Bug 130538 - Strict mode destructuring assignment crashes the parser.
Summary: Strict mode destructuring assignment crashes the parser.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Oliver Hunt
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2014-03-20 14:30 PDT by Mark Lam
Modified: 2014-03-24 18:54 PDT

See Also:


Attachments
Patch (4.95 KB, patch)
2014-03-20 17:33 PDT, Oliver Hunt
no flags
Patch (16.67 KB, patch)
2014-03-24 18:01 PDT, Oliver Hunt
msaboff: review+

Description Mark Lam 2014-03-20 14:30:27 PDT
Here's the test case:

"use strict";  (function(){ ({a: NaN} = null) });

Run that in jsc and you'll get a crash with the following back trace:

(lldb) bt
* thread #1: tid = 0x4ddaef, 0x000000010006d50c JavaScriptCore`WTF::RefPtr<WTF::StringImpl>::get(this=0x0000000000000000) const + 12 at RefPtr.h:57, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010006d50c JavaScriptCore`WTF::RefPtr<WTF::StringImpl>::get(this=0x0000000000000000) const + 12 at RefPtr.h:57
    frame #1: 0x000000010006d4f5 JavaScriptCore`WTF::String::impl(this=0x0000000000000000) const + 21 at WTFString.h:150
    frame #2: 0x00000001000e2699 JavaScriptCore`JSC::Identifier::equal(a=0x0000000000000000, b=0x0000000103001b98) + 25 at Identifier.h:106
    frame #3: 0x00000001000b21ad JavaScriptCore`JSC::operator==(a=0x0000000000000000, b=0x0000000103001b98) + 29 at Identifier.h:200
    frame #4: 0x000000010067e751 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 1697 at Parser.cpp:2262
    frame #5: 0x000000010067dcec JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 140 at Parser.cpp:1683
    frame #6: 0x000000010067d8a9 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 57 at Parser.h:1643
    frame #7: 0x000000010067d055 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 469 at Parser.h:1576
    frame #8: 0x000000010067cb52 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 178 at Parser.h:1539
    frame #9: 0x000000010067c8ce JavaScriptCore`JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 78 at Parser.h:1444
    frame #10: 0x000000010067478f JavaScriptCore`JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8, directive=0x00007fff5fbfbc30, directiveLiteralLength=0x00007fff5fbfbc2c) + 1183 at Parser.cpp:1178
    frame #11: 0x0000000100673eeb JavaScriptCore`JSC::SyntaxChecker::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8, mode=CheckForStrictMode) + 107 at Parser.h:336
    frame #12: 0x0000000100673926 JavaScriptCore`JSC::ASTBuilder::FunctionBody JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionBody<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 390 at Parser.cpp:1214
    frame #13: 0x000000010066c2fa JavaScriptCore`bool JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionInfo<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8, requirements=FunctionNoRequirements, mode=FunctionMode, nameIsInContainingScope=false, name=0x00007fff5fbfc578, parameters=0x00007fff5fbfc570, body=0x00007fff5fbfc568, openBraceOffset=0x00007fff5fbfc564, closeBraceOffset=0x00007fff5fbfc560, bodyStartLine=0x00007fff5fbfc55c, bodyStartColumn=0x00007fff5fbfc558) + 4922 at Parser.h:1304
    frame #14: 0x0000000100669eed JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 477 at Parser.cpp:2124
    frame #15: 0x0000000100668e74 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 1060 at Parser.h:2251
    frame #16: 0x000000010066819a JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 186 at Parser.cpp:1683
    frame #17: 0x00000001006678b9 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 57 at Parser.h:1643
    frame #18: 0x0000000100666d78 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 616 at Parser.h:1576
    frame #19: 0x00000001006665b4 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 180 at Parser.h:1539
    frame #20: 0x000000010066d459 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parsePrimaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 649 at Parser.cpp:1986
    frame #21: 0x000000010066a02b JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 795 at Parser.h:2127
    frame #22: 0x0000000100668e74 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 1060 at Parser.h:2251
    frame #23: 0x000000010066819a JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 186 at Parser.cpp:1683
    frame #24: 0x00000001006678b9 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 57 at Parser.h:1643
    frame #25: 0x0000000100666d78 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 616 at Parser.h:1576
    frame #26: 0x00000001006665b4 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 180 at Parser.h:1539
    frame #27: 0x000000010066632e JavaScriptCore`JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 78 at Parser.h:1444
    frame #28: 0x000000010065d7e6 JavaScriptCore`JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8, directive=0x00007fff5fbfd6f8, directiveLiteralLength=0x00007fff5fbfd6f4) + 1206 at Parser.cpp:1178
    frame #29: 0x0000000100607edc JavaScriptCore`JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8, mode=CheckForStrictMode) + 108 at Parser.cpp:336
    frame #30: 0x0000000100607943 JavaScriptCore`JSC::Parser<JSC::Lexer<unsigned char> >::parseInner(this=0x00007fff5fbfec58) + 227 at Parser.cpp:267
    frame #31: 0x000000010009b93b JavaScriptCore`WTF::PassRefPtr<JSC::ProgramNode> JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(this=0x00007fff5fbfec58, error=0x00007fff5fbff988) + 283 at Parser.h:894
    frame #32: 0x000000010009a621 JavaScriptCore`WTF::PassRefPtr<JSC::ProgramNode> JSC::parse<JSC::ProgramNode>(vm=0x0000000102007800, source=0x00007fff5fbff8d8, parameters=0x0000000000000000, name=0x00007fff5fbff748, strictness=JSParseNormal, parserMode=JSParseProgramCode, error=0x00007fff5fbff988, positionBeforeLastNewline=0x0000000000000000) + 305 at Parser.h:964
    frame #33: 0x000000010014d06b JavaScriptCore`JSC::checkSyntax(vm=0x0000000102007800, source=0x00007fff5fbff8d8, error=0x00007fff5fbff988) + 219 at Completion.cpp:58
    frame #34: 0x0000000100002668 jsc`runInteractive(globalObject=0x0000000101cff970) + 648 at SourceCode.h:118
    frame #35: 0x00000001000017f3 jsc`jscmain(argc=1, argv=0x00007fff5fbffb58) + 403 at jsc.cpp:1132
    frame #36: 0x00000001000015a1 jsc`main(argc=1, argv=0x00007fff5fbffb58) + 177 at jsc.cpp:871
    frame #37: 0x00007fff854185fd libdyld.dylib`start + 1
    frame #38: 0x00007fff854185fd libdyld.dylib`start + 1
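The backtrace above shows the parser calling JSC::Identifier::equal with a null Identifier pointer while it checks a strict-mode destructuring target. As an added example (this is not code from the bug report or from the WebKit patch), here is a small regression harness that spells out the outcomes a conforming engine should produce for this input and its close relatives: a SyntaxError at parse time, a TypeError at run time, or success, but never a crash. It assumes Node.js rather than jsc, and the case names and inputs are constructed; they cover the reporter's case plus the eval, arguments and invalid-target variants the reviewers ask for below.

```javascript
// Added example, not code from the WebKit bug or its patch.
// A small regression harness that classifies how a JavaScript engine handles
// strict-mode destructuring assignments like the one in this report. It runs
// under Node.js (assumed), not jsc; the outcomes encoded in CASES are what a
// spec-conforming engine returns: the parser either accepts the source or
// rejects it with a SyntaxError, and a crash is never an acceptable outcome.

// classify(src): "syntax-error" if the source fails to parse, "ok" if it
// parses and runs to completion, otherwise the name of the runtime error class.
function classify(src) {
  let fn;
  try {
    fn = new Function(src); // parses the body; nothing is executed yet
  } catch (e) {
    if (e instanceof SyntaxError) return "syntax-error";
    throw e; // anything other than a SyntaxError at parse time is a real bug
  }
  try {
    fn();
    return "ok";
  } catch (e) {
    return e.constructor.name; // e.g. "TypeError"
  }
}

// Constructed inputs (not from the bug report): the reporter's test case plus
// the eval/arguments and invalid-target variants the reviewers ask for.
const CASES = {
  // The reporter's case: NaN is a legal identifier reference, so this parses;
  // destructuring null then fails at runtime with a TypeError.
  nanTargetFromNull: '"use strict"; ({a: NaN} = null);',
  // Same target with a usable source: NaN is a non-writable global, and in
  // strict mode writing to it is a TypeError rather than a silent no-op.
  nanTargetFromObject: '"use strict"; ({a: NaN} = {a: 1});',
  // Strict mode forbids eval and arguments as assignment targets, so these
  // must be rejected by the parser, not at runtime.
  evalTarget: '"use strict"; ({a: eval} = null);',
  argumentsTarget: '"use strict"; ({a: arguments} = null);',
  // A literal is not a valid destructuring target at all.
  literalTarget: '"use strict"; ({a: 1} = {a: 1});',
  // Control case: a valid target with a valid source succeeds.
  validTarget: '"use strict"; var x; ({a: x} = {a: 1}); return x;',
};

// Run every case and return a name -> outcome map (usable as a test fixture).
function runAll() {
  const results = {};
  for (const [name, src] of Object.entries(CASES)) results[name] = classify(src);
  return results;
}

// Stand-alone usage: print the table of outcomes.
console.log(runAll());
```

The split between parse-time and run-time outcomes is the point: eval, arguments and literal targets are early errors that a strict-mode parser must reject before any code runs, while the NaN target is syntactically fine and only fails when the assignment is attempted. A parser test suite for this bug should assert on both halves so that a future change cannot turn a rejection into a crash.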
Comment 1 Mark Lam 2014-03-20 14:35:58 PDT
<rdar://problem/16383775>
Comment 2 Radar WebKit Bug Importer 2014-03-20 14:36:47 PDT
<rdar://problem/16383811>
Comment 3 Oliver Hunt 2014-03-20 17:33:46 PDT
Created attachment 227357 [details]
Patch
Comment 4 Mark Lam 2014-03-20 18:13:44 PDT
Comment on attachment 227357 [details]
Patch

r=me with additional test cases for "eval" and "arguments" in destructuring assignments as we discussed offline.
Comment 5 Geoffrey Garen 2014-03-20 18:14:52 PDT
Comment on attachment 227357 [details]
Patch

Can you add a test for the "Cannot deconstruct to" case?
Comment 6 Oliver Hunt 2014-03-24 18:01:21 PDT
Created attachment 227712 [details]
Patch
Comment 7 Michael Saboff 2014-03-24 18:22:03 PDT
Comment on attachment 227712 [details]
Patch

r=me
Comment 8 Oliver Hunt 2014-03-24 18:54:33 PDT
Committed r166216: <http://trac.webkit.org/changeset/166216>