[Webkit-unassigned] [Bug 163748] New: [JSC] crash via `new Function("}{")`

Thu Oct 20 12:24:56 PDT 2016

https://bugs.webkit.org/show_bug.cgi?id=163748

            Bug ID: 163748
           Summary: [JSC] crash via `new Function("}{")`
    Classification: Unclassified
           Product: WebKit
           Version: Safari 10
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: caitp at igalia.com

Currently, the FunctionConstructor generates a source string in the form:

"{function anonymous() { <source body parameter> } }", which eventually reaches getFunctionExecutableFromGlobalCode().

getFunctionExecutableFromGlobalCode() asserts that the resulting AST contains a Block with a single statement (a function declaration).

However, it is possible to fail this assertion and crash the browser tab. There is no real guarantee that the source code will produce the expected AST, and it shouldn't fire assertions about the structure of the AST.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161020/b34344a3/attachment.html>