158437 2016-06-06 15:28:26 -0700 octal and binary parsing is wrong for some programs 2016-06-06 20:00:40 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 saam msaboff benjamin fpizlo ggaren gskachkov keith_miller mark.lam msaboff oliver sukolsak webkit-bug-importer ysuzuki oldest_to_newest 1199732 0 saam 2016-06-06 15:28:26 -0700 olliej is the one who found this. eval(“0o19”) crashes in a debug build: ASSERTION FAILED: !isImpureNaN(d) /Volumes/Untitled/WebKit/WebKit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(475) : JSC::JSValue::JSValue(JSC::JSValue::EncodeAsDoubleTag, double) 1   0x106323dcd WTFCrash 2   0x105486357 JSC::JSValue::JSValue(JSC::JSValue::EncodeAsDoubleTag, double) 3   0x1054862f5 JSC::JSValue::JSValue(JSC::JSValue::EncodeAsDoubleTag, double) 4   0x10567f0dc JSC::JSValue::JSValue(double) 5   0x10567f03f JSC::JSValue::JSValue(double) 6   0x105ffff9d JSC::NumberNode::NumberNode(JSC::JSTokenLocation const&, double) 7   0x105fffed1 JSC::DoubleNode::DoubleNode(JSC::JSTokenLocation const&, double) 8   0x106000447 JSC::DoubleNode::DoubleNode(JSC::JSTokenLocation const&, double) 9   0x106018f5e JSC::ASTBuilder::createDoubleExpr(JSC::JSTokenLocation const&, double) 10  0x10601327a JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parsePrimaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 11  0x1060114b6 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 12  0x1060509ea JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 13  0x10604ffea JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 14  0x10604f419 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 1199742 1 msaboff 2016-06-06 15:51:56 -0700 I don't get this crash with a debug build of ToT (r201731): $ DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc >>> eval("0o19") Exception: SyntaxError: Unexpected number '9'. Parse error. 1199772 2 oliver 2016-06-06 16:34:59 -0700 It would appear that this is somehow machine dependent. What joy :) 1199783 3 msaboff 2016-06-06 16:57:10 -0700 Turns out that the issue is reading uninitialized memory. Thus the machine dependent failure. Bad binary literals have the same issue. Patch in the works. 1199812 4 280656 msaboff 2016-06-06 17:59:21 -0700 Created attachment 280656 Patch 1199813 5 webkit-bug-importer 2016-06-06 17:59:53 -0700 <rdar://problem/26663732> 1199838 6 280656 darin 2016-06-06 18:48:18 -0700 Comment on attachment 280656 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=280656&action=review > Source/JavaScriptCore/ChangeLog:9 > + When there is an error parsing an binary or octal literal, we need to clear the returnValue > + of any residual value. Why? 1199849 7 msaboff 2016-06-06 19:38:13 -0700 (In reply to comment #6) > Comment on attachment 280656 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=280656&action=review > > > Source/JavaScriptCore/ChangeLog:9 > > + When there is an error parsing an binary or octal literal, we need to clear the returnValue > > + of any residual value. > > Why? Because returnValue's value is used to determine INTEGER or DOUBLE token type. If the value is a double and an impure NaN we get the crash. The syntax checking is based on having leftover characters and is done after the returnValue has been processed. I'll add some of that detail to the ChangeLog. 1199860 8 msaboff 2016-06-06 20:00:40 -0700 Committed r201737: <http://trac.webkit.org/changeset/201737> 280656 2016-06-06 17:59:21 -0700 2016-06-06 18:30:35 -0700 Patch 158437.patch text/plain 2174 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjAxNzM0KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBA CisyMDE2LTA2LTA2ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIG9jdGFsIGFuZCBiaW5hcnkgcGFyc2luZyBpcyB3cm9uZyBmb3Igc29tZSBwcm9ncmFtcwor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU4NDM3CisK KyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgV2hlbiB0aGVy ZSBpcyBhbiBlcnJvciBwYXJzaW5nIGFuIGJpbmFyeSBvciBvY3RhbCBsaXRlcmFsLCB3ZSBuZWVk IHRvIGNsZWFyIHRoZSByZXR1cm5WYWx1ZQorICAgICAgICBvZiBhbnkgcmVzaWR1YWwgdmFsdWUu CisKKyAgICAgICAgKiBwYXJzZXIvTGV4ZXIuY3BwOgorICAgICAgICAoSlNDOjpMZXhlcjxUPjo6 cGFyc2VCaW5hcnkpOgorICAgICAgICAoSlNDOjpMZXhlcjxUPjo6cGFyc2VPY3RhbCk6CisgICAg ICAgICogdGVzdHMvc3RyZXNzL3JlZ3Jlc3MtMTU4NDM3LmpzOiBOZXcgdGVzdC4KKwogMjAxNi0w Ni0wNiAgTWFyayBMYW0gIDxtYXJrLmxhbUBhcHBsZS5jb20+CiAKICAgICAgICAgMzItYml0IEpT QyBzdHJlc3MgdGVzdCBmYWlsaW5nOiBzdHJlc3MvcmVjdXJzaXZlLXRyeS1jYXRjaC5qcy5mdGwt bm8tY2ppdC12YWxpZGF0ZS1zYW1wbGluZy1wcm9maWxlcgpJbmRleDogU291cmNlL0phdmFTY3Jp cHRDb3JlL3BhcnNlci9MZXhlci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRD b3JlL3BhcnNlci9MZXhlci5jcHAJKHJldmlzaW9uIDIwMTczMSkKKysrIFNvdXJjZS9KYXZhU2Ny aXB0Q29yZS9wYXJzZXIvTGV4ZXIuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xNTY4LDggKzE1Njgs MTAgQEAgQUxXQVlTX0lOTElORSBib29sIExleGVyPFQ+OjpwYXJzZUJpbmFyeQogICAgICAgICBz aGlmdCgpOwogICAgIH0KIAotICAgIGlmIChpc0FTQ0lJRGlnaXQobV9jdXJyZW50KSkKKyAgICBp ZiAoaXNBU0NJSURpZ2l0KG1fY3VycmVudCkpIHsKKyAgICAgICAgcmV0dXJuVmFsdWUgPSAwOwog ICAgICAgICByZXR1cm4gZmFsc2U7CisgICAgfQogCiAgICAgcmV0dXJuVmFsdWUgPSBwYXJzZUlu dE92ZXJmbG93KG1fYnVmZmVyOC5kYXRhKCksIG1fYnVmZmVyOC5zaXplKCksIDIpOwogICAgIHJl dHVybiB0cnVlOwpAQCAtMTYwNiw4ICsxNjA4LDEwIEBAIEFMV0FZU19JTkxJTkUgYm9vbCBMZXhl cjxUPjo6cGFyc2VPY3RhbCgKICAgICAgICAgc2hpZnQoKTsKICAgICB9CiAKLSAgICBpZiAoaXNB U0NJSURpZ2l0KG1fY3VycmVudCkpCisgICAgaWYgKGlzQVNDSUlEaWdpdChtX2N1cnJlbnQpKSB7 CisgICAgICAgIHJldHVyblZhbHVlID0gMDsKICAgICAgICAgcmV0dXJuIGZhbHNlOworICAgIH0K IAogICAgIHJldHVyblZhbHVlID0gcGFyc2VJbnRPdmVyZmxvdyhtX2J1ZmZlcjguZGF0YSgpLCBt X2J1ZmZlcjguc2l6ZSgpLCA4KTsKICAgICByZXR1cm4gdHJ1ZTsKSW5kZXg6IFNvdXJjZS9KYXZh U2NyaXB0Q29yZS90ZXN0cy9zdHJlc3MvcmVncmVzcy0xNTg0MzcuanMKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0g U291cmNlL0phdmFTY3JpcHRDb3JlL3Rlc3RzL3N0cmVzcy9yZWdyZXNzLTE1ODQzNy5qcwkocmV2 aXNpb24gMCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS90ZXN0cy9zdHJlc3MvcmVncmVzcy0x NTg0MzcuanMJKHdvcmtpbmcgY29weSkKQEAgLTAsMCArMSwxMSBAQAorLy8gVGhpcyB0ZXN0IHNo b3VsZCBub3QgY3Jhc2guCisKK3RyeSB7CisgICAgbGV0IHggPSBldmFsKCIwbzE5Iik7Cit9IGNh dGNoKGUpIHsKK30KKwordHJ5IHsKKyAgICBsZXQgeCA9IGV2YWwoIjBiMTkiKTsKK30gY2F0Y2go ZSkgeworfQo=