Bug 147538

Summary:

JavascriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool)

Product:

WebKit

Reporter:

Puzzor <puzzorsj>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

buildbot, commit-queue, rniwa, ysuzuki

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
./jsc a.js	none
Patch	none
Archive of layout-test-results from ews100 for mac-mavericks	none
Archive of layout-test-results from ews106 for mac-mavericks-wk2	none
Patch	none

Description Puzzor 2015-08-02 01:08:02 PDT

Created attachment 258030 [details]
./jsc a.js

When you put "V={=>" in JavaScriptCore, it will crash.

#0  0x00007ffff79eaaab in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007ffff79e5ca6 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007ffff79a9092 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) [clone .part.592] () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#3  0x00007ffff79aa6d7 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) [clone .part.592] () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#4  0x00007ffff79ebb82 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#5  0x00007ffff79ef6ad in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionOrLabelStatement<JSC::ASTBuilder>(JSC::ASTBuilder&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#6  0x00007ffff79eed9b in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#7  0x00007ffff79efcf0 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#8  0x00007ffff79effd6 in JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#9  0x00007ffff79f1037 in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner(JSC::Identifier const&, JSC::FunctionParseMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#10 0x00007ffff767f801 in std::unique_ptr<JSC::ProgramNode, std::default_delete<JSC::ProgramNode> > JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&, JSC::Identifier const&, JSC::FunctionParseMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#11 0x00007ffff7680194 in std::unique_ptr<JSC::ProgramNode, std::default_delete<JSC::ProgramNode> > JSC::parse<JSC::ProgramNode>(JSC::VM*, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserCodeType, JSC::ParserError&, JSC::JSTextPosition*, JSC::FunctionParseMode, JSC::ConstructorKind, JSC::ThisTDZMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#12 0x00007ffff7a79b28 in JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::ThisTDZMode, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&, JSC::VariableEnvironment const*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#13 0x00007ffff7a770f5 in JSC::CodeCache::getProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#14 0x00007ffff7af5d49 in JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#15 0x00007ffff7abb9e6 in JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#16 0x00007ffff790f0ad in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#17 0x00007ffff7a90d5a in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#18 0x000000000040d9f6 in jscmain(int, char**) ()
#19 0x0000000000407848 in main ()
#20 0x00007ffff6bb9ec5 in __libc_start_main (main=0x4077d0 <main>, argc=0x2, argv=0x7fffffffe5d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5c8) at libc-start.c:287
#21 0x00000000004078a3 in _start ()

In template <class TreeBuilder> TreeProperty Parser<LexerType>::parseProperty(TreeBuilder& context, bool complete), ident may be a invalid ptr and the reference to it may be wrong.

Comment 1 Alexey Proskuryakov 2015-08-02 14:11:14 PDT

Crashes on Mac, too (unsurprisingly).

Comment 2 Yusuke Suzuki 2015-08-03 10:22:33 PDT

Created attachment 258072 [details]
Patch

Comment 3 WebKit Commit Bot 2015-08-03 10:26:08 PDT

Attachment 258072 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/parser/ParserTokens.h:119:  enum members should use InterCaps with an initial capital letter.  [readability/enum_casing] [4]
Total errors found: 1 in 3 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 4 Build Bot 2015-08-03 10:56:52 PDT

Comment on attachment 258072 [details]
Patch

Attachment 258072 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/11794

New failing tests:
js/arrowfunction-syntax-errors.html

Comment 5 Build Bot 2015-08-03 10:56:54 PDT

Created attachment 258077 [details]
Archive of layout-test-results from ews100 for mac-mavericks

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100  Port: mac-mavericks  Platform: Mac OS X 10.9.5

Comment 6 Build Bot 2015-08-03 11:01:24 PDT

Comment on attachment 258072 [details]
Patch

Attachment 258072 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/11798

New failing tests:
js/arrowfunction-syntax-errors.html

Comment 7 Build Bot 2015-08-03 11:01:28 PDT

Created attachment 258079 [details]
Archive of layout-test-results from ews106 for mac-mavericks-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-mavericks-wk2  Platform: Mac OS X 10.9.5

Comment 8 Yusuke Suzuki 2015-08-03 11:25:39 PDT

Created attachment 258087 [details]
Patch

Comment 9 Yusuke Suzuki 2015-08-03 11:26:09 PDT

Fixed the test expectation file.

Comment 10 WebKit Commit Bot 2015-08-03 11:27:05 PDT

Attachment 258087 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/parser/ParserTokens.h:119:  enum members should use InterCaps with an initial capital letter.  [readability/enum_casing] [4]
Total errors found: 1 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 11 Geoffrey Garen 2015-08-03 13:21:15 PDT

Comment on attachment 258087 [details]
Patch

r=me

Comment 12 Yusuke Suzuki 2015-08-03 13:36:44 PDT

Comment on attachment 258087 [details]
Patch

Thanks!

Comment 13 WebKit Commit Bot 2015-08-03 14:26:18 PDT

Comment on attachment 258087 [details]
Patch

Clearing flags on attachment: 258087

Committed r187763: <http://trac.webkit.org/changeset/187763>

Comment 14 WebKit Commit Bot 2015-08-03 14:26:22 PDT

All reviewed patches have been landed.  Closing bug.