Bug 158128 - JS parser incorrectly handles invalid utf8 in error messages.
Summary: JS parser incorrectly handles invalid utf8 in error messages.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Oliver Hunt
URL:
Keywords: EasyFix, HasReduction
Duplicates: 158082
Depends on:
Blocks:
Reported: 2016-05-26 11:56 PDT by Oliver Hunt
Modified: 2016-06-06 09:24 PDT (History)

See Also:


Attachments
Patch (9.49 KB, patch)
2016-06-02 15:46 PDT, Oliver Hunt
saam: review+

Description Oliver Hunt 2016-05-26 11:56:57 PDT
The bug occurs with an input like this:
eval('({m("\udeaf")})');


The initial parsing of this results in the \udeaf escape being converted to an actual literal. This is correct.
eval then parses that string, which results in a parse error while parsing the parameter list (string literals aren't valid parameter names).

The bug occurs when we try to actually set the error message:
failWithMessage("Expected a parameter pattern or a ')' in parameter list");

This tries to produce an error message that includes the bogus token:
Exception: SyntaxError: Unexpected string literal "<The failing token>". Expected a parameter pattern or a ')' in parameter list.

This string is produced via concatenation in PrintStringStream (or whatever it's called), which calls fromUTF8() on the buffer. Because \udeaf isn't a valid UTF-8 sequence, fromUTF8 fails and returns String().

The parser then checks the error state by checking errorMessage.isNull(), which it now is. This leads to the parser continuing in a bogus state and subsequently crashing.
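An added illustration of the failure mode described above, not WebKit code: a fromUTF8()-style helper that returns a null string on invalid input, an error check that reads message nullness as the error flag, and a variant that keeps the flag separate from the message. The names (from_utf8, token_bytes, ParseError) and the byte buffer are constructed for this example; it does not reproduce the actual fix.

```python
from dataclasses import dataclass
from typing import Optional

DETAIL = "Expected a parameter pattern or a ')' in parameter list"


def from_utf8(buf: bytes) -> Optional[str]:
    """Stand-in for a fromUTF8()-style helper: strict decode, None (a 'null
    string') when the bytes are not valid UTF-8."""
    try:
        return buf.decode("utf-8")
    except UnicodeDecodeError:
        return None


def token_bytes(token: str) -> bytes:
    # Constructed sample of the lexer's buffer for the failing token. A lone
    # surrogate such as U+DEAF has no valid UTF-8 form; 'surrogatepass' emits
    # the three bytes ED BA AF, which a strict decoder rejects.
    return token.encode("utf-8", "surrogatepass")


def message_buffer(token: str, detail: str) -> bytes:
    # Concatenation of the fixed text and the raw token bytes, as a stream would do.
    return b'Unexpected string literal "' + token_bytes(token) + b'". ' + detail.encode("utf-8")


def build_message_buggy(token: str, detail: str) -> Optional[str]:
    # Failure mode from the report: one bad token makes the whole message null.
    return from_utf8(message_buffer(token, detail))


def has_error_buggy(message: Optional[str]) -> bool:
    # Mirrors using errorMessage.isNull() as the error flag: a conversion
    # failure is indistinguishable from "no error", so parsing continues.
    return message is not None


@dataclass
class ParseError:
    failed: bool      # explicit flag, independent of the message content
    message: str


def fail_with_message_safe(token: str, detail: str) -> ParseError:
    text = from_utf8(message_buffer(token, detail))
    if text is None:
        # Keep the message non-null: decode lossily so the error still reports.
        text = message_buffer(token, detail).decode("utf-8", "replace")
    return ParseError(failed=True, message=text)
```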
Comment 1 Oliver Hunt 2016-06-02 15:46:27 PDT
Created attachment 280373 [details]
Patch
Comment 2 Oliver Hunt 2016-06-02 16:06:29 PDT
Committed r201624: <http://trac.webkit.org/changeset/201624>
Comment 3 Oliver Hunt 2016-06-06 09:24:02 PDT
*** Bug 158082 has been marked as a duplicate of this bug. ***