Bug 245066

Summary:	Crash in /WebKit/Source/JavaScriptCore/parser/Parser.cpp(3012)
Product:	WebKit	Reporter:	xiangwei1895
Component:	JavaScriptCore	Assignee:	Yusuke Suzuki <ysuzuki>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	bfulgham, webkit-bug-importer, zhunkibatu
Priority:	P2	Keywords:	InRadar
Version:	WebKit Local Build
Hardware:	PC
OS:	Linux

xiangwei1895

Reported 2022-09-12 03:16:00 PDT

JSC crashes when executing the following code： function main(){ class a{ g = [] 'a'(){} } } ASSERTION FAILED: ident /data/WebKit/Source/JavaScriptCore/parser/Parser.cpp(3012) : typename TreeBuilder::ClassExpression JSC::Parser<JSC::Lexer<LChar> >::parseClass(TreeBuilder &, JSC::FunctionNameRequirements, ParserClassInfo<TreeBuilder> &) [LexerType = JSC::Lexer<LChar>, TreeBuilder = JSC::SyntaxChecker]

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2022-09-12 03:16:11 PDT

<rdar://problem/99815328>

Yusuke Suzuki

Comment 2 2022-10-05 19:47:20 PDT

Pull request: https://github.com/WebKit/WebKit/pull/5065

Yusuke Suzuki

Comment 3 2022-10-05 19:48:27 PDT

Making it non security since it is always a nullptr crash.

EWS

Comment 4 2022-10-06 02:21:43 PDT

Committed 255212@main (89c0d4c38e9a): <https://commits.webkit.org/255212@main> Reviewed commits have been landed. Closing PR #5065 and removing active labels.

Yusuke Suzuki

Comment 5 2023-01-26 14:22:52 PST

*** Bug 245657 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.