RESOLVED FIXED 147538
JavascriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool)
https://bugs.webkit.org/show_bug.cgi?id=147538
Puzzor
Reported 2015-08-02 01:08:02 PDT
Created attachment 258030 [details]
./jsc a.js

When you put "V={=>" in JavaScriptCore, it will crash.

#0  0x00007ffff79eaaab in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007ffff79e5ca6 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007ffff79a9092 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) [clone .part.592] () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#3  0x00007ffff79aa6d7 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) [clone .part.592] () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#4  0x00007ffff79ebb82 in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#5  0x00007ffff79ef6ad in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseExpressionOrLabelStatement<JSC::ASTBuilder>(JSC::ASTBuilder&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#6  0x00007ffff79eed9b in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#7  0x00007ffff79efcf0 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#8  0x00007ffff79effd6 in JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#9  0x00007ffff79f1037 in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner(JSC::Identifier const&, JSC::FunctionParseMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#10 0x00007ffff767f801 in std::unique_ptr<JSC::ProgramNode, std::default_delete<JSC::ProgramNode> > JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&, JSC::Identifier const&, JSC::FunctionParseMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#11 0x00007ffff7680194 in std::unique_ptr<JSC::ProgramNode, std::default_delete<JSC::ProgramNode> > JSC::parse<JSC::ProgramNode>(JSC::VM*, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserCodeType, JSC::ParserError&, JSC::JSTextPosition*, JSC::FunctionParseMode, JSC::ConstructorKind, JSC::ThisTDZMode) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#12 0x00007ffff7a79b28 in JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::ThisTDZMode, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&, JSC::VariableEnvironment const*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#13 0x00007ffff7a770f5 in JSC::CodeCache::getProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#14 0x00007ffff7af5d49 in JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#15 0x00007ffff7abb9e6 in JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#16 0x00007ffff790f0ad in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#17 0x00007ffff7a90d5a in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () from /home/puzzor/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#18 0x000000000040d9f6 in jscmain(int, char**) ()
#19 0x0000000000407848 in main ()
#20 0x00007ffff6bb9ec5 in __libc_start_main (main=0x4077d0 <main>, argc=0x2, argv=0x7fffffffe5d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5c8) at libc-start.c:287
#21 0x00000000004078a3 in _start ()

In template <class TreeBuilder> TreeProperty Parser<LexerType>::parseProperty(TreeBuilder& context, bool complete), ident may be an invalid ptr and the reference to it may be wrong.
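When triaging a parser-crash report like this one, the first thing to check on any engine build is that the reproducer is rejected with a plain SyntaxError rather than crashing, throwing something else, or being silently accepted. The block below is an added example, not code from the bug, from the landed patch or from WebKit: it parses each candidate source with the Function constructor (which parses the body without executing it) and classifies the outcome. Only "V={=>" comes from the report; the other inputs are constructed here as nearby malformed and well-formed object-literal and arrow-function shapes. It runs under jsc or node.

```javascript
// Added example (not from the bug or WebKit). Parse `src` as a function body
// without running it and report how the engine's parser reacted.
// A malformed body must yield "SyntaxError"; anything else is worth a look.
function classifyParse(src) {
  try {
    new Function(src); // parses only; the function is never called
    return "parsed";
  } catch (e) {
    return e instanceof SyntaxError ? "SyntaxError" : "other:" + e.name;
  }
}

// Constructed cases (assumed for this example): the reporter's input plus
// neighbours that exercise the same object-literal / arrow grammar.
const CASES = [
  ["V={=>",     "SyntaxError"], // the reproducer from the report
  ["V={=>1}",   "SyntaxError"], // `=>` where a property key is expected
  ["V={a=>1}",  "SyntaxError"], // shorthand property followed by `=>`
  ["V={a=>}",   "SyntaxError"],
  ["V={a:=>1}", "SyntaxError"], // `=>` where a property value is expected
  ["V={a:1}",   "parsed"],      // ordinary property
  ["V={a}",     "parsed"],      // shorthand property
  ["V={a(){}}", "parsed"],      // method shorthand
  ["V=(a=>1)",  "parsed"],      // arrow function as a value
  ["V=>{}",     "parsed"],      // arrow function as a statement
];

// Run every case; return the mismatches so a caller (or a test) can assert on
// an empty list rather than on printed output.
function runCases(cases) {
  const failures = [];
  for (const [src, expected] of cases) {
    const got = classifyParse(src);
    if (got !== expected) failures.push({ src, expected, got });
  }
  return failures;
}

// Stand-alone usage: print a one-line verdict per case.
for (const [src, expected] of CASES) {
  console.log(JSON.stringify(src), "->", classifyParse(src), "(expected", expected + ")");
}
```

If the process dies instead of printing a verdict for a case, that case is a crash of the kind reported here and belongs in a bug, ideally with the engine's backtrace attached as the reporter did.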
Attachments
./jsc a.js (5 bytes, application/javascript) - 2015-08-02 01:08 PDT, Puzzor - no flags
Patch (2.74 KB, patch) - 2015-08-03 10:22 PDT, Yusuke Suzuki - no flags
Archive of layout-test-results from ews100 for mac-mavericks (538.57 KB, application/zip) - 2015-08-03 10:56 PDT, Build Bot - no flags
Archive of layout-test-results from ews106 for mac-mavericks-wk2 (597.78 KB, application/zip) - 2015-08-03 11:01 PDT, Build Bot - no flags
Patch (6.27 KB, patch) - 2015-08-03 11:25 PDT, Yusuke Suzuki - no flags
Alexey Proskuryakov
Comment 1 2015-08-02 14:11:14 PDT
Crashes on Mac, too (unsurprisingly).
Yusuke Suzuki
Comment 2 2015-08-03 10:22:33 PDT
WebKit Commit Bot
Comment 3 2015-08-03 10:26:08 PDT
Attachment 258072 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/parser/ParserTokens.h:119: enum members should use InterCaps with an initial capital letter. [readability/enum_casing] [4] Total errors found: 1 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.
Build Bot
Comment 4 2015-08-03 10:56:52 PDT
Comment on attachment 258072 [details] Patch Attachment 258072 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/11794 New failing tests: js/arrowfunction-syntax-errors.html
Build Bot
Comment 5 2015-08-03 10:56:54 PDT
Created attachment 258077 [details] Archive of layout-test-results from ews100 for mac-mavericks The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews100 Port: mac-mavericks Platform: Mac OS X 10.9.5
Build Bot
Comment 6 2015-08-03 11:01:24 PDT
Comment on attachment 258072 [details] Patch Attachment 258072 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/11798 New failing tests: js/arrowfunction-syntax-errors.html
Build Bot
Comment 7 2015-08-03 11:01:28 PDT
Created attachment 258079 [details] Archive of layout-test-results from ews106 for mac-mavericks-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-mavericks-wk2 Platform: Mac OS X 10.9.5
Yusuke Suzuki
Comment 8 2015-08-03 11:25:39 PDT
Yusuke Suzuki
Comment 9 2015-08-03 11:26:09 PDT
Fixed the test expectation file.
WebKit Commit Bot
Comment 10 2015-08-03 11:27:05 PDT
Attachment 258087 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/parser/ParserTokens.h:119: enum members should use InterCaps with an initial capital letter. [readability/enum_casing] [4] Total errors found: 1 in 5 files If any of these errors are false positives, please file a bug against check-webkit-style.
Geoffrey Garen
Comment 11 2015-08-03 13:21:15 PDT
Comment on attachment 258087 [details] Patch r=me
Yusuke Suzuki
Comment 12 2015-08-03 13:36:44 PDT
Comment on attachment 258087 [details] Patch Thanks!
WebKit Commit Bot
Comment 13 2015-08-03 14:26:18 PDT
Comment on attachment 258087 [details] Patch Clearing flags on attachment: 258087 Committed r187763: <http://trac.webkit.org/changeset/187763>
WebKit Commit Bot
Comment 14 2015-08-03 14:26:22 PDT
All reviewed patches have been landed. Closing bug.