Bug 228982

Summary: WTFCrash in JSC::Lexer<char16_t>::append8
Product: WebKit Reporter: cathiechen <cathiechen>
Component: JavaScriptCore Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, simon.fraser, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (flags: none)

Description cathiechen 2021-08-10 20:27:14 PDT
Open https://www.drupal.org/project/eu_cookie_compliance/issues/3195373 in a Debug build.

Crash info:

ASSERTION FAILED: isLatin1(c)
./parser/Lexer.cpp(873) : void JSC::Lexer<char16_t>::append8(const T *, size_t) [T = char16_t]
1   0x7d55a70b9 WTFCrash
2   0x7d6fa779b WTFCrashWithInfo(int, char const*, char const*, int)
3   0x7d6dfd096 JSC::Lexer<char16_t>::append8(char16_t const*, unsigned long)
4   0x7d6dfe122 JSC::Lexer<char16_t>::parseCommentDirectiveValue()
5   0x7d6dfae4c JSC::Lexer<char16_t>::parseCommentDirective()
6   0x7d6df7bea JSC::Lexer<char16_t>::lexWithoutClearingLineTerminator(JSC::JSToken*, WTF::OptionSet<JSC::LexerFlags>, bool)
7   0x7d6df5500 JSC::Lexer<char16_t>::lex(JSC::JSToken*, WTF::OptionSet<JSC::LexerFlags>, bool)
8   0x7d6e196c8 JSC::Parser<JSC::Lexer<char16_t> >::next(WTF::OptionSet<JSC::LexerFlags>)
9   0x7d6e193a8 JSC::Parser<JSC::Lexer<char16_t> >::Parser(JSC::VM&, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ConstructorKind, JSC::DerivedContextType, bool, JSC::EvalContextType, JSC::DebuggerParseData*, bool)
10  0x7d6e197ef JSC::Parser<JSC::Lexer<char16_t> >::Parser(JSC::VM&, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ConstructorKind, JSC::DerivedContextType, bool, JSC::EvalContextType, JSC::DebuggerParseData*, bool)
11  0x7d5db9a44 std::__1::unique_ptr<JSC::ProgramNode, std::__1::default_delete<JSC::ProgramNode> > JSC::parse<JSC::ProgramNode>(JSC::VM&, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ParserError&, JSC::JSTextPosition*, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, JSC::DebuggerParseData*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, WTF::FixedVector<JSC::JSTextPosition> const*, bool)
12  0x7d706c72e JSC::UnlinkedProgramCodeBlock* JSC::generateUnlinkedCodeBlockImpl<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::EvalContextType, JSC::DerivedContextType, bool, WTF::HashSet<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, WTF::HashTableTraits> const*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, JSC::ProgramExecutable*)
13  0x7d706be11 JSC::UnlinkedProgramCodeBlock* JSC::generateUnlinkedCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::EvalContextType, WTF::HashSet<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, WTF::HashTableTraits> const*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> >, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl> > >, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*)
14  0x7d7015ce9 JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getUnlinkedGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::EvalContextType)
15  0x7d7015869 JSC::CodeCache::getUnlinkedProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&)
16  0x7d73dc8bf JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSScope*)
17  0x7d6c0efba JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
18  0x7d7088a07 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
19  0x7d7088b5a JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
20  0x7b5d631fc WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
21  0x7b5d62dde WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
22  0x7b5d62c09 WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
23  0x7b5d634e5 WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)
24  0x7b65c122a WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
25  0x7b65bf3db WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)
26  0x7b65be93e WebCore::ScriptElement::didFinishInsertingNode()
27  0x7b6a1206e WebCore::HTMLScriptElement::didFinishInsertingNode()
28  0x7b6334a40 void WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4>(WebCore::ContainerNode&, WebCore::Node&, WebCore::ContainerNode::ChildChange::Source, WebCore::ReplacedAllChildren, WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4)
29  0x7b63317d5 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)
30  0x7b63346eb WebCore::ContainerNode::appendChild(WebCore::Node&)
31  0x7b6549c9c WebCore::Node::appendChild(WebCore::Node&)
2021-08-11 11:20:57.622 MiniBrowser[14413:3527807] WebContent process crashed; reloading
Comment 1 Yusuke Suzuki 2021-08-10 22:19:41 PDT
Created attachment 435323 [details]
Patch
Comment 2 Mark Lam 2021-08-10 23:40:59 PDT
Comment on attachment 435323 [details]
Patch

r=me
Comment 3 Yusuke Suzuki 2021-08-11 00:00:10 PDT
Comment on attachment 435323 [details]
Patch

Thanks!
Comment 4 EWS 2021-08-11 00:39:36 PDT
Committed r280886 (240423@main): <https://commits.webkit.org/240423@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 435323 [details].
Comment 5 Radar WebKit Bug Importer 2021-08-11 00:40:57 PDT
<rdar://problem/81781139>