fix(assail): char-boundary-aware advance in Isabelle cartouche skip (regression from #49) (#65)

hyperpolymath · claude · web-flow · commit 8ced37ba37be · 2026-05-27T04:42:18.000Z
## Summary `skip_cartouche_end` advanced its byte index by 1 in the no-open / no-close branch, which puts `j` inside a multi-byte UTF-8 sequence when the cartouche body contains non-ASCII (`¬`, `∀`, `⟹`, `🎉`, etc.). The next iteration's `haystack[j..].starts_with(open)` then panics: ``` thread 'main' panicked at src/assail/analyzer.rs:5648:20: start byte index 89 is not a char boundary; it is inside '¬' (bytes 88..90) ``` ## Discovery `./target/release/panic-attack assail /home/hyperpolymath/developer/repos/echidna` from the 2026-05-26 estate reconnaissance crashed on a real `.thy` file inside echidna: ``` text \<open> Double negation elimination: ¬¬A is equivalent to A. ... \<close> ``` Subsetting echidna to `src/` worked around it; this is the proper fix. ## Fix In the no-open / no-close branch, advance by `len_utf8()` of the current char rather than 1 byte. `chars().next()` is guaranteed non-empty there because `j < haystack.len()`. ## Tests Two new regression tests in `assail::analyzer::tests`: - `isabelle_cartouche_with_non_ascii_does_not_panic` — sampled body from the actual crash (`¬¬A`, `∀x`, `⟹`). - `isabelle_cartouche_emoji_grapheme_clusters` — 4-byte UTF-8 (🎉) exercises the full multi-byte range, including the path that 2/3-byte chars wouldn't catch. ## Test plan - [x] `cargo test --lib assail::analyzer::tests::isabelle` — **10/10 pass** (8 existing + 2 new). - [x] `cargo build --release` clean. - [x] Reproducer: `./target/release/panic-attack assail /home/hyperpolymath/developer/repos/echidna` now completes cleanly with **44 weak points** (was: panic). - [ ] CI on this PR. Regression from #49 (Isabelle prose-stripper added in 2026-05-26). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/src/assail/analyzer.rs b/src/assail/analyzer.rs
@@ -5641,6 +5641,11 @@ fn skip_antiquotation_end(haystack: &str, start: usize) -> usize {
 
 /// Given a position just past the first `\<open>` (depth = 1), scan forward and
 /// return the byte index just past the matching `\<close>`. Nesting-aware.
+///
+/// The byte-advance branch steps by `char.len_utf8()` rather than 1 so the
+/// next iteration's `haystack[j..]` slice lands on a UTF-8 char boundary —
+/// Isabelle prose routinely contains non-ASCII (e.g. `¬`, `∀`, `⟹`) inside
+/// `text \<open>...\<close>` blocks.
 fn skip_cartouche_end(haystack: &str, after_open: usize, open: &str, close: &str) -> usize {
     let mut depth: i32 = 1;
     let mut j = after_open;
@@ -5652,7 +5657,13 @@ fn skip_cartouche_end(haystack: &str, after_open: usize, open: &str, close: &str
             depth -= 1;
             j += close.len();
         } else {
-            j += 1;
+            // Step by char width to keep `j` on a UTF-8 boundary. `chars()`
+            // is guaranteed non-empty here because `j < haystack.len()`.
+            j += haystack[j..]
+                .chars()
+                .next()
+                .map(|c| c.len_utf8())
+                .unwrap_or(1);
         }
     }
     j
@@ -5924,6 +5935,34 @@ mod tests {
         );
     }
 
+    #[test]
+    fn isabelle_cartouche_with_non_ascii_does_not_panic() {
+        // Regression: prior to the char-boundary fix in skip_cartouche_end,
+        // any non-ASCII byte inside a `\<open>...\<close>` block panicked
+        // with "byte index N is not a char boundary" because the helper
+        // advanced by 1 byte at a time through multi-byte UTF-8 sequences.
+        // This content is shortened from a real echidna .thy file that
+        // triggered the panic on a full-tree assail scan.
+        let src = "text \\<open>\n  Double negation: ¬¬A ≡ A.\n  ∀x. ¬(P x) ⟹ True\n\\<close>\nlemma foo: True by simp";
+        let stripped = strip_isabelle_prose(src);
+        assert!(
+            !stripped.contains("¬¬"),
+            "cartouche body containing non-ASCII not stripped: {stripped:?}"
+        );
+        assert!(stripped.contains("lemma foo"));
+    }
+
+    #[test]
+    fn isabelle_cartouche_emoji_grapheme_clusters() {
+        // 4-byte UTF-8 sequences (U+1F389 🎉) inside a cartouche also
+        // exercise the char-boundary path. A surrogate-pair-style multi-
+        // byte char being skipped by 1-byte advances is the same bug.
+        let src = "section \\<open>release notes 🎉 — celebrate!\\<close>\nlemma g: True by simp";
+        let stripped = strip_isabelle_prose(src);
+        assert!(!stripped.contains("🎉"), "got: {stripped:?}");
+        assert!(stripped.contains("lemma g"));
+    }
+
     #[test]
     fn isabelle_nested_cartouches() {
         // \<open> can nest. A cartouche containing another cartouche
