WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
130538
Strict mode destructuring assignment crashes the parser.
https://bugs.webkit.org/show_bug.cgi?id=130538
Summary
Strict mode destructuring assignment crashes the parser.
Mark Lam
Reported
2014-03-20 14:30:27 PDT
Here's the test case: "use strict"; (function(){ ({a: NaN} = null) }); Run that in jsc and you'll get a crash with the following back trace: (lldb) bt * thread #1: tid = 0x4ddaef, 0x000000010006d50c JavaScriptCore`WTF::RefPtr<WTF::StringImpl>::get(this=0x0000000000000000) const + 12 at RefPtr.h:57, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x000000010006d50c JavaScriptCore`WTF::RefPtr<WTF::StringImpl>::get(this=0x0000000000000000) const + 12 at RefPtr.h:57 frame #1: 0x000000010006d4f5 JavaScriptCore`WTF::String::impl(this=0x0000000000000000) const + 21 at WTFString.h:150 frame #2: 0x00000001000e2699 JavaScriptCore`JSC::Identifier::equal(a=0x0000000000000000, b=0x0000000103001b98) + 25 at Identifier.h:106 frame #3: 0x00000001000b21ad JavaScriptCore`JSC::operator==(a=0x0000000000000000, b=0x0000000103001b98) + 29 at Identifier.h:200 frame #4: 0x000000010067e751 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 1697 at Parser.cpp:2262 frame #5: 0x000000010067dcec JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 140 at Parser.cpp:1683 frame #6: 0x000000010067d8a9 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 57 at Parser.h:1643 frame #7: 0x000000010067d055 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 469 at Parser.h:1576 frame #8: 0x000000010067cb52 JavaScriptCore`JSC::SyntaxChecker::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 178 at Parser.h:1539 frame #9: 0x000000010067c8ce JavaScriptCore`JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8) + 78 at Parser.h:1444 frame #10: 0x000000010067478f JavaScriptCore`JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8, directive=0x00007fff5fbfbc30, directiveLiteralLength=0x00007fff5fbfbc2c) + 1183 at Parser.cpp:1178 frame #11: 0x0000000100673eeb JavaScriptCore`JSC::SyntaxChecker::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::SyntaxChecker>(this=0x00007fff5fbfec58, context=0x00007fff5fbfbcd8, mode=CheckForStrictMode) + 107 at Parser.h:336 frame #12: 0x0000000100673926 JavaScriptCore`JSC::ASTBuilder::FunctionBody JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionBody<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 390 at Parser.cpp:1214 frame #13: 0x000000010066c2fa JavaScriptCore`bool JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionInfo<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8, requirements=FunctionNoRequirements, mode=FunctionMode, nameIsInContainingScope=false, name=0x00007fff5fbfc578, parameters=0x00007fff5fbfc570, body=0x00007fff5fbfc568, openBraceOffset=0x00007fff5fbfc564, closeBraceOffset=0x00007fff5fbfc560, bodyStartLine=0x00007fff5fbfc55c, bodyStartColumn=0x00007fff5fbfc558) + 4922 at Parser.h:1304 frame #14: 0x0000000100669eed JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 477 at Parser.cpp:2124 frame #15: 0x0000000100668e74 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 1060 at Parser.h:2251 frame #16: 0x000000010066819a JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 186 at Parser.cpp:1683 frame #17: 0x00000001006678b9 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 57 at Parser.h:1643 frame #18: 0x0000000100666d78 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 616 at Parser.h:1576 frame #19: 0x00000001006665b4 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 180 at Parser.h:1539 frame #20: 0x000000010066d459 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parsePrimaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 649 at Parser.cpp:1986 frame #21: 0x000000010066a02b JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 795 at Parser.h:2127 frame #22: 0x0000000100668e74 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 1060 at Parser.h:2251 frame #23: 0x000000010066819a JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 186 at Parser.cpp:1683 frame #24: 0x00000001006678b9 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 57 at Parser.h:1643 frame #25: 0x0000000100666d78 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 616 at Parser.h:1576 frame #26: 0x00000001006665b4 JavaScriptCore`JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 180 at Parser.h:1539 frame #27: 0x000000010066632e JavaScriptCore`JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionStatement<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8) + 78 at Parser.h:1444 frame #28: 0x000000010065d7e6 JavaScriptCore`JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8, directive=0x00007fff5fbfd6f8, directiveLiteralLength=0x00007fff5fbfd6f4) + 1206 at Parser.cpp:1178 frame #29: 0x0000000100607edc JavaScriptCore`JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(this=0x00007fff5fbfec58, context=0x00007fff5fbfd8f8, mode=CheckForStrictMode) + 108 at Parser.cpp:336 frame #30: 0x0000000100607943 JavaScriptCore`JSC::Parser<JSC::Lexer<unsigned char> >::parseInner(this=0x00007fff5fbfec58) + 227 at Parser.cpp:267 frame #31: 0x000000010009b93b JavaScriptCore`WTF::PassRefPtr<JSC::ProgramNode> JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(this=0x00007fff5fbfec58, error=0x00007fff5fbff988) + 283 at Parser.h:894 frame #32: 0x000000010009a621 JavaScriptCore`WTF::PassRefPtr<JSC::ProgramNode> JSC::parse<JSC::ProgramNode>(vm=0x0000000102007800, source=0x00007fff5fbff8d8, parameters=0x0000000000000000, name=0x00007fff5fbff748, strictness=JSParseNormal, parserMode=JSParseProgramCode, error=0x00007fff5fbff988, positionBeforeLastNewline=0x0000000000000000) + 305 at Parser.h:964 frame #33: 0x000000010014d06b JavaScriptCore`JSC::checkSyntax(vm=0x0000000102007800, source=0x00007fff5fbff8d8, error=0x00007fff5fbff988) + 219 at Completion.cpp:58 frame #34: 0x0000000100002668 jsc`runInteractive(globalObject=0x0000000101cff970) + 648 at SourceCode.h:118 frame #35: 0x00000001000017f3 jsc`jscmain(argc=1, argv=0x00007fff5fbffb58) + 403 at jsc.cpp:1132 frame #36: 0x00000001000015a1 jsc`main(argc=1, argv=0x00007fff5fbffb58) + 177 at jsc.cpp:871 frame #37: 0x00007fff854185fd libdyld.dylib`start + 1 frame #38: 0x00007fff854185fd libdyld.dylib`start + 1
Attachments
Patch
(4.95 KB, patch)
2014-03-20 17:33 PDT
,
Oliver Hunt
no flags
Details
Formatted Diff
Diff
Patch
(16.67 KB, patch)
2014-03-24 18:01 PDT
,
Oliver Hunt
msaboff
: review+
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Mark Lam
Comment 1
2014-03-20 14:35:58 PDT
<
rdar://problem/16383775
>
Radar WebKit Bug Importer
Comment 2
2014-03-20 14:36:47 PDT
<
rdar://problem/16383811
>
Oliver Hunt
Comment 3
2014-03-20 17:33:46 PDT
Created
attachment 227357
[details]
Patch
Mark Lam
Comment 4
2014-03-20 18:13:44 PDT
Comment on
attachment 227357
[details]
Patch r=me with additional tests cases for "eval" and "arguments" in destructing assignments as we discussed offline.
Geoffrey Garen
Comment 5
2014-03-20 18:14:52 PDT
Comment on
attachment 227357
[details]
Patch Can you add a test for the "Cannot deconstruct to" case?
Oliver Hunt
Comment 6
2014-03-24 18:01:21 PDT
Created
attachment 227712
[details]
Patch
Michael Saboff
Comment 7
2014-03-24 18:22:03 PDT
Comment on
attachment 227712
[details]
Patch r=me
Oliver Hunt
Comment 8
2014-03-24 18:54:33 PDT
Committed
r166216
: <
http://trac.webkit.org/changeset/166216
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug