Bug 228982

Summary:

WTFCrash in JSC::Lexer<char16_t>::append8

Product:

WebKit

Reporter:

cathiechen <cathiechen>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, keith_miller, mark.lam, msaboff, saam, simon.fraser, tzagallo, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none

cathiechen

Reported 2021-08-10 20:27:14 PDT

Open https://www.drupal.org/project/eu_cookie_compliance/issues/3195373 in Debug build. Crash info: ASSERTION FAILED: isLatin1(c) ./parser/Lexer.cpp(873) : void JSC::Lexer<char16_t>::append8(const T *, size_t) [T = char16_t] 1 0x7d55a70b9 WTFCrash 2 0x7d6fa779b WTFCrashWithInfo(int, char const*, char const*, int) 3 0x7d6dfd096 JSC::Lexer<char16_t>::append8(char16_t const*, unsigned long) 4 0x7d6dfe122 JSC::Lexer<char16_t>::parseCommentDirectiveValue() 5 0x7d6dfae4c JSC::Lexer<char16_t>::parseCommentDirective() 6 0x7d6df7bea JSC::Lexer<char16_t>::lexWithoutClearingLineTerminator(JSC::JSToken*, WTF::OptionSet<JSC::LexerFlags>, bool) 7 0x7d6df5500 JSC::Lexer<char16_t>::lex(JSC::JSToken*, WTF::OptionSet<JSC::LexerFlags>, bool) 8 0x7d6e196c8 JSC::Parser<JSC::Lexer<char16_t> >::next(WTF::OptionSet<JSC::LexerFlags>) 9 0x7d6e193a8 JSC::Parser<JSC::Lexer<char16_t> >::Parser(JSC::VM&, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ConstructorKind, JSC::DerivedContextType, bool, JSC::EvalContextType, JSC::DebuggerParseData*, bool) 10 0x7d6e197ef JSC::Parser<JSC::Lexer<char16_t> >::Parser(JSC::VM&, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ConstructorKind, JSC::DerivedContextType, bool, JSC::EvalContextType, JSC::DebuggerParseData*, bool) 11 0x7d5db9a44 std::__1::unique_ptr<JSC::ProgramNode, std::__1::default_delete<JSC::ProgramNode> > JSC::parse<JSC::ProgramNode>(JSC::VM&, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ParserError&, JSC::JSTextPosition*, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, JSC::DebuggerParseData*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, WTF::FixedVector<JSC::JSTextPosition> const*, bool) 12 0x7d706c72e JSC::UnlinkedProgramCodeBlock* JSC::generateUnlinkedCodeBlockImpl<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::EvalContextType, JSC::DerivedContextType, bool, WTF::HashSet<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, WTF::HashTableTraits> const*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, JSC::ProgramExecutable*) 13 0x7d706be11 JSC::UnlinkedProgramCodeBlock* JSC::generateUnlinkedCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::EvalContextType, WTF::HashSet<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, WTF::HashTableTraits> const*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*) 14 0x7d7015ce9 JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getUnlinkedGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::EvalContextType) 15 0x7d7015869 JSC::CodeCache::getUnlinkedProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&) 16 0x7d73dc8bf JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSScope*) 17 0x7d6c0efba JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 18 0x7d7088a07 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 19 0x7d7088b5a JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 20 0x7b5d631fc WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 21 0x7b5d62dde WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) 22 0x7b5d62c09 WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) 23 0x7b5d634e5 WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&) 24 0x7b65c122a WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) 25 0x7b65bf3db WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) 26 0x7b65be93e WebCore::ScriptElement::didFinishInsertingNode() 27 0x7b6a1206e WebCore::HTMLScriptElement::didFinishInsertingNode() 28 0x7b6334a40 void WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4>(WebCore::ContainerNode&, WebCore::Node&, WebCore::ContainerNode::ChildChange::Source, WebCore::ReplacedAllChildren, WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4) 29 0x7b63317d5 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) 30 0x7b63346eb WebCore::ContainerNode::appendChild(WebCore::Node&) 31 0x7b6549c9c WebCore::Node::appendChild(WebCore::Node&) 2021-08-11 11:20:57.622 MiniBrowser[14413:3527807] WebContent process crashed; reloading

Attachments
Patch (3.36 KB, patch) 2021-08-10 22:19 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Yusuke Suzuki

Comment 1 2021-08-10 22:19:41 PDT

Created attachment 435323 [details] Patch

Mark Lam

Comment 2 2021-08-10 23:40:59 PDT

Comment on attachment 435323 [details] Patch r=me

Yusuke Suzuki

Comment 3 2021-08-11 00:00:10 PDT

Comment on attachment 435323 [details] Patch Thanks!

EWS

Comment 4 2021-08-11 00:39:36 PDT

Committed r280886 (240423@main): <https://commits.webkit.org/240423@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 435323 [details].

Radar WebKit Bug Importer

Comment 5 2021-08-11 00:40:57 PDT

<rdar://problem/81781139>

Note You need to log in before you can comment on or make changes to this bug.