245066 – Crash in /WebKit/Source/JavaScriptCore/parser/Parser.cpp(3012)

RESOLVED FIXED Bug 245066

Crash in /WebKit/Source/JavaScriptCore/parser/Parser.cpp(3012)

https://bugs.webkit.org/show_bug.cgi?id=245066

Summary Crash in /WebKit/Source/JavaScriptCore/parser/Parser.cpp(3012)

xiangwei1895

Reported 2022-09-12 03:16:00 PDT

JSC crashes when executing the following code： function main(){ class a{ g = [] 'a'(){} } } ASSERTION FAILED: ident /data/WebKit/Source/JavaScriptCore/parser/Parser.cpp(3012) : typename TreeBuilder::ClassExpression JSC::Parser<JSC::Lexer<LChar> >::parseClass(TreeBuilder &, JSC::FunctionNameRequirements, ParserClassInfo<TreeBuilder> &) [LexerType = JSC::Lexer<LChar>, TreeBuilder = JSC::SyntaxChecker]

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2022-09-12 03:16:11 PDT

<rdar://problem/99815328>

Yusuke Suzuki

Comment 2 2022-10-05 19:47:20 PDT

Pull request: https://github.com/WebKit/WebKit/pull/5065

Yusuke Suzuki

Comment 3 2022-10-05 19:48:27 PDT

Making it non security since it is always a nullptr crash.

EWS

Comment 4 2022-10-06 02:21:43 PDT

Committed 255212@main (89c0d4c38e9a): <https://commits.webkit.org/255212@main> Reviewed commits have been landed. Closing PR #5065 and removing active labels.

Yusuke Suzuki

Comment 5 2023-01-26 14:22:52 PST

*** Bug 245657 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Yusuke Suzuki

Reported

2022-09-12 03:16 PDT

Modified

2023-01-26 14:22 PST History

CC List

3 users Show

URL

Keywords InRadar

Duplicates (1)

245657 View as bug list

Depends on

Blocks