Bug 130538

Summary: Strict mode destructuring assignment crashes the parser.
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED
Severity: Normal
CC: mark.lam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Description    Flags
Patch          none
Patch          msaboff: review+

Mark Lam
Reported 2014-03-20 14:30:27 PDT
Here's the test case:

"use strict"; (function(){ ({a: NaN} = null) });

Run that in jsc and you'll get a crash with the following back trace:

(lldb) bt
* thread #1: tid = 0x4ddaef, 0x000000010006d50c JavaScriptCore`WTF::RefPtr<WTF::StringImpl>::get(this=0x0000000000000000) const + 12 at RefPtr.h:57, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010006d50c JavaScriptCore`WTF::RefPtr<WTF::StringImpl>::get(this=0x0000000000000000) const + 12 at RefPtr.h:57
    frame #1: 0x000000010006d4f5 JavaScriptCore`WTF::String::impl(this=0x0000000000000000) const + 21 at WTFString.h:150
    frame #2: 0x00000001000e2699 JavaScriptCore`JSC::Identifier::equal(a=0x0000000000000000, b=0x0000000103001b98) + 25 at Identifier.h:106
    frame #3: 0x00000001000b21ad JavaScriptCore`JSC::operator==(a=0x0000000000000000, b=0x0000000103001b98) + 29 at Identifier.h:200
    frame #4: 0x000000010067e751 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 1697 at Parser.cpp:2262
    frame #5: 0x000000010067dcec JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 140 at Parser.cpp:1683
    frame #6: 0x000000010067d8a9 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 57 at Parser.h:1643
    frame #7: 0x000000010067d055 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 469 at Parser.h:1576
    frame #8: 0x000000010067cb52 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 178 at Parser.h:1539
    frame #9: 0x000000010067c8ce JavaScriptCore`JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 78 at Parser.h:1444
    frame #10: 0x000000010067478f JavaScriptCore`JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8, directive=0x00007fff5fbfbc30, directiveLiteralLength=0x00007fff5fbfbc2c) + 1183 at Parser.cpp:1178
    frame #11: 0x0000000100673eeb JavaScriptCore`JSC::SyntaxChecker::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8, mode=CheckForStrictMode) + 107 at Parser.h:336
    frame #12: 0x0000000100673926 JavaScriptCore`JSC::ASTBuilder::FunctionBody JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionBody<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 390 at Parser.cpp:1214
    frame #13: 0x000000010066c2fa JavaScriptCore`bool JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionInfo<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8, requirements=FunctionNoRequirements, mode=FunctionMode, nameIsInContainingScope=false, name=0x00007fff5fbfc578, parameters=0x00007fff5fbfc570, body=0x00007fff5fbfc568, openBraceOffset=0x00007fff5fbfc564, closeBraceOffset=0x00007fff5fbfc560, bodyStartLine=0x00007fff5fbfc55c, bodyStartColumn=0x00007fff5fbfc558) + 4922 at Parser.h:1304
    frame #14: 0x0000000100669eed JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 477 at Parser.cpp:2124
    frame #15: 0x0000000100668e74 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 1060 at Parser.h:2251
    frame #16: 0x000000010066819a JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 186 at Parser.cpp:1683
    frame #17: 0x00000001006678b9 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 57 at Parser.h:1643
    frame #18: 0x0000000100666d78 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 616 at Parser.h:1576
    frame #19: 0x00000001006665b4 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 180 at Parser.h:1539
    frame #20: 0x000000010066d459 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parsePrimaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 649 at Parser.cpp:1986
    frame #21: 0x000000010066a02b JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 795 at Parser.h:2127
    frame #22: 0x0000000100668e74 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 1060 at Parser.h:2251
    frame #23: 0x000000010066819a JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 186 at Parser.cpp:1683
    frame #24: 0x00000001006678b9 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 57 at Parser.h:1643
    frame #25: 0x0000000100666d78 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 616 at Parser.h:1576
    frame #26: 0x00000001006665b4 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 180 at Parser.h:1539
    frame #27: 0x000000010066632e JavaScriptCore`JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 78 at Parser.h:1444
    frame #28: 0x000000010065d7e6 JavaScriptCore`JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8, directive=0x00007fff5fbfd6f8, directiveLiteralLength=0x00007fff5fbfd6f4) + 1206 at Parser.cpp:1178
    frame #29: 0x0000000100607edc JavaScriptCore`JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8, mode=CheckForStrictMode) + 108 at Parser.cpp:336
    frame #30: 0x0000000100607943 JavaScriptCore`JSC::Parser<JSC::Lexer<unsigned char> >::parseInner(this=0x00007fff5fbfec58) + 227 at Parser.cpp:267
    frame #31: 0x000000010009b93b JavaScriptCore`WTF::PassRefPtr<JSC::ProgramNode> JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(this=0x00007fff5fbfec58, error=0x00007fff5fbff988) + 283 at Parser.h:894
    frame #32: 0x000000010009a621 JavaScriptCore`WTF::PassRefPtr<JSC::ProgramNode> JSC::parse<JSC::ProgramNode>(vm=0x0000000102007800, source=0x00007fff5fbff8d8, parameters=0x0000000000000000, name=0x00007fff5fbff748, strictness=JSParseNormal, parserMode=JSParseProgramCode, error=0x00007fff5fbff988, positionBeforeLastNewline=0x0000000000000000) + 305 at Parser.h:964
    frame #33: 0x000000010014d06b JavaScriptCore`JSC::checkSyntax(vm=0x0000000102007800, source=0x00007fff5fbff8d8, error=0x00007fff5fbff988) + 219 at Completion.cpp:58
    frame #34: 0x0000000100002668 jsc`runInteractive(globalObject=0x0000000101cff970) + 648 at SourceCode.h:118
    frame #35: 0x00000001000017f3 jsc`jscmain(argc=1, argv=0x00007fff5fbffb58) + 403 at jsc.cpp:1132
    frame #36: 0x00000001000015a1 jsc`main(argc=1, argv=0x00007fff5fbffb58) + 177 at jsc.cpp:871
    frame #37: 0x00007fff854185fd libdyld.dylib`start + 1
    frame #38: 0x00007fff854185fd libdyld.dylib`start + 1
Attachments
Patch (4.95 KB, patch)
2014-03-20 17:33 PDT, Oliver Hunt
no flags
Patch (16.67 KB, patch)
2014-03-24 18:01 PDT, Oliver Hunt
msaboff: review+
Mark Lam
Comment 1 2014-03-20 14:35:58 PDT
Radar WebKit Bug Importer
Comment 2 2014-03-20 14:36:47 PDT
Oliver Hunt
Comment 3 2014-03-20 17:33:46 PDT
Mark Lam
Comment 4 2014-03-20 18:13:44 PDT
Comment on attachment 227357: Patch
r=me with additional test cases for "eval" and "arguments" in destructuring assignments as we discussed offline.
Geoffrey Garen
Comment 5 2014-03-20 18:14:52 PDT
Comment on attachment 227357: Patch
Can you add a test for the "Cannot deconstruct to" case?
Oliver Hunt
Comment 6 2014-03-24 18:01:21 PDT
Michael Saboff
Comment 7 2014-03-24 18:22:03 PDT
Comment on attachment 227712: Patch
r=me
Oliver Hunt
Comment 8 2014-03-24 18:54:33 PDT