SVN: rev200124
Build with: perl Tools/Scripts/build-jsc --gtk --debug

Test case:
---
(new class D extends class {} { constructor() { eval(`super["m"]()`) } })
---

Crashes with:
---
Thread 1 "jsc-debug" received signal SIGSEGV, Segmentation fault.
0x00007ffff6a33742 in llint_entry () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
---

Also reproducible with:
---
(new class D extends class {} { constructor(f) { super[f()]() } })
---

And with:
---
new class extends class {} { constructor() { super["m"](super()) } }
---

Stack trace:
---
#0  0x00007ffff6a33742 in llint_entry () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007ffff6a2d895 in vmEntryToJavaScript () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007ffff69d46d2 in JSC::JITCode::execute (this=0x7ffff0d9c848, vm=0x7fffb09f1000, protoCallFrame=0x7fffffffc000) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80
#3  0x00007ffff6999ca2 in JSC::Interpreter::execute (this=0x7ffff0def058, eval=0x7fffaedfbee0, callFrame=0x7fffffffca50, thisValue=..., scope=0x7fffaeddbec0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1255
#4  0x00007ffff6995405 in JSC::eval (callFrame=0x7fffffffca50) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:208
#5  0x00007ffff6a29fd7 in JSC::(anonymous namespace)::llint_slow_path_call_eval (exec=0x7fffffffcae0, pc=0x7ffff0dd7628) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1354
#6  0x00007ffff6a33ea2 in llint_entry () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#7  0x00007ffff6a33b4b in llint_entry () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#8  0x00007ffff6a2d895 in vmEntryToJavaScript () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#9  0x00007ffff69d46d2 in JSC::JITCode::execute (this=0x7ffff0d9c5f0, vm=0x7fffb09f1000, protoCallFrame=0x7fffffffcd30) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80
#10 0x00007ffff6997f4f in JSC::Interpreter::execute (this=0x7ffff0def058, program=0x7fffaedfbf70, callFrame=0x7fffaede7940, thisObj=0x7fffaedba360) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:960
#11 0x00007ffff6b849ad in JSC::evaluate (exec=0x7fffaede7940, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:106
#12 0x000000000043a120 in runInteractive (globalObject=0x7fffaede7900) at ../../Source/JavaScriptCore/jsc.cpp:2083
#13 0x000000000043abcb in runJSC (vm=0x7fffb09f1000, options=...) at ../../Source/JavaScriptCore/jsc.cpp:2244
#14 0x000000000043b0a1 in jscmain (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:2293
#15 0x000000000043967f in main (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:1947
Warning: the current language does not match this frame.
---
Preemptively marked as s-s, please unhide if this issue is not security relevant.
At first look, there is a problem that we do not emit a TDZ check of super when we are trying to access super by bracket notation in a constructor. I'll try to fix.
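The comment above describes the missing check: in a derived-class constructor, `this` sits in its temporal dead zone (TDZ) until `super()` returns, and a spec-conforming engine must throw a ReferenceError for any `super[...]` property access made before that point rather than crash. The following regression probes are an added example written for this page (they are not code from the bug report or from WebKit): they exercise the three access shapes the report lists, each against a constructed `Base` class with a single method `m`, and a control case that performs the same access after `super()`. The `probe` helper and the function names are assumptions of this example.

```javascript
// Added example (not from the bug report): regression probes for super-property
// access by bracket notation before super() has run. A conforming engine must
// throw ReferenceError because `this` is still in its temporal dead zone.

// Constructed base class used by every probe.
class Base {
  m() { return "base.m"; }
}

// Runs `construct` and reports either the value it produced or the name of
// the error it threw, so the probes can be compared without try/catch noise.
function probe(construct) {
  try {
    return { ok: true, value: construct() };
  } catch (e) {
    return { ok: false, error: e && e.name };
  }
}

// 1. Bracket access inside a direct eval in the derived constructor
//    (the shape that crashed the reported build).
function bracketViaEval() {
  return probe(() => new class extends Base {
    constructor() { eval('super["m"]()'); }
  }());
}

// 2. Computed key coming from a constructor argument. A real function is
//    passed so that the key expression itself cannot be the source of the error.
function bracketComputedKey() {
  return probe(() => new class extends Base {
    constructor(f) { super[f()](); }
  }(() => "m"));
}

// 3. super() appearing as an argument: the super-property reference is
//    evaluated before the argument list, so `this` is still uninitialised.
function bracketBeforeSuperArg() {
  return probe(() => new class extends Base {
    constructor() { super["m"](super()); }
  }());
}

// Control: the same bracket access after super() has run is legal and
// resolves to Base.prototype.m.
function bracketAfterSuper() {
  return probe(() => new class extends Base {
    constructor() { super(); this.result = super["m"](); }
  }().result);
}

// Collects every probe result in one object for inspection or assertion.
function runAll() {
  return {
    viaEval: bracketViaEval(),
    computedKey: bracketComputedKey(),
    beforeSuperArg: bracketBeforeSuperArg(),
    afterSuper: bracketAfterSuper(),
  };
}

console.log(runAll());
```

Running this under a conforming engine prints `ReferenceError` for the first three probes and `"base.m"` for the control; an engine that returns anything else for the first three, or terminates the process, has the kind of missing TDZ check this report describes.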
Created attachment 277618 [details] Patch hot fix
Comment on attachment 277618 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=277618&action=review

> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:940
> +        }
> +        else

WebKit coding style puts this brace and else on the same line
Comment on attachment 277618 [details]
Patch

Patch landed

Committed 200191: <http://trac.webkit.org/changeset/200191>
<rdar://problem/27326239>