[Webkit-unassigned] [Bug 225094] Reproducible crash in Parser<JSC::Lexer<unsigned char> >::parseClass<JSC::SyntaxChecker>

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 27 14:52:15 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=225094

Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fpizlo at apple.com,
                   |                            |mark.lam at apple.com,
                   |                            |sbarati at apple.com,
                   |                            |shvaikalesh at gmail.com,
                   |                            |webkit-bug-importer at group.a
                   |                            |pple.com, ysuzuki at apple.com
            Summary|crash in                    |Reproducible crash in
                   |Source/JavaScriptCore/runti |Parser<JSC::Lexer<unsigned
                   |me/Identifier.h             |char>
                   |                            |>::parseClass<JSC::SyntaxCh
                   |                            |ecker>
                 OS|Linux                       |All

--- Comment #1 from Alexey Proskuryakov <ap at webkit.org> ---
I reproduce the crash with just the first four lines of the test:

function main() {
    class a {
        g = [].toString()
        'a'()


Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore            0x00000001b7a51f00 JSC::SyntaxChecker::ClassExpression JSC::Parser<JSC::Lexer<unsigned char> >::parseClass<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::FunctionNameRequirements, JSC::ParserClassInfo<JSC::SyntaxChecker>&) + 3208
1   com.apple.JavaScriptCore            0x00000001b7a51c94 JSC::SyntaxChecker::ClassExpression JSC::Parser<JSC::Lexer<unsigned char> >::parseClass<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::FunctionNameRequirements, JSC::ParserClassInfo<JSC::SyntaxChecker>&) + 2588
2   com.apple.JavaScriptCore            0x00000001b7a4e778 JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseClassDeclaration<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType, JSC::DeclarationDefaultContext) + 248
3   com.apple.JavaScriptCore            0x00000001b7a4d5a8 JSC::SyntaxChecker::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::Identifier const*&, unsigned int*) + 752
4   com.apple.JavaScriptCore            0x00000001b7a4ce7c JSC::SyntaxChecker::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::SyntaxChecker>(JSC::SyntaxChecker&, JSC::SourceElementsMode) + 148
5   com.apple.JavaScriptCore            0x00000001b7a408f4 bool JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionInfo<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::FunctionNameRequirements, JSC::SourceParseMode, bool, JSC::ConstructorKind, JSC::SuperBinding, int, JSC::ParserFunctionInfo<JSC::ASTBuilder>&, JSC::Parser<JSC::Lexer<unsigned char> >::FunctionDefinitionType, WTF::Optional<int>) + 6040
6   com.apple.JavaScriptCore            0x00000001b7a6ea5c JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseFunctionDeclaration<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Parser<JSC::Lexer<unsigned char> >::FunctionDeclarationType, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType, JSC::DeclarationDefaultContext, WTF::Optional<int>) + 460
7   com.apple.JavaScriptCore            0x00000001b7a6dcd4 JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) + 788
8   com.apple.JavaScriptCore            0x00000001b7a229d0 JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode) + 204
9   com.apple.JavaScriptCore            0x00000001b7a1d5c4 JSC::Parser<JSC::Lexer<unsigned char> >::parseInner(JSC::Identifier const&, JSC::SourceParseMode, JSC::ParsingContext, WTF::Optional<int>, WTF::Vector<JSC::JSTextPosition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*) + 1008
10  com.apple.JavaScriptCore            0x00000001b738fc7c std::__1::unique_ptr<JSC::ProgramNode, std::__1::default_delete<JSC::ProgramNode> > JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&, JSC::Identifier const&, JSC::SourceParseMode, JSC::ParsingContext, WTF::Optional<int>, JSC::VariableEnvironment const*, WTF::Vector<JSC::JSTextPosition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*) + 140
11  com.apple.JavaScriptCore            0x00000001b7b47c80 std::__1::unique_ptr<JSC::ProgramNode, std::__1::default_delete<JSC::ProgramNode> > JSC::parse<JSC::ProgramNode>(JSC::VM&, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ParserError&, JSC::JSTextPosition*, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, JSC::DebuggerParseData*, JSC::VariableEnvironment const*, WTF::Vector<JSC::JSTextPosition, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*, bool) + 304
12  com.apple.JavaScriptCore            0x00000001b7b41a94 JSC::checkSyntax(JSC::VM&, JSC::SourceCode const&, JSC::ParserError&) + 156

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210427/e077d116/attachment-0001.htm>

More information about the webkit-unassigned mailing list