[Webkit-unassigned] [Bug 223896] New: UBSan: JSC::Parser<LexerType>::parseProperty(): runtime error: load of value nnn, which is not a valid value for type 'bool'

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 29 13:18:09 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=223896

            Bug ID: 223896
           Summary: UBSan: JSC::Parser<LexerType>::parseProperty():
                    runtime error: load of value nnn, which is not a valid
                    value for type 'bool'
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org

Running all layout tests with a Release+UBSan build of WebKit (see Bug 176131) results in ~951 tests hitting this UBSan warning at least once with different values of "nnn":

    parser/Parser.cpp:4339:39: runtime error: load of value nnn, which is not a valid value for type 'bool'

Note that "struct JSToken" attempts to initialize "union JSTokenData" in its definition in PaserTokens.h:

    struct JSToken {
        JSTokenType m_type { ERRORTOK };
        JSTokenData m_data { { nullptr, nullptr, false } };
        JSTokenLocation m_location;
        JSTextPosition m_startPosition;
        JSTextPosition m_endPosition;

        void dump(WTF::PrintStream&) const;
    };

However, it seems the `escaped` field may not be initialized somewhere else the JSTokenData's m_type is set to JSTokenType::STRING.

    union JSTokenData {
        struct {
            const Identifier* cooked;
            const Identifier* raw;
            bool isTail;
        };
        struct {
            uint32_t line;
            uint32_t offset;
            uint32_t lineStartOffset;
        };
        double doubleValue;
        struct {
            const Identifier* ident;
            bool escaped;
        };
        struct {
            const Identifier* bigIntString;
            uint8_t radix;
        };
        struct {
            const Identifier* pattern;
            const Identifier* flags;
        };
    };

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210329/b2d07ecd/attachment-0001.htm>

More information about the webkit-unassigned mailing list