Bug 106160

Summary: "ASSERTION FAILED: exprStatement" in Function constructor call
Product: WebKit Reporter: André Bargull <andre.bargull>
Component: JavaScriptCoreAssignee: Keith Miller <keith_miller>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, caitp, erights, fpizlo, ggaren, keith_miller, oliver, saam
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description André Bargull 2013-01-04 18:37:29 PST 
test case:
---
Function("){});(function(", "")
---

stack trace:
---
ASSERTION FAILED: exprStatement
/home/svdi/git/webkit/Source/JavaScriptCore/runtime/CodeCache.cpp(158) : JSC::UnlinkedFunctionExecutable* JSC::CodeCache::getFunctionExecutableFromGlobalCode(JSC::JSGlobalData&, const JSC::Identifier&, const JSC::SourceCode&, JSC::ParserError&)
1   0x7ffff768ab60 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC9CodeCache35getFunctionExecutableFromGlobalCodeERNS_12JSGlobalDataERKNS_10IdentifierERKNS_10SourceCodeERNS_11ParserErrorE+0x1b2) [0x7ffff768ab60]
2   0x7ffff742a903 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC26UnlinkedFunctionExecutable14fromGlobalCodeERKNS_10IdentifierEPNS_9ExecStateEPNS_8DebuggerERKNS_10SourceCodeEPPNS_8JSObjectE+0x6b) [0x7ffff742a903]
3   0x7ffff76a26b6 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC18FunctionExecutable14fromGlobalCodeERKNS_10IdentifierEPNS_9ExecStateEPNS_8DebuggerERKNS_10SourceCodeEPPNS_8JSObjectE+0x46) [0x7ffff76a26b6]
4   0x7ffff76a66b0 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC41constructFunctionSkippingEvalEnabledCheckEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListERKNS_10IdentifierERKN3WTF6StringERKNSA_12TextPositionE+0x3de) [0x7ffff76a66b0]
5   0x7ffff76a62d0 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC17constructFunctionEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListERKNS_10IdentifierERKN3WTF6StringERKNSA_12TextPositionE+0x8b) [0x7ffff76a62d0]
6   0x7ffff76a67d5 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC17constructFunctionEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListE+0x6a) [0x7ffff76a67d5]
7   0x7ffff76a6204 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x82d204) [0x7ffff76a6204]
8   0x7ffff75fdaa1 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x784aa1) [0x7ffff75fdaa1]
9   0x7ffff76009d7 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC5LLInt9setUpCallEPNS_9ExecStateEPNS_11InstructionENS_22CodeSpecializationKindENS_7JSValueEPNS_17LLIntCallLinkInfoE+0x6b) [0x7ffff76009d7]
10  0x7ffff7600f3f /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(_ZN3JSC5LLInt11genericCallEPNS_9ExecStateEPNS_11InstructionENS_22CodeSpecializationKindE+0x10a) [0x7ffff7600f3f]
11  0x7ffff75fe00e /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x78500e) [0x7ffff75fe00e]
12  0x7ffff7605376 /home/svdi/git/webkit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1(+0x78c376) [0x7ffff7605376]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff768ab6a in JSC::CodeCache::getFunctionExecutableFromGlobalCode (this=0x7fffb24db010, globalData=..., name=..., source=..., error=...)
    at /home/svdi/git/webkit/Source/JavaScriptCore/runtime/CodeCache.cpp:158
158	    ASSERT(exprStatement);

---
Comment 1 André Bargull 2013-01-05 04:58:07 PST 
Three more test cases

Function("", "});(function(){")
=> ASSERTION FAILED: exprStatement

Function("//", "//")
=> shouldn't throw SyntaxError, but currently does

Function("/*", "*/){")
=> should throw SyntaxError, but currently doesn't
Comment 2 Oliver Hunt 2013-01-07 14:07:18 PST 
(In reply to comment #1)
> Three more test cases
> 
> Function("", "});(function(){")
> => ASSERTION FAILED: exprStatement
> 
> Function("//", "//")
> => shouldn't throw SyntaxError, but currently does
> 
> Function("/*", "*/){")
> => should throw SyntaxError, but currently doesn't

O_o

Craziness.
Comment 3 Mark S. Miller 2013-03-08 20:07:58 PST 
See also https://code.google.com/p/v8/issues/detail?id=2470 and https://code.google.com/p/google-caja/issues/detail?id=1616

On platforms still suffering from this bug, SES must engage in an expensive workaround.
Comment 4 Geoffrey Garen 2013-03-11 12:58:24 PDT 
What's SES?
Comment 5 Mark S. Miller 2013-03-11 13:59:15 PDT 
(In reply to comment #4)
> What's SES?

Secure EcmaScript. The most compact accurate description is probably section 2.3 of http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/40673.pdf
Some details at https://code.google.com/p/google-caja/wiki/SES
Implementation at https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/ , which also runs standalone. It does not depend on the rest of Caja.

Talks explaining the point at
http://www.youtube.com/watch?v=w9hHHvhZ_HY (part 1)
http://www.youtube.com/watch?v=oBqeDYETXME (part 2)

If you watch both of these parts, you can skip about the first 10 minutes of part 2.
Comment 6 Geoffrey Garen 2013-03-11 14:15:29 PDT 
Who are SES's primary clients?
Comment 7 Mark S. Miller 2013-03-11 15:04:40 PDT 
(In reply to comment #6)
> Who are SES's primary clients?

Google Sites and Google Apps Script.
Comment 8 Geoffrey Garen 2013-03-11 15:31:06 PDT 
<rdar://problem/13395335>
Comment 9 Mark S. Miller 2013-06-13 08:41:30 PDT 
(In reply to comment #8)
> <rdar://problem/13395335>

What does "rdar" mean? Does this (or the InRadar keyword above) mean that there's a fix for this in progress? Can we expect this to be fixed soon?
Comment 10 Geoffrey Garen 2013-06-13 10:31:56 PDT 
It means that this bug has been copied into Apple's internal bug database, named "Radar".
Comment 11 Mark S. Miller 2014-05-11 11:11:52 PDT 
What is the status of this issue?
Comment 12 Mark S. Miller 2014-08-14 14:18:59 PDT 
Is https://bugs.webkit.org/show_bug.cgi?id=131137 a duplicate of this?
Comment 13 Oliver Hunt 2014-10-01 16:49:24 PDT 
Created attachment 239066 [details]
Patch
Comment 14 Brent Fulgham 2016-06-09 16:44:44 PDT 
I tried this test case on current WebKit and I get a syntax error:

"SyntaxError: Unexpected token ')'"

Are there still cases where JSC crashes?

Please reopen with a current failure case if you believe this is still happening with the current JavaScriptCore engine.
Comment 15 Oliver Hunt 2016-06-09 16:48:34 PDT 
(In reply to comment #14)
> I tried this test case on current WebKit and I get a syntax error:
> 
> "SyntaxError: Unexpected token ')'"
> 
> Are there still cases where JSC crashes?
> 
> Please reopen with a current failure case if you believe this is still
> happening with the current JavaScriptCore engine.

Has it stopped asserting now?
Comment 16 Brent Fulgham 2016-06-09 16:55:33 PDT 
(In reply to comment #15)
> (In reply to comment #14)
> > I tried this test case on current WebKit and I get a syntax error:
> > 
> > "SyntaxError: Unexpected token ')'"
> > 
> > Are there still cases where JSC crashes?
> > 
> > Please reopen with a current failure case if you believe this is still
> > happening with the current JavaScriptCore engine.
> 
> Has it stopped asserting now?

Running a debug build of WebKit, I see no asserts when executing this code. Just the syntax error.
Comment 17 Mark S. Miller 2016-06-09 18:02:55 PDT 
I still see the problem on Safari, Safari Technology Preview, and Webkit Nightly when visiting
https://rawgit.com/tvcutsem/es-lab/master/src/ses/contract.html
 
The relevant test report reads:

71) Repaired: Function constructor does not verify syntax.

The test case producing this is currently at
https://github.com/tvcutsem/es-lab/blob/master/src/ses/repairES5.js#L3244

The test code in question is

Function('/*', '*/){');

which on the Webkit Nightly console produces

function anonymous(/*) {
*/){
}
Comment 18 André Bargull 2016-06-15 10:22:21 PDT 
(In reply to comment #14)
> Are there still cases where JSC crashes?
> 
> Please reopen with a current failure case if you believe this is still
> happening with the current JavaScriptCore engine.


New test case:
---
Function("}}; 1 * {a:{");
---

Reports this assertion failure:
---
ASSERTION FAILED: statement
---

Stack trace:
---
#0  0x00007ffff6de7098 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:317
#1  0x00007ffff6af2072 in JSC::CodeCache::getFunctionExecutableFromGlobalCode (this=0x7ffff0def000, vm=..., name=..., source=..., error=...)
    at ../../Source/JavaScriptCore/runtime/CodeCache.cpp:184
#2  0x00007ffff63b93e7 in JSC::UnlinkedFunctionExecutable::fromGlobalCode (name=..., exec=..., source=..., exception=@0x7fffffffc6a0: 0x0, overrideLineNumber=-1)
    at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:178
#3  0x00007ffff6b5ccfc in JSC::FunctionExecutable::fromGlobalCode (name=..., exec=..., source=..., exception=@0x7fffffffc6a0: 0x0, overrideLineNumber=-1)
    at ../../Source/JavaScriptCore/runtime/Executable.cpp:728
#4  0x00007ffff6b60f4f in JSC::constructFunctionSkippingEvalEnabledCheck (exec=0x7fffffffcb20, globalObject=0x7fffaf1e7900, args=..., functionName=..., sourceURL=..., 
    position=..., overrideLineNumber=-1, functionConstructionMode=JSC::FunctionConstructionMode::Function, newTarget=...)
    at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:121
#5  0x00007ffff6b609fa in JSC::constructFunction (exec=0x7fffffffcb20, globalObject=0x7fffaf1e7900, args=..., functionName=..., sourceURL=..., position=..., 
    functionConstructionMode=JSC::FunctionConstructionMode::Function, newTarget=...) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:86
#6  0x00007ffff6b611ea in JSC::constructFunction (exec=0x7fffffffcb20, globalObject=0x7fffaf1e7900, args=..., 
    functionConstructionMode=JSC::FunctionConstructionMode::Function, newTarget=...) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:137
#7  0x00007ffff6b60900 in JSC::callFunctionConstructor (exec=0x7fffffffcb20) at ../../Source/JavaScriptCore/runtime/FunctionConstructor.cpp:71
...
---
Comment 19 Michael Catanzaro 2016-10-21 05:13:47 PDT 
*** Bug 163748 has been marked as a duplicate of this bug. ***
Comment 20 Caitlin Potter (:caitp) 2016-10-21 06:45:49 PDT 
I've added another version of the fix. I guess if this has been opened for so long, maybe nobody really cares about this crash, but it's not too much effort to fix it. The smaller patch ought to land, whichever that is.
Comment 21 Saam Barati 2016-10-28 02:49:14 PDT 
(In reply to comment #20)
> I've added another version of the fix. I guess if this has been opened for
> so long, maybe nobody really cares about this crash, but it's not too much
> effort to fix it. The smaller patch ought to land, whichever that is.

I definitely care about fixing this. Can you upload your patch from the other bug here?
Comment 22 Caitlin Potter (:caitp) 2016-10-28 05:55:36 PDT 
(In reply to comment #21)
> (In reply to comment #20)
> > I've added another version of the fix. I guess if this has been opened for
> > so long, maybe nobody really cares about this crash, but it's not too much
> > effort to fix it. The smaller patch ought to land, whichever that is.
> 
> I definitely care about fixing this. Can you upload your patch from the
> other bug here?

The other fix has landed already (https://trac.webkit.org/changeset/207684)