106160 2013-01-04 18:37:29 -0800 "ASSERTION FAILED: exprStatement" in Function constructor call 2016-10-28 05:55:36 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 andre.bargull keith_miller bfulgham caitp erights fpizlo ggaren keith_miller oliver saam oldest_to_newest 800810 0 andre.bargull 2013-01-04 18:37:29 -0800 test case: --- Function("){});(function(", "") --- stack trace: --- ASSERTION FAILED: exprStatement /home/svdi/git/webkit/Source/JavaScriptCore/runtime/CodeCache.cpp(158) : JSC::UnlinkedFunctionExecutable* JSC::CodeCache::getFunctionExecutableFromGlobalCode(JSC::JSGlobalData&, const JSC::Identifier&, const JSC::SourceCode&, JSC::ParserError&) 1 0x7ffff768ab60 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC9CodeCache35getFunctionExecutableFromGlobalCodeERNS_12JSGlobalDataERKNS_10IdentifierERKNS_10SourceCodeERNS_11ParserErrorE+0x1b2) [0x7ffff768ab60] 2 0x7ffff742a903 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC26UnlinkedFunctionExecutable14fromGlobalCodeERKNS_10IdentifierEPNS_9ExecStateEPNS_8DebuggerERKNS_10SourceCodeEPPNS_8JSObjectE+0x6b) [0x7ffff742a903] 3 0x7ffff76a26b6 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC18FunctionExecutable14fromGlobalCodeERKNS_10IdentifierEPNS_9ExecStateEPNS_8DebuggerERKNS_10SourceCodeEPPNS_8JSObjectE+0x46) [0x7ffff76a26b6] 4 0x7ffff76a66b0 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC41constructFunctionSkippingEvalEnabledCheckEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListERKNS_10IdentifierERKN3WTF6StringERKNSA_12TextPositionE+0x3de) [0x7ffff76a66b0] 5 0x7ffff76a62d0 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC17constructFunctionEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListERKNS_10IdentifierERKN3WTF6StringERKNSA_12TextPositionE+0x8b) [0x7ffff76a62d0] 6 0x7ffff76a67d5 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC17constructFunctionEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListE+0x6a) [0x7ffff76a67d5] 7 0x7ffff76a6204 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x82d204) [0x7ffff76a6204] 8 0x7ffff75fdaa1 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x784aa1) [0x7ffff75fdaa1] 9 0x7ffff76009d7 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC5LLInt9setUpCallEPNS_9ExecStateEPNS_11InstructionENS_22CodeSpecializationKindENS_7JSValueEPNS_17LLIntCallLinkInfoE+0x6b) [0x7ffff76009d7] 10 0x7ffff7600f3f /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC5LLInt11genericCallEPNS_9ExecStateEPNS_11InstructionENS_22CodeSpecializationKindE+0x10a) [0x7ffff7600f3f] 11 0x7ffff75fe00e /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x78500e) [0x7ffff75fe00e] 12 0x7ffff7605376 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x78c376) [0x7ffff7605376] Program received signal SIGSEGV, Segmentation fault. 0x00007ffff768ab6a in JSC::CodeCache::getFunctionExecutableFromGlobalCode (this=0x7fffb24db010, globalData=..., name=..., source=..., error=...) at /home/svdi/git/webkit/Source/JavaScriptCore/runtime/CodeCache.cpp:158 158 ASSERT(exprStatement); --- 800903 1 andre.bargull 2013-01-05 04:58:07 -0800 Three more test cases Function("", "});(function(){") => ASSERTION FAILED: exprStatement Function("//", "//") => shouldn't throw SyntaxError, but currently does Function("/*", "*/){") => should throw SyntaxError, but currently doesn't 801634 2 oliver 2013-01-07 14:07:18 -0800 (In reply to comment #1) > Three more test cases > > Function("", "});(function(){") > => ASSERTION FAILED: exprStatement > > Function("//", "//") > => shouldn't throw SyntaxError, but currently does > > Function("/*", "*/){") > => should throw SyntaxError, but currently doesn't O_o Craziness. 851688 3 erights 2013-03-08 20:07:58 -0800 See also https://code.google.com/p/v8/issues/detail?id=2470 and https://code.google.com/p/google-caja/issues/detail?id=1616 On platforms still suffering from this bug, SES must engage in an expensive workaround. 852614 4 ggaren 2013-03-11 12:58:24 -0700 What's SES? 852690 5 erights 2013-03-11 13:59:15 -0700 (In reply to comment #4) > What's SES? Secure EcmaScript. The most compact accurate description is probably section 2.3 of http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/40673.pdf Some details at https://code.google.com/p/google-caja/wiki/SES Implementation at https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/ , which also runs standalone. It does not depend on the rest of Caja. Talks explaining the point at http://www.youtube.com/watch?v=w9hHHvhZ_HY (part 1) http://www.youtube.com/watch?v=oBqeDYETXME (part 2) If you watch both of these parts, you can skip about the first 10 minutes of part 2. 852717 6 ggaren 2013-03-11 14:15:29 -0700 Who are SES's primary clients? 852768 7 erights 2013-03-11 15:04:40 -0700 (In reply to comment #6) > Who are SES's primary clients? Google Sites and Google Apps Script. 852791 8 ggaren 2013-03-11 15:31:06 -0700 <rdar://problem/13395335> 900048 9 erights 2013-06-13 08:41:30 -0700 (In reply to comment #8) > <rdar://problem/13395335> What does "rdar" mean? Does this (or the InRadar keyword above) mean that there's a fix for this in progress? Can we expect this to be fixed soon? 900188 10 ggaren 2013-06-13 10:31:56 -0700 It means that this bug has been copied into Apple's internal bug database, named "Radar". 1008430 11 erights 2014-05-11 11:11:52 -0700 What is the status of this issue? 1029213 12 erights 2014-08-14 14:18:59 -0700 Is https://bugs.webkit.org/show_bug.cgi?id=131137 a duplicate of this? 1038715 13 239066 oliver 2014-10-01 16:49:24 -0700 Created attachment 239066 Patch 1201050 14 bfulgham 2016-06-09 16:44:44 -0700 I tried this test case on current WebKit and I get a syntax error: "SyntaxError: Unexpected token ')'" Are there still cases where JSC crashes? Please reopen with a current failure case if you believe this is still happening with the current JavaScriptCore engine. 1201056 15 oliver 2016-06-09 16:48:34 -0700 (In reply to comment #14) > I tried this test case on current WebKit and I get a syntax error: > > "SyntaxError: Unexpected token ')'" > > Are there still cases where JSC crashes? > > Please reopen with a current failure case if you believe this is still > happening with the current JavaScriptCore engine. Has it stopped asserting now? 1201059 16 bfulgham 2016-06-09 16:55:33 -0700 (In reply to comment #15) > (In reply to comment #14) > > I tried this test case on current WebKit and I get a syntax error: > > > > "SyntaxError: Unexpected token ')'" > > > > Are there still cases where JSC crashes? > > > > Please reopen with a current failure case if you believe this is still > > happening with the current JavaScriptCore engine. > > Has it stopped asserting now? Running a debug build of WebKit, I see no asserts when executing this code. Just the syntax error. 1201071 17 erights 2016-06-09 18:02:55 -0700 I still see the problem on Safari, Safari Technology Preview, and Webkit Nightly when visiting https://rawgit.com/tvcutsem/es-lab/master/src/ses/contract.html The relevant test report reads: 71) Repaired: Function constructor does not verify syntax. The test case producing this is currently at https://github.com/tvcutsem/es-lab/blob/master/src/ses/repairES5.js#L3244 The test code in question is Function('/*', '*/){'); which on the Webkit Nightly console produces function anonymous(/*) { */){ } 1202608 18 andre.bargull 2016-06-15 10:22:21 -0700 (In reply to comment #14) > Are there still cases where JSC crashes? > > Please reopen with a current failure case if you believe this is still > happening with the current JavaScriptCore engine. New test case: --- Function("}}; 1 * {a:{"); --- Reports this assertion failure: --- ASSERTION FAILED: statement --- Stack trace: --- #0 0x00007ffff6de7098 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:317 #1 0x00007ffff6af2072 in JSC::CodeCache::getFunctionExecutableFromGlobalCode (this=0x7ffff0def000, vm=..., name=..., source=..., error=...) at ../../Source/JavaScriptCore/runtime/CodeCache.cpp:184 #2 0x00007ffff63b93e7 in JSC::UnlinkedFunctionExecutable::fromGlobalCode (name=..., exec=..., source=..., exception=@0x7fffffffc6a0: 0x0, overrideLineNumber=-1) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:178 #3 0x00007ffff6b5ccfc in JSC::FunctionExecutable::fromGlobalCode (name=..., exec=..., source=..., exception=@0x7fffffffc6a0: 0x0, overrideLineNumber=-1) at ../../Source/JavaScriptCore/runtime/Executable.cpp:728 #4 0x00007ffff6b60f4f in JSC::constructFunctionSkippingEvalEnabledCheck (exec=0x7fffffffcb20, globalObject=0x7fffaf1e7900, args=..., functionName=..., sourceURL=..., position=..., overrideLineNumber=-1, functionConstructionMode=JSC::FunctionConstructionMode::Function, newTarget=...) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:121 #5 0x00007ffff6b609fa in JSC::constructFunction (exec=0x7fffffffcb20, globalObject=0x7fffaf1e7900, args=..., functionName=..., sourceURL=..., position=..., functionConstructionMode=JSC::FunctionConstructionMode::Function, newTarget=...) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:86 #6 0x00007ffff6b611ea in JSC::constructFunction (exec=0x7fffffffcb20, globalObject=0x7fffaf1e7900, args=..., functionConstructionMode=JSC::FunctionConstructionMode::Function, newTarget=...) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:137 #7 0x00007ffff6b60900 in JSC::callFunctionConstructor (exec=0x7fffffffcb20) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:71 ... --- 1242850 19 mcatanzaro 2016-10-21 05:13:47 -0700 *** Bug 163748 has been marked as a duplicate of this bug. *** 1242863 20 caitp 2016-10-21 06:45:49 -0700 I've added another version of the fix. I guess if this has been opened for so long, maybe nobody really cares about this crash, but it's not too much effort to fix it. The smaller patch ought to land, whichever that is. 1245508 21 saam 2016-10-28 02:49:14 -0700 (In reply to comment #20) > I've added another version of the fix. I guess if this has been opened for > so long, maybe nobody really cares about this crash, but it's not too much > effort to fix it. The smaller patch ought to land, whichever that is. I definitely care about fixing this. Can you upload your patch from the other bug here? 1245559 22 caitp 2016-10-28 05:55:36 -0700 (In reply to comment #21) > (In reply to comment #20) > > I've added another version of the fix. I guess if this has been opened for > > so long, maybe nobody really cares about this crash, but it's not too much > > effort to fix it. The smaller patch ought to land, whichever that is. > > I definitely care about fixing this. Can you upload your patch from the > other bug here? The other fix has landed already (https://trac.webkit.org/changeset/207684) 239066 2014-10-01 16:49:24 -0700 2014-10-01 16:50:45 -0700 Patch bug-106160-20141001164924.patch text/plain 3517 oliver U3VidmVyc2lvbiBSZXZpc2lvbjogMTc0MTU2CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCA1 YTU0YzdhZDA3MGVkNDc5NDlkYmVjMjcyYWMyYjliYjY1MGU1YTU3Li5kNWJjYzNlMmM5YTllOTYy ZjNhYWFlZGYzMDdhZGJmZGQxZDE1NDc2IDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxOSBAQAorMjAxNC0xMC0wMSAgT2xpdmVyIEh1bnQgIDxvbGl2ZXJAYXBwbGUuY29tPgor CisgICAgICAgICJBU1NFUlRJT04gRkFJTEVEOiBleHByU3RhdGVtZW50IiBpbiBGdW5jdGlvbiBj b25zdHJ1Y3RvciBjYWxsCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xMDYxNjAKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKwor ICAgICAgICBTd2l0Y2ggZnJvbSBSRUxFQVNFX0FTU0VSVHMgaW50byBydW50aW1lIHN5bnRheCBl cnJvcnMgaW4gdGhlIEZ1bmN0aW9uCisgICAgICAgIGNvbnN0cnVjdG9yLiAgSSBjYW4gb25seSB3 b3JrIG91dCBhIHdheSB0byB0cmlnZ2VyIG9uZSBvZiB0aGVzZSwgYnV0IGluCisgICAgICAgIHRo ZSBpbnRlcmVzdHMgb2YgY29uc2lzdGVuY3kgSSd2ZSByZXBsYWNlZCBhbGwgdGhlIG9mIHRoZSBh c3NlcnRpb25zIHdpdGgKKyAgICAgICAgc3ludGF4IGVycm9ycy4gVGhpcyBnZW5lcmFsbHkgbWVh bnMgY29uc2lzdGVudCBmYWlsdXJlIG1vZGUgYWNyb3NzIGFueQorICAgICAgICBnYXJiYWdlIHRo YXQgd2UncmUgcGFzc2VkLgorCisgICAgICAgICogcnVudGltZS9Db2RlQ2FjaGUuY3BwOgorICAg ICAgICAoSlNDOjpDb2RlQ2FjaGU6OmdldEZ1bmN0aW9uRXhlY3V0YWJsZUZyb21HbG9iYWxDb2Rl KToKKwogMjAxNC0wOS0zMCAgQnJpYW4gSi4gQnVyZyAgPGJ1cmdAY3Mud2FzaGluZ3Rvbi5lZHU+ CiAKICAgICAgICAgV2ViIEluc3BlY3RvcjogRXJyb3JTdHJpbmcgc2hvdWxkIGJlIHBhc3NlZCBi eSByZWZlcmVuY2UKZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0Nv ZGVDYWNoZS5jcHAgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9Db2RlQ2FjaGUuY3Bw CmluZGV4IGYzN2Y2ZmUyN2VlNDVhNjNlMjE4N2JiNjAxYTJlZDAxNWE5YmNhYzMuLjlkMGRlMDFk YzJhNDExYThlMTE4OTcyODQ5ZWJlZDU2MjlkN2E4ZTkgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZh U2NyaXB0Q29yZS9ydW50aW1lL0NvZGVDYWNoZS5jcHAKKysrIGIvU291cmNlL0phdmFTY3JpcHRD b3JlL3J1bnRpbWUvQ29kZUNhY2hlLmNwcApAQCAtMTUxLDE3ICsxNTEsNDMgQEAgVW5saW5rZWRG dW5jdGlvbkV4ZWN1dGFibGUqIENvZGVDYWNoZTo6Z2V0RnVuY3Rpb25FeGVjdXRhYmxlRnJvbUds b2JhbENvZGUoVk0mIHYKIAogICAgIC8vIFRoaXMgZnVuY3Rpb24gYXNzdW1lcyBhbiBpbnB1dCBz dHJpbmcgdGhhdCB3b3VsZCByZXN1bHQgaW4gYSBzaW5nbGUgYW5vbnltb3VzIGZ1bmN0aW9uIGV4 cHJlc3Npb24uCiAgICAgU3RhdGVtZW50Tm9kZSogZXhwclN0YXRlbWVudCA9IHByb2dyYW0tPnNp bmdsZVN0YXRlbWVudCgpOwotICAgIFJFTEVBU0VfQVNTRVJUKGV4cHJTdGF0ZW1lbnQpOwotICAg IFJFTEVBU0VfQVNTRVJUKGV4cHJTdGF0ZW1lbnQtPmlzRXhwclN0YXRlbWVudCgpKTsKKyAgICBp ZiAoIWV4cHJTdGF0ZW1lbnQpIHsKKyAgICAgICAgZXJyb3IubV9tZXNzYWdlID0gQVNDSUlMaXRl cmFsKCJJbnZhbGlkIHRyYWlsaW5nIHN0YXRlbWVudHMgcGFzc2VkIHRvIEZ1bmN0aW9uIGNvbnN0 cnVjdG9yIik7CisgICAgICAgIGVycm9yLm1fdHlwZSA9IFBhcnNlckVycm9yOjpTeW50YXhFcnJv cjsKKyAgICAgICAgcmV0dXJuIG51bGxwdHI7CisgICAgfQorCisgICAgaWYgKCFleHByU3RhdGVt ZW50LT5pc0V4cHJTdGF0ZW1lbnQoKSkgeworICAgICAgICBlcnJvci5tX21lc3NhZ2UgPSBBU0NJ SUxpdGVyYWwoIkludmFsaWQgc3ludGF4IHBhc3NlZCB0byBGdW5jdGlvbiBjb25zdHJ1Y3RvciIp OworICAgICAgICBlcnJvci5tX3R5cGUgPSBQYXJzZXJFcnJvcjo6U3ludGF4RXJyb3I7CisgICAg ICAgIHJldHVybiBudWxscHRyOworICAgIH0KKwogICAgIEV4cHJlc3Npb25Ob2RlKiBmdW5jRXhw ciA9IHN0YXRpY19jYXN0PEV4cHJTdGF0ZW1lbnROb2RlKj4oZXhwclN0YXRlbWVudCktPmV4cHIo KTsKICAgICBSRUxFQVNFX0FTU0VSVChmdW5jRXhwcik7CiAgICAgUkVMRUFTRV9BU1NFUlQoZnVu Y0V4cHItPmlzRnVuY0V4cHJOb2RlKCkpOworICAgIGlmICghZnVuY0V4cHIgfHwgIWZ1bmNFeHBy LT5pc0Z1bmNFeHByTm9kZSgpKSB7CisgICAgICAgIGVycm9yLm1fbWVzc2FnZSA9IEFTQ0lJTGl0 ZXJhbCgiSW52YWxpZCBzeW50YXggcGFzc2VkIHRvIEZ1bmN0aW9uIGNvbnN0cnVjdG9yIik7Cisg ICAgICAgIGVycm9yLm1fdHlwZSA9IFBhcnNlckVycm9yOjpTeW50YXhFcnJvcjsKKyAgICAgICAg cmV0dXJuIG51bGxwdHI7CisgICAgfQorCiAgICAgRnVuY3Rpb25Cb2R5Tm9kZSogYm9keSA9IHN0 YXRpY19jYXN0PEZ1bmNFeHByTm9kZSo+KGZ1bmNFeHByKS0+Ym9keSgpOwogICAgIFJFTEVBU0Vf QVNTRVJUKCFwcm9ncmFtLT5oYXNDYXB0dXJlZFZhcmlhYmxlcygpKTsKKyAgICBpZiAocHJvZ3Jh bS0+aGFzQ2FwdHVyZWRWYXJpYWJsZXMoKSkgeworICAgICAgICBlcnJvci5tX21lc3NhZ2UgPSBB U0NJSUxpdGVyYWwoIkludmFsaWQgc3ludGF4IHBhc3NlZCB0byBGdW5jdGlvbiBjb25zdHJ1Y3Rv ciIpOworICAgICAgICBlcnJvci5tX3R5cGUgPSBQYXJzZXJFcnJvcjo6U3ludGF4RXJyb3I7Cisg ICAgICAgIHJldHVybiBudWxscHRyOworICAgIH0KICAgICAKICAgICBib2R5LT5zZXRFbmRQb3Np dGlvbihwb3NpdGlvbkJlZm9yZUxhc3ROZXdsaW5lKTsKICAgICBSRUxFQVNFX0FTU0VSVChib2R5 KTsKICAgICBSRUxFQVNFX0FTU0VSVChib2R5LT5pZGVudCgpLmlzTnVsbCgpKTsKKyAgICBpZiAo IWJvZHkgfHwgIWJvZHktPmlkZW50KCkuaXNOdWxsKCkpIHsKKyAgICAgICAgZXJyb3IubV9tZXNz YWdlID0gQVNDSUlMaXRlcmFsKCJJbnZhbGlkIHN5bnRheCBwYXNzZWQgdG8gRnVuY3Rpb24gY29u c3RydWN0b3IiKTsKKyAgICAgICAgZXJyb3IubV90eXBlID0gUGFyc2VyRXJyb3I6OlN5bnRheEVy cm9yOworICAgICAgICByZXR1cm4gbnVsbHB0cjsKKyAgICB9CiAKICAgICBVbmxpbmtlZEZ1bmN0 aW9uRXhlY3V0YWJsZSogZnVuY3Rpb25FeGVjdXRhYmxlID0gVW5saW5rZWRGdW5jdGlvbkV4ZWN1 dGFibGU6OmNyZWF0ZSgmdm0sIHNvdXJjZSwgYm9keSwgVW5saW5rZWROb3JtYWxGdW5jdGlvbik7 CiAgICAgZnVuY3Rpb25FeGVjdXRhYmxlLT5tX25hbWVWYWx1ZS5zZXQodm0sIGZ1bmN0aW9uRXhl Y3V0YWJsZSwganNTdHJpbmcoJnZtLCBuYW1lLnN0cmluZygpKSk7Cg==