Bug 225094

Summary: Don't pass DontBuildStrings to next token after parsing an empty parameter list
Product: WebKit Reporter: zhunkibatu
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: ashvayka, ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=245657
Attachments:
Description Flags
the minimal poc
none
Patch none

zhunkibatu
Reported 2021-04-27 01:39:16 PDT
Created attachment 427128 [details] the minimal poc the following poc can crash latest jsc. function main() { class a { g = [].toString() 'a'() { } } function gen() { let it = a(); } let g = gen(); } main();
Attachments
the minimal poc (183 bytes, text/javascript)
2021-04-27 01:39 PDT, zhunkibatu 		no flags
Details
Patch (2.60 KB, patch)
2021-10-05 15:44 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2021-04-27 14:52:15 PDT
I reproduce the crash with just the first four lines of the test: function main() { class a { g = [].toString() 'a'() Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x00000001b7a51f00 JSC::SyntaxChecker::ClassExpression JSC::Parser<JSC::Lexer<unsigned char> >::parseClass<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::FunctionNameRequirements, JSC::ParserClassInfo<JSC::SyntaxChecker>&) + 3208 1 com.apple.JavaScriptCore 0x00000001b7a51c94 JSC::SyntaxChecker::ClassExpression JSC::Parser<JSC::Lexer<unsigned char> >::parseClass<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::FunctionNameRequirements, JSC::ParserClassInfo<JSC::SyntaxChecker>&) + 2588 2 com.apple.JavaScriptCore 0x00000001b7a4e778 JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseClassDeclaration<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType, JSC::DeclarationDefaultContext) + 248 3 com.apple.JavaScriptCore 0x00000001b7a4d5a8 JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::Identifier const*&, unsigned int*) + 752 4 com.apple.JavaScriptCore 0x00000001b7a4ce7c JSC::SyntaxChecker::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::SourceElementsMode) + 148 5 com.apple.JavaScriptCore 0x00000001b7a408f4 bool JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionInfo<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::FunctionNameRequirements, JSC::SourceParseMode, bool, JSC::ConstructorKind, JSC::SuperBinding, int, JSC::ParserFunctionInfo<JSC::ASTBuilder>&, JSC::Parser<JSC::Lexer<unsigned char> >::FunctionDefinitionType, WTF::Optional<int>) + 6040 6 com.apple.JavaScriptCore 0x00000001b7a6ea5c JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionDeclaration<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Parser<JSC::Lexer<unsigned char> >::FunctionDeclarationType, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType, JSC::DeclarationDefaultContext, WTF::Optional<int>) + 460 7 com.apple.JavaScriptCore 0x00000001b7a6dcd4 JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) + 788 8 com.apple.JavaScriptCore 0x00000001b7a229d0 JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode) + 204 9 com.apple.JavaScriptCore 0x00000001b7a1d5c4 JSC::Parser<JSC::Lexer<unsigned char> >::parseInner(JSC::Identifier const&, JSC::SourceParseMode, JSC::ParsingContext, WTF::Optional<int>, WTF::Vector<JSC::JSTextPosition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*) + 1008 10 com.apple.JavaScriptCore 0x00000001b738fc7c std::__1::unique_ptr<JSC::ProgramNode, std::__1::default_delete<JSC::ProgramNode> > JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&, JSC::Identifier const&, JSC::SourceParseMode, JSC::ParsingContext, WTF::Optional<int>, JSC::VariableEnvironment const*, WTF::Vector<JSC::JSTextPosition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*) + 140 11 com.apple.JavaScriptCore 0x00000001b7b47c80 std::__1::unique_ptr<JSC::ProgramNode, std::__1::default_delete<JSC::ProgramNode> > JSC::parse<JSC::ProgramNode>(JSC::VM&, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ParserError&, JSC::JSTextPosition*, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, JSC::DebuggerParseData*, JSC::VariableEnvironment const*, WTF::Vector<JSC::JSTextPosition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*, bool) + 304 12 com.apple.JavaScriptCore 0x00000001b7b41a94 JSC::checkSyntax(JSC::VM&, JSC::SourceCode const&, JSC::ParserError&) + 156
Radar WebKit Bug Importer
Comment 2 2021-04-27 14:52:32 PDT
<rdar://problem/77231778>
Saam Barati
Comment 3 2021-10-05 15:44:36 PDT
Created attachment 440283 [details] Patch
Yusuke Suzuki
Comment 4 2021-10-05 16:00:00 PDT
Comment on attachment 440283 [details] Patch r=me
EWS
Comment 5 2021-10-05 22:20:14 PDT
Committed r283600 (242552@main): <https://commits.webkit.org/242552@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 440283 [details].
Note You need to log in before you can comment on or make changes to this bug.