Bug 147538

Summary:

JavascriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool)

Product:

WebKit

Reporter:

Puzzor <puzzorsj>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

buildbot, commit-queue, rniwa, ysuzuki

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
./jsc a.js	none
Patch	none
Archive of layout-test-results from ews100 for mac-mavericks	none
Archive of layout-test-results from ews106 for mac-mavericks-wk2	none
Patch	none

Puzzor

Reported 2015-08-02 01:08:02 PDT

Created attachment 258030 [details] ./jsc a.js When you put "V={=>" in JavaScriptCore, it will crash. #0 0x00007ffff79eaaab in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #1 0x00007ffff79e5ca6 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #2 0x00007ffff79a9092 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) [clone .part.592] () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #3 0x00007ffff79aa6d7 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) [clone .part.592] () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #4 0x00007ffff79ebb82 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #5 0x00007ffff79ef6ad in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionOrLabelStatement<JSC::ASTBuilder>(JSC::ASTBuilder&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #6 0x00007ffff79eed9b in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #7 0x00007ffff79efcf0 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #8 0x00007ffff79effd6 in JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #9 0x00007ffff79f1037 in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner(JSC::Identifier const&, JSC::FunctionParseMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #10 0x00007ffff767f801 in std::unique_ptr<JSC::ProgramNode, std::default_delete<JSC::ProgramNode> > JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&, JSC::Identifier const&, JSC::FunctionParseMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #11 0x00007ffff7680194 in std::unique_ptr<JSC::ProgramNode, std::default_delete<JSC::ProgramNode> > JSC::parse<JSC::ProgramNode>(JSC::VM*, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserCodeType, JSC::ParserError&, JSC::JSTextPosition*, JSC::FunctionParseMode, JSC::ConstructorKind, JSC::ThisTDZMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #12 0x00007ffff7a79b28 in JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::ThisTDZMode, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&, JSC::VariableEnvironment const*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #13 0x00007ffff7a770f5 in JSC::CodeCache::getProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #14 0x00007ffff7af5d49 in JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #15 0x00007ffff7abb9e6 in JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #16 0x00007ffff790f0ad in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #17 0x00007ffff7a90d5a in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #18 0x000000000040d9f6 in jscmain(int, char**) () #19 0x0000000000407848 in main () #20 0x00007ffff6bb9ec5 in __libc_start_main (main=0x4077d0 <main>, argc=0x2, argv=0x7fffffffe5d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5c8) at libc-start.c:287 #21 0x00000000004078a3 in _start () In template <class TreeBuilder> TreeProperty Parser<LexerType>::parseProperty(TreeBuilder& context, bool complete), ident may be a invalid ptr and the reference to it may be wrong.

Attachments
./jsc a.js (5 bytes, application/javascript) 2015-08-02 01:08 PDT, Puzzor	no flags	Details
Patch (2.74 KB, patch) 2015-08-03 10:22 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews100 for mac-mavericks (538.57 KB, application/zip) 2015-08-03 10:56 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews106 for mac-mavericks-wk2 (597.78 KB, application/zip) 2015-08-03 11:01 PDT, Build Bot	no flags	Details
Patch (6.27 KB, patch) 2015-08-03 11:25 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2015-08-02 14:11:14 PDT

Crashes on Mac, too (unsurprisingly).

Yusuke Suzuki

Comment 2 2015-08-03 10:22:33 PDT

Created attachment 258072 [details] Patch

WebKit Commit Bot

Comment 3 2015-08-03 10:26:08 PDT

Attachment 258072 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/parser/ParserTokens.h:119: enum members should use InterCaps with an initial capital letter. [readability/enum_casing] [4] Total errors found: 1 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.

Build Bot

Comment 4 2015-08-03 10:56:52 PDT

Comment on attachment 258072 [details] Patch Attachment 258072 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/11794 New failing tests: js/arrowfunction-syntax-errors.html

Build Bot

Comment 5 2015-08-03 10:56:54 PDT

Created attachment 258077 [details] Archive of layout-test-results from ews100 for mac-mavericks The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews100 Port: mac-mavericks Platform: Mac OS X 10.9.5

Build Bot

Comment 6 2015-08-03 11:01:24 PDT

Comment on attachment 258072 [details] Patch Attachment 258072 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/11798 New failing tests: js/arrowfunction-syntax-errors.html

Build Bot

Comment 7 2015-08-03 11:01:28 PDT

Created attachment 258079 [details] Archive of layout-test-results from ews106 for mac-mavericks-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-mavericks-wk2 Platform: Mac OS X 10.9.5

Yusuke Suzuki

Comment 8 2015-08-03 11:25:39 PDT

Created attachment 258087 [details] Patch

Yusuke Suzuki

Comment 9 2015-08-03 11:26:09 PDT

Fixed the test expectation file.

WebKit Commit Bot

Comment 10 2015-08-03 11:27:05 PDT

Attachment 258087 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/parser/ParserTokens.h:119: enum members should use InterCaps with an initial capital letter. [readability/enum_casing] [4] Total errors found: 1 in 5 files If any of these errors are false positives, please file a bug against check-webkit-style.

Geoffrey Garen

Comment 11 2015-08-03 13:21:15 PDT

Comment on attachment 258087 [details] Patch r=me

Yusuke Suzuki

Comment 12 2015-08-03 13:36:44 PDT

Comment on attachment 258087 [details] Patch Thanks!

WebKit Commit Bot

Comment 13 2015-08-03 14:26:18 PDT

Comment on attachment 258087 [details] Patch Clearing flags on attachment: 258087 Committed r187763: <http://trac.webkit.org/changeset/187763>

WebKit Commit Bot

Comment 14 2015-08-03 14:26:22 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.