Bug 106160

Summary: "ASSERTION FAILED: exprStatement" in Function constructor call
Product: WebKit Reporter: André Bargull <andre.bargull>
Component: JavaScriptCoreAssignee: Keith Miller <keith_miller>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, caitp, erights, fpizlo, ggaren, keith_miller, oliver, saam
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

André Bargull
Reported 2013-01-04 18:37:29 PST
test case: --- Function("){});(function(", "") --- stack trace: --- ASSERTION FAILED: exprStatement /home/svdi/git/webkit/Source/JavaScriptCore/runtime/CodeCache.cpp(158) : JSC::UnlinkedFunctionExecutable* JSC::CodeCache::getFunctionExecutableFromGlobalCode(JSC::JSGlobalData&, const JSC::Identifier&, const JSC::SourceCode&, JSC::ParserError&) 1 0x7ffff768ab60 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC9CodeCache35getFunctionExecutableFromGlobalCodeERNS_12JSGlobalDataERKNS_10IdentifierERKNS_10SourceCodeERNS_11ParserErrorE+0x1b2) [0x7ffff768ab60] 2 0x7ffff742a903 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC26UnlinkedFunctionExecutable14fromGlobalCodeERKNS_10IdentifierEPNS_9ExecStateEPNS_8DebuggerERKNS_10SourceCodeEPPNS_8JSObjectE+0x6b) [0x7ffff742a903] 3 0x7ffff76a26b6 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC18FunctionExecutable14fromGlobalCodeERKNS_10IdentifierEPNS_9ExecStateEPNS_8DebuggerERKNS_10SourceCodeEPPNS_8JSObjectE+0x46) [0x7ffff76a26b6] 4 0x7ffff76a66b0 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC41constructFunctionSkippingEvalEnabledCheckEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListERKNS_10IdentifierERKN3WTF6StringERKNSA_12TextPositionE+0x3de) [0x7ffff76a66b0] 5 0x7ffff76a62d0 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC17constructFunctionEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListERKNS_10IdentifierERKN3WTF6StringERKNSA_12TextPositionE+0x8b) [0x7ffff76a62d0] 6 0x7ffff76a67d5 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC17constructFunctionEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListE+0x6a) [0x7ffff76a67d5] 7 0x7ffff76a6204 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x82d204) [0x7ffff76a6204] 8 0x7ffff75fdaa1 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x784aa1) [0x7ffff75fdaa1] 9 0x7ffff76009d7 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC5LLInt9setUpCallEPNS_9ExecStateEPNS_11InstructionENS_22CodeSpecializationKindENS_7JSValueEPNS_17LLIntCallLinkInfoE+0x6b) [0x7ffff76009d7] 10 0x7ffff7600f3f /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC5LLInt11genericCallEPNS_9ExecStateEPNS_11InstructionENS_22CodeSpecializationKindE+0x10a) [0x7ffff7600f3f] 11 0x7ffff75fe00e /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x78500e) [0x7ffff75fe00e] 12 0x7ffff7605376 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x78c376) [0x7ffff7605376] Program received signal SIGSEGV, Segmentation fault. 0x00007ffff768ab6a in JSC::CodeCache::getFunctionExecutableFromGlobalCode (this=0x7fffb24db010, globalData=..., name=..., source=..., error=...) at /home/svdi/git/webkit/Source/JavaScriptCore/runtime/CodeCache.cpp:158 158 ASSERT(exprStatement); ---
Attachments
Patch (3.43 KB, patch)
2014-10-01 16:49 PDT, Oliver Hunt 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
André Bargull
Comment 1 2013-01-05 04:58:07 PST
Three more test cases Function("", "});(function(){") => ASSERTION FAILED: exprStatement Function("//", "//") => shouldn't throw SyntaxError, but currently does Function("/*", "*/){") => should throw SyntaxError, but currently doesn't
Oliver Hunt
Comment 2 2013-01-07 14:07:18 PST
(In reply to comment #1) > Three more test cases > > Function("", "});(function(){") > => ASSERTION FAILED: exprStatement > > Function("//", "//") > => shouldn't throw SyntaxError, but currently does > > Function("/*", "*/){") > => should throw SyntaxError, but currently doesn't O_o Craziness.
Mark S. Miller
Comment 3 2013-03-08 20:07:58 PST
See also https://code.google.com/p/v8/issues/detail?id=2470 and https://code.google.com/p/google-caja/issues/detail?id=1616 On platforms still suffering from this bug, SES must engage in an expensive workaround.
Geoffrey Garen
Comment 4 2013-03-11 12:58:24 PDT
What's SES?
Mark S. Miller
Comment 5 2013-03-11 13:59:15 PDT
(In reply to comment #4) > What's SES? Secure EcmaScript. The most compact accurate description is probably section 2.3 of http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/40673.pdf Some details at https://code.google.com/p/google-caja/wiki/SES Implementation at https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/ , which also runs standalone. It does not depend on the rest of Caja. Talks explaining the point at http://www.youtube.com/watch?v=w9hHHvhZ_HY (part 1) http://www.youtube.com/watch?v=oBqeDYETXME (part 2) If you watch both of these parts, you can skip about the first 10 minutes of part 2.
Geoffrey Garen
Comment 6 2013-03-11 14:15:29 PDT
Who are SES's primary clients?
Mark S. Miller
Comment 7 2013-03-11 15:04:40 PDT
(In reply to comment #6) > Who are SES's primary clients? Google Sites and Google Apps Script.
Geoffrey Garen
Comment 8 2013-03-11 15:31:06 PDT
<rdar://problem/13395335>
Mark S. Miller
Comment 9 2013-06-13 08:41:30 PDT
(In reply to comment #8) > <rdar://problem/13395335> What does "rdar" mean? Does this (or the InRadar keyword above) mean that there's a fix for this in progress? Can we expect this to be fixed soon?
Geoffrey Garen
Comment 10 2013-06-13 10:31:56 PDT
It means that this bug has been copied into Apple's internal bug database, named "Radar".
Mark S. Miller
Comment 11 2014-05-11 11:11:52 PDT
What is the status of this issue?
Mark S. Miller
Comment 12 2014-08-14 14:18:59 PDT
Is https://bugs.webkit.org/show_bug.cgi?id=131137 a duplicate of this?
Oliver Hunt
Comment 13 2014-10-01 16:49:24 PDT
Created attachment 239066 [details] Patch
Brent Fulgham
Comment 14 2016-06-09 16:44:44 PDT
I tried this test case on current WebKit and I get a syntax error: "SyntaxError: Unexpected token ')'" Are there still cases where JSC crashes? Please reopen with a current failure case if you believe this is still happening with the current JavaScriptCore engine.
Oliver Hunt
Comment 15 2016-06-09 16:48:34 PDT
(In reply to comment #14) > I tried this test case on current WebKit and I get a syntax error: > > "SyntaxError: Unexpected token ')'" > > Are there still cases where JSC crashes? > > Please reopen with a current failure case if you believe this is still > happening with the current JavaScriptCore engine. Has it stopped asserting now?
Brent Fulgham
Comment 16 2016-06-09 16:55:33 PDT
(In reply to comment #15) > (In reply to comment #14) > > I tried this test case on current WebKit and I get a syntax error: > > > > "SyntaxError: Unexpected token ')'" > > > > Are there still cases where JSC crashes? > > > > Please reopen with a current failure case if you believe this is still > > happening with the current JavaScriptCore engine. > > Has it stopped asserting now? Running a debug build of WebKit, I see no asserts when executing this code. Just the syntax error.
Mark S. Miller
Comment 17 2016-06-09 18:02:55 PDT
I still see the problem on Safari, Safari Technology Preview, and Webkit Nightly when visiting https://rawgit.com/tvcutsem/es-lab/master/src/ses/contract.html The relevant test report reads: 71) Repaired: Function constructor does not verify syntax. The test case producing this is currently at https://github.com/tvcutsem/es-lab/blob/master/src/ses/repairES5.js#L3244 The test code in question is Function('/*', '*/){'); which on the Webkit Nightly console produces function anonymous(/*) { */){ }
André Bargull
Comment 18 2016-06-15 10:22:21 PDT
(In reply to comment #14) > Are there still cases where JSC crashes? > > Please reopen with a current failure case if you believe this is still > happening with the current JavaScriptCore engine. New test case: --- Function("}}; 1 * {a:{"); --- Reports this assertion failure: --- ASSERTION FAILED: statement --- Stack trace: --- #0 0x00007ffff6de7098 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:317 #1 0x00007ffff6af2072 in JSC::CodeCache::getFunctionExecutableFromGlobalCode (this=0x7ffff0def000, vm=..., name=..., source=..., error=...) at ../../Source/JavaScriptCore/runtime/CodeCache.cpp:184 #2 0x00007ffff63b93e7 in JSC::UnlinkedFunctionExecutable::fromGlobalCode (name=..., exec=..., source=..., exception=@0x7fffffffc6a0: 0x0, overrideLineNumber=-1) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:178 #3 0x00007ffff6b5ccfc in JSC::FunctionExecutable::fromGlobalCode (name=..., exec=..., source=..., exception=@0x7fffffffc6a0: 0x0, overrideLineNumber=-1) at ../../Source/JavaScriptCore/runtime/Executable.cpp:728 #4 0x00007ffff6b60f4f in JSC::constructFunctionSkippingEvalEnabledCheck (exec=0x7fffffffcb20, globalObject=0x7fffaf1e7900, args=..., functionName=..., sourceURL=..., position=..., overrideLineNumber=-1, functionConstructionMode=JSC::FunctionConstructionMode::Function, newTarget=...) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:121 #5 0x00007ffff6b609fa in JSC::constructFunction (exec=0x7fffffffcb20, globalObject=0x7fffaf1e7900, args=..., functionName=..., sourceURL=..., position=..., functionConstructionMode=JSC::FunctionConstructionMode::Function, newTarget=...) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:86 #6 0x00007ffff6b611ea in JSC::constructFunction (exec=0x7fffffffcb20, globalObject=0x7fffaf1e7900, args=..., functionConstructionMode=JSC::FunctionConstructionMode::Function, newTarget=...) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:137 #7 0x00007ffff6b60900 in JSC::callFunctionConstructor (exec=0x7fffffffcb20) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:71 ... ---
Michael Catanzaro
Comment 19 2016-10-21 05:13:47 PDT
*** Bug 163748 has been marked as a duplicate of this bug. ***
Caitlin Potter (:caitp)
Comment 20 2016-10-21 06:45:49 PDT
I've added another version of the fix. I guess if this has been opened for so long, maybe nobody really cares about this crash, but it's not too much effort to fix it. The smaller patch ought to land, whichever that is.
Saam Barati
Comment 21 2016-10-28 02:49:14 PDT
(In reply to comment #20) > I've added another version of the fix. I guess if this has been opened for > so long, maybe nobody really cares about this crash, but it's not too much > effort to fix it. The smaller patch ought to land, whichever that is. I definitely care about fixing this. Can you upload your patch from the other bug here?
Caitlin Potter (:caitp)
Comment 22 2016-10-28 05:55:36 PDT
(In reply to comment #21) > (In reply to comment #20) > > I've added another version of the fix. I guess if this has been opened for > > so long, maybe nobody really cares about this crash, but it's not too much > > effort to fix it. The smaller patch ought to land, whichever that is. > > I definitely care about fixing this. Can you upload your patch from the > other bug here? The other fix has landed already (https://trac.webkit.org/changeset/207684)
Note You need to log in before you can comment on or make changes to this bug.