these errors were encountered:

BurntSushi added the bug label Oct 19, 2020

BurntSushi closed this in 6fdb6e1 Nov 1, 2020

dependabot bot mentioned this issue Mar 15, 2021

Bump regex from 1.3.6 to 1.4.5 jbhannah/lodge#88

Open

rust-lang / regex

fuzz: compiling '\P{any}' panics by tripping an assertion in the compiler #722

fuzz: compiling '\P{any}' panics by tripping an assertion in the compiler #722

BurntSushi commented Oct 19, 2020 •

edited

rust-lang / regex

fuzz: compiling '\P{any}' panics by tripping an assertion in the compiler #722

fuzz: compiling '\P{any}' panics by tripping an assertion in the compiler #722

Comments

BurntSushi commented Oct 19, 2020 • edited

BurntSushi commented Oct 19, 2020 •

edited