Bug 124886

Summary: Crash in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: JavaScriptCore
Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED
Severity: Normal
CC: kling, mark.lam, noam, oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments:
  Test case (Flags: none)
  Patch (Flags: sam: review+)

Description Renata Hodovan 2013-11-26 04:14:53 PST
Created attachment 217872 [details]
Test case

The following short expression makes release WebKit crash and causes an assertion failure in the debug version:

1 % +;

====================================

Release backtrace:

1   0x684a5d
2   0x6875f4
3   0x689030
4   0x68b036
5   0x68f43f
6   0x6e7655
7   0x6eaaf0
8   0x452a37
9   0x43ed98
10  0x5bddc0
11  0x43609e
12  0x40c599 jscmain(int, char**)
13  0x40651b main
14  0x7ffff5aef76d __libc_start_main
15  0x406591

Program received signal SIGSEGV, Segmentation fault.
0x0000000000821e49 in WTFCrash ()
(gdb) bt
#0  0x0000000000821e49 in WTFCrash ()
#1  0x0000000000684a5d in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
    ()
#2  0x00000000006875f4 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) ()
#3  0x0000000000689030 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::ASTBuilder>(JSC::ASTBuilder&) ()
#4  0x000000000068b036 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) ()
#5  0x000000000068f43f in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner() ()
#6  0x00000000006e7655 in WTF::PassRefPtr<JSC::ProgramNode> JSC::parse<JSC::ProgramNode>(JSC::VM*, JSC::SourceCode const&, JSC::FunctionParameters*, JSC::Identifier const&, JSC::JSParserStrictness, JSC::JSParserMode, JSC::ParserError&, JSC::JSTextPosition*) [clone .constprop.127] ()
#7  0x00000000006eaaf0 in JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&) ()
#8  0x0000000000452a37 in JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**) ()
#9  0x000000000043ed98 in JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*) ()
#10 0x00000000005bddc0 in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) ()
#11 0x000000000043609e in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) ()
#12 0x000000000040c599 in jscmain(int, char**) ()
#13 0x000000000040651b in main ()


====================================

Debug backtrace:

SHOULD NEVER BE REACHED
/home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp(2163) : const char* JSC::operatorString(bool, unsigned int)
1   0x7ffff7508504 WTFCrash
2   0x7ffff73088a3
3   0x7ffff734f45d JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
4   0x7ffff734b96b JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
5   0x7ffff734399d JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
6   0x7ffff7339887 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
7   0x7ffff732e679 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
8   0x7ffff73259fd JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::ASTBuilder>(JSC::ASTBuilder&)
9   0x7ffff731dfb9 JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*)
10  0x7ffff731b450 JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<(JSC::SourceElementsMode)0, JSC::ASTBuilder>(JSC::ASTBuilder&)
11  0x7ffff7315019 JSC::Parser<JSC::Lexer<unsigned char> >::parseInner()
12  0x7ffff702d35f WTF::PassRefPtr<JSC::ProgramNode> JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&)
13  0x7ffff702cf69 WTF::PassRefPtr<JSC::ProgramNode> JSC::parse<JSC::ProgramNode>(JSC::VM*, JSC::SourceCode const&, JSC::FunctionParameters*, JSC::Identifier const&, JSC::JSParserStrictness, JSC::JSParserMode, JSC::ParserError&, JSC::JSTextPosition*)
14  0x7ffff73bc20a JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&)
15  0x7ffff73ba873 JSC::CodeCache::getProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&)
16  0x7ffff7401ebd JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**)
17  0x7ffff73d4065 JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*)
18  0x7ffff72a0386 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
19  0x7ffff73c7324 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
20  0x4163a0
21  0x41716f jscmain(int, char**)
22  0x41618c main
23  0x7ffff5b8d76d __libc_start_main
24  0x414c99

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7508509 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341
341	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff7508509 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341
#1  0x00007ffff73088a3 in JSC::operatorString (prefix=true, tok=39250) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:2163
#2  0x00007ffff734f45d in JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:2208
#3  0x00007ffff734b96b in JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1639
#4  0x00007ffff734399d in JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1599
#5  0x00007ffff7339887 in JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1533
#6  0x00007ffff732e679 in JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1496
#7  0x00007ffff73259fd in JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::ASTBuilder> (this=0x7fffffffadc0, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1401
#8  0x00007ffff731dfb9 in JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder> (this=0x7fffffffadc0, context=..., 
    directive=@0x7fffffffa498: 0x0, directiveLiteralLength=0x7fffffffa4b4) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1135
#9  0x00007ffff731b450 in JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<(JSC::SourceElementsMode)0, JSC::ASTBuilder> (this=0x7fffffffadc0, 
    context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:300
#10 0x00007ffff7315019 in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner (this=0x7fffffffadc0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:247
#11 0x00007ffff702d35f in JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode> (this=0x7fffffffadc0, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:887
#12 0x00007ffff702cf69 in JSC::parse<JSC::ProgramNode> (vm=0x6464e0, source=..., parameters=0x0, name=..., strictness=JSC::JSParseNormal, 
    parserMode=JSC::JSParseProgramCode, error=..., positionBeforeLastNewline=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:957
#13 0x00007ffff73bc20a in JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable> (this=0x657340, vm=..., 
    executable=0x7fffa992fef0, source=..., strictness=JSC::JSParseNormal, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CodeCache.cpp:95
#14 0x00007ffff73ba873 in JSC::CodeCache::getProgramCodeBlock (this=0x657340, vm=..., executable=0x7fffa992fef0, source=..., strictness=JSC::JSParseNormal, 
    debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CodeCache.cpp:129
#15 0x00007ffff7401ebd in JSC::JSGlobalObject::createProgramCodeBlock (this=0x7fffa99ff970, callFrame=0x7fffa99ff9b0, executable=0x7fffa992fef0, 
    exception=0x7fffffffc660) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:731
#16 0x00007ffff73d4065 in JSC::ProgramExecutable::initializeGlobalProperties (this=0x7fffa992fef0, vm=..., callFrame=0x7fffa99ff9b0, scope=0x7fffa99ff970)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:463
#17 0x00007ffff72a0386 in JSC::Interpreter::execute (this=0x6573d0, program=0x7fffa992fef0, callFrame=0x7fffa99ff9b0, thisObj=0x7fffa98cfeb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:850
#18 0x00007ffff73c7324 in JSC::evaluate (exec=0x7fffa99ff9b0, source=..., thisValue=..., returnedException=0x7fffffffdbb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#19 0x00000000004163a0 in runWithScripts (globalObject=0x7fffa99ff970, scripts=..., dump=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:646
#20 0x000000000041716f in jscmain (argc=2, argv=0x7fffffffde58) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:863
#21 0x000000000041618c in main (argc=2, argv=0x7fffffffde58) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:604
Comment 1 Oliver Hunt 2013-11-26 10:13:04 PST
Looking at this.  I've probably created a bogus fall through when adding error messages.
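The debug backtrace above shows operatorString() being reached, on the error path of parseUnaryExpression, with a token it has no case for, and Comment 1 attributes this to a fall through in the error-message code. The following is an added example, not WebKit code and not the committed fix: it models that bug class in a toy parser and adds the exhaustiveness check a regression test would run, namely that the error-path helper can name every token the accepting path admits as a unary operator. The token names, the operator sets and the assumption that unary '+'/'-' are the uncovered cases are all hypothetical.

```cpp
// Added example (not WebKit code): models the failure path this bug exercises.
// parseUnaryExpression accepts a set of prefix tokens, while the error helper
// operatorString(), reached only when the operand fails to parse, names fewer
// and treats the rest as unreachable. Token names are hypothetical, not JSC's.
#include <string>
#include <vector>

enum Token { PLUSPLUS, MINUSMINUS, PLUS, MINUS, EXCLAMATION, TILDE,
             TYPEOF, VOIDTOKEN, DELETETOKEN, NUMBER, PERCENT, SEMICOLON, TOKEN_COUNT };
// Tokens the accepting path treats as a unary prefix operator.
static bool isUnaryOp(Token t) {
    switch (t) {
    case PLUSPLUS: case MINUSMINUS: case PLUS: case MINUS: case EXCLAMATION:
    case TILDE: case TYPEOF: case VOIDTOKEN: case DELETETOKEN: return true;
    default: return false;
    }
}
// Buggy error-path helper (assumed cause): unary '+' and '-' are accepted above
// but have no case here, so "1 % +;" (operand missing after unary '+') reaches
// the default. Returns nullptr where the original asserts and crashes.
static const char* operatorStringBuggy(Token t) {
    switch (t) {
    case PLUSPLUS: return "++";   case MINUSMINUS: return "--";
    case EXCLAMATION: return "!"; case TILDE: return "~";
    case TYPEOF: return "typeof"; case VOIDTOKEN: return "void";
    case DELETETOKEN: return "delete";
    default: return nullptr; // SHOULD NEVER BE REACHED in the real helper
    }
}
// Hardened helper: total over every token isUnaryOp admits.
static const char* operatorStringFixed(Token t) {
    if (t == PLUS) return "+";
    if (t == MINUS) return "-";
    return operatorStringBuggy(t);
}
// Failure path of the unary parser: the operand did not parse, so the message
// names the last prefix operator seen. An empty string stands for the crash.
static std::string unaryOperandError(Token lastOperator, const char* (*fmt)(Token)) {
    const char* name = fmt(lastOperator);
    return name ? std::string("Cannot parse subexpression of ") + name + " operator" : std::string();
}
// Exhaustiveness check for a regression test: every token the accepting path
// admits as unary must be nameable by the error-path helper (empty = safe).
static std::vector<Token> uncoveredUnaryOps(const char* (*fmt)(Token)) {
    std::vector<Token> gaps;
    for (int i = 0; i < TOKEN_COUNT; ++i)
        if (isUnaryOp(Token(i)) && !fmt(Token(i))) gaps.push_back(Token(i));
    return gaps;
}
```

Running uncoveredUnaryOps over the helper at build or test time catches a new prefix operator that was added to the parser but not to the message formatter, which is the mismatch a fuzzer otherwise finds as a crash.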
Comment 2 Oliver Hunt 2013-11-26 12:12:34 PST
Created attachment 217894 [details]
Patch
Comment 3 Sam Weinig 2013-11-26 12:14:20 PST
Comment on attachment 217894 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=217894&action=review

> Source/JavaScriptCore/parser/Parser.cpp:42
> +    propagateError();\
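Review bot: The trailing `\` shows this `propagateError();` is one line of a multi-line macro, but the hunk gives neither the macro name nor the statements around it, so it cannot be confirmed from what is quoted that the early return happens before the operatorString() call that the debug backtrace shows being reached with a non-operator token; please include the full macro body in the review context, and add the attached `1 % +;` test case as a regression test so the error path stays covered.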

We usually put a space before the \.
Comment 4 Oliver Hunt 2013-11-26 12:22:25 PST
Committed r159790: <http://trac.webkit.org/changeset/159790>