Bug 225094

Summary: Don't pass DontBuildStrings to next token after parsing an empty parameter list
Product: WebKit Reporter: zhunkibatu
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: ashvayka, ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=245657
Attachments:
Description Flags
the minimal poc
none
Patch none

Description zhunkibatu 2021-04-27 01:39:16 PDT 
Created attachment 427128 [details]
the minimal poc

the following poc can crash latest jsc.

function main() {
    class a {
        g = [].toString()
        'a'()
        {
        }
    }

    function gen()
    {
        let it = a();
    }

    let g = gen();
}

main();
Comment 1 Alexey Proskuryakov 2021-04-27 14:52:15 PDT 
I reproduce the crash with just the first four lines of the test:

function main() {
    class a {
        g = [].toString()
        'a'()


Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000001b7a51f00 JSC::SyntaxChecker::ClassExpression JSC::Parser<JSC::Lexer<unsigned char> >::parseClass<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::FunctionNameRequirements, JSC::ParserClassInfo<JSC::SyntaxChecker>&) + 3208
1   com.apple.JavaScriptCore      	0x00000001b7a51c94 JSC::SyntaxChecker::ClassExpression JSC::Parser<JSC::Lexer<unsigned char> >::parseClass<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::FunctionNameRequirements, JSC::ParserClassInfo<JSC::SyntaxChecker>&) + 2588
2   com.apple.JavaScriptCore      	0x00000001b7a4e778 JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseClassDeclaration<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType, JSC::DeclarationDefaultContext) + 248
3   com.apple.JavaScriptCore      	0x00000001b7a4d5a8 JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::Identifier const*&, unsigned int*) + 752
4   com.apple.JavaScriptCore      	0x00000001b7a4ce7c JSC::SyntaxChecker::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::SourceElementsMode) + 148
5   com.apple.JavaScriptCore      	0x00000001b7a408f4 bool JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionInfo<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::FunctionNameRequirements, JSC::SourceParseMode, bool, JSC::ConstructorKind, JSC::SuperBinding, int, JSC::ParserFunctionInfo<JSC::ASTBuilder>&, JSC::Parser<JSC::Lexer<unsigned char> >::FunctionDefinitionType, WTF::Optional<int>) + 6040
6   com.apple.JavaScriptCore      	0x00000001b7a6ea5c JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionDeclaration<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Parser<JSC::Lexer<unsigned char> >::FunctionDeclarationType, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType, JSC::DeclarationDefaultContext, WTF::Optional<int>) + 460
7   com.apple.JavaScriptCore      	0x00000001b7a6dcd4 JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) + 788
8   com.apple.JavaScriptCore      	0x00000001b7a229d0 JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode) + 204
9   com.apple.JavaScriptCore      	0x00000001b7a1d5c4 JSC::Parser<JSC::Lexer<unsigned char> >::parseInner(JSC::Identifier const&, JSC::SourceParseMode, JSC::ParsingContext, WTF::Optional<int>, WTF::Vector<JSC::JSTextPosition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*) + 1008
10  com.apple.JavaScriptCore      	0x00000001b738fc7c std::__1::unique_ptr<JSC::ProgramNode, std::__1::default_delete<JSC::ProgramNode> > JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&, JSC::Identifier const&, JSC::SourceParseMode, JSC::ParsingContext, WTF::Optional<int>, JSC::VariableEnvironment const*, WTF::Vector<JSC::JSTextPosition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*) + 140
11  com.apple.JavaScriptCore      	0x00000001b7b47c80 std::__1::unique_ptr<JSC::ProgramNode, std::__1::default_delete<JSC::ProgramNode> > JSC::parse<JSC::ProgramNode>(JSC::VM&, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ParserError&, JSC::JSTextPosition*, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, JSC::DebuggerParseData*, JSC::VariableEnvironment const*, WTF::Vector<JSC::JSTextPosition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*, bool) + 304
12  com.apple.JavaScriptCore      	0x00000001b7b41a94 JSC::checkSyntax(JSC::VM&, JSC::SourceCode const&, JSC::ParserError&) + 156
Comment 2 Radar WebKit Bug Importer 2021-04-27 14:52:32 PDT 
<rdar://problem/77231778>
Comment 3 Saam Barati 2021-10-05 15:44:36 PDT 
Created attachment 440283 [details]
Patch
Comment 4 Yusuke Suzuki 2021-10-05 16:00:00 PDT 
Comment on attachment 440283 [details]
Patch

r=me
Comment 5 EWS 2021-10-05 22:20:14 PDT 
Committed r283600 (242552@main): <https://commits.webkit.org/242552@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 440283 [details].