| Field | Value |
|---|---|
| Summary | octal and binary parsing is wrong for some programs |
| Product | WebKit |
| Component | JavaScriptCore |
| Reporter | Saam Barati <saam> |
| Assignee | Michael Saboff <msaboff> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Keywords | InRadar |
| CC | benjamin, fpizlo, ggaren, gskachkov, keith_miller, mark.lam, msaboff, oliver, sukolsak, webkit-bug-importer, ysuzuki |
| Version | WebKit Local Build |
| Hardware | Unspecified |
| OS | Unspecified |
Description
Saam Barati
2016-06-06 15:28:26 PDT
I don't get this crash with a debug build of ToT (r201731):

```
$ DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc
>>> eval("0o19")
Exception: SyntaxError: Unexpected number '9'. Parse error.
```

It would appear that this is somehow machine dependent. What joy :)

Turns out that the issue is reading uninitialized memory. Thus the machine dependent failure. Bad binary literals have the same issue. Patch in the works.

Created attachment 280656 [details]: Patch
Comment on attachment 280656 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=280656&action=review

> Source/JavaScriptCore/ChangeLog:9
> + When there is an error parsing an binary or octal literal, we need to clear the returnValue
> + of any residual value.

Why?

(In reply to comment #6)
> Comment on attachment 280656 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=280656&action=review
>
> > Source/JavaScriptCore/ChangeLog:9
> > + When there is an error parsing an binary or octal literal, we need to clear the returnValue
> > + of any residual value.
>
> Why?

Because returnValue's value is used to determine INTEGER or DOUBLE token type. If the value is a double and an impure NaN we get the crash. The syntax checking is based on having leftover characters and is done after the returnValue has been processed. I'll add some of that detail to the ChangeLog.

Committed r201737: <http://trac.webkit.org/changeset/201737>
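The mechanism described above, as an added illustration that is not JavaScriptCore's code: a modelled lexer whose octal/binary digit parser either leaves the caller's `returnValue` untouched on a syntax error (the residual-value behaviour in the report) or clears it (the fix). The names `parseRadixDigits`, `lexRadixLiteral`, `LexResult` and the `staleValue` parameter are inventions of this example; `staleValue` stands in for the uninitialised stack slot, and the NaN used in the failing case stands in for the impure NaN that crashed.

```cpp
#include <cctype>
#include <climits>
#include <cmath>
#include <string>

// Modelled lexer pieces (not JavaScriptCore's own code) for "0o..." / "0b..." literals.
enum class NumToken { Integer, Double };
struct LexResult { bool ok; NumToken kind; double value; };

// Parses the digits after the two-character prefix. Returns false on a syntax error:
// no digits at all, or a leftover identifier character such as the '9' in 0o19.
// With clearOnError == false the error paths leave returnValue as they found it,
// which is the residual-value behaviour the bug describes; true models the fix.
static bool parseRadixDigits(const std::string& src, size_t pos, int radix,
                             double& returnValue, bool clearOnError)
{
    double value = 0;
    const size_t start = pos;
    while (pos < src.size() && src[pos] >= '0' && src[pos] < '0' + radix) {
        value = value * radix + (src[pos] - '0');
        ++pos;
    }
    // The leftover-character check happens after the digits have been consumed.
    const bool trailingJunk = pos < src.size() && std::isalnum(static_cast<unsigned char>(src[pos]));
    if (pos == start || trailingJunk) {
        if (clearOnError)
            returnValue = 0; // the fix: never hand a residual value back to the caller
        return false;
    }
    returnValue = value;
    return true;
}

// Caller side. A real lexer keeps returnValue as an uninitialised stack double;
// staleValue stands in for whatever happened to be there (a NaN in the crashing case).
// The token kind is derived from returnValue whether or not parsing succeeded, which is
// what let the stale value reach the DOUBLE token path.
static LexResult lexRadixLiteral(const std::string& literal, double staleValue, bool clearOnError)
{
    // Assumes a "0o"/"0O" or "0b"/"0B" prefix; anything that is not octal is treated as binary.
    const int radix = (literal.size() > 1 && (literal[1] == 'o' || literal[1] == 'O')) ? 8 : 2;
    double returnValue = staleValue;
    const bool ok = parseRadixDigits(literal, 2, radix, returnValue, clearOnError);
    const bool fitsInt32 = std::isfinite(returnValue) && returnValue == std::trunc(returnValue)
        && returnValue >= INT_MIN && returnValue <= INT_MAX;
    return { ok, fitsInt32 ? NumToken::Integer : NumToken::Double, returnValue };
}
```

With the buggy flag the malformed `0o19` reports an error yet still carries the stale NaN as a DOUBLE-kind value; with the fix the same input reports the error with a cleared value.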