[Webkit-unassigned] [Bug 284240] New: ASSERTION FAILED: !m_parsingBuiltinFunction in JavaScriptCore Lexer

bugzilla-daemon at webkit.org
Sat Dec 7 19:08:58 PST 2024


https://bugs.webkit.org/show_bug.cgi?id=284240

            Bug ID: 284240
           Summary: ASSERTION FAILED: !m_parsingBuiltinFunction in
                    JavaScriptCore Lexer
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: entryhii at gmail.com

Hello, I found a crash in JavaScriptCore.

The PoC is shown below:

======================poc.js====================
const v2 = new Date();
class C4 {}
const v5 = C4.constructor;
v5(v5, v2);
==============================================


Reproduce crash: ./jsc -f poc.js --exposePrivateIdentifiers=true

Backtrace:
* thread #1, name = 'jsc', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff2c53884 libc.so.6`__pthread_kill_implementation + 276
    frame #1: 0x00007ffff2c02afe libc.so.6`raise + 30
    frame #2: 0x00007ffff2beb87f libc.so.6`abort + 223
    frame #3: 0x00007ffff548c32a libJavaScriptCore.so.1`WTFCrashWithInfo((null)=1022, (null)="/home/wjm/WebKit-https/WebKit_validate/Source/JavaScriptCore/parser/Lexer.cpp", (null)="JSC::JSTokenType JSC::Lexer<char16_t>::parseIdentifier(JSC::JSTokenData *, OptionSet<JSC::LexerFlags>, bool) [T = char16_t, shouldCreateIdentifier = true]", (null)=2354) at Assertions.h:913:5
    frame #4: 0x00007ffff642464b libJavaScriptCore.so.1`JSC::JSTokenType JSC::Lexer<char16_t>::parseIdentifier<true>(this=0x00007fffe9058ee0, tokenData=0x00007fffffffc5a0, lexerFlags=<unavailable>, strictMode=<unavailable>) at Lexer.cpp:1022:5
    frame #5: 0x00007ffff6421a49 libJavaScriptCore.so.1`JSC::Lexer<char16_t>::lexWithoutClearingLineTerminator(this=0x00007fffe9058ee0, tokenRecord=0x00007fffffffc598, lexerFlags=<unavailable>, strictMode=false) at Lexer.cpp:2507:21
    frame #6: 0x00007ffff6361e61 libJavaScriptCore.so.1`JSC::Parser<JSC::Lexer<char16_t>>::Parser(JSC::VM&, JSC::SourceCode const&, JSC::ImplementationVisibility, JSC::JSParserBuiltinMode, unsigned char, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::FunctionMode, JSC::SuperBinding, JSC::ConstructorKind, JSC::DerivedContextType, bool, JSC::EvalContextType, JSC::DebuggerParseData*, bool) [inlined] JSC::Lexer<char16_t>::lex(this=<unavailable>, tokenRecord=<unavailable>, lexerFlags=(m_storage = '\0'), strictMode=<unavailable>) at Lexer.h:413:12
    frame #7: 0x00007ffff6361e53 libJavaScriptCore.so.1`JSC::Parser<JSC::Lexer<char16_t>>::Parser(JSC::VM&, JSC::SourceCode const&, JSC::ImplementationVisibility, JSC::JSParserBuiltinMode, unsigned char, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::FunctionMode, JSC::SuperBinding, JSC::ConstructorKind, JSC::DerivedContextType, bool, JSC::EvalContextType, JSC::DebuggerParseData*, bool) [inlined] JSC::Parser<JSC::Lexer<char16_t>>::next(this=0x00007fffffffa650, lexerFlags=(m_storage = '\0')) at Parser.h:1578:35
    frame #8: 0x00007ffff6361e3b libJavaScriptCore.so.1`JSC::Parser<JSC::Lexer<char16_t>>::Parser(this=0x00007fffffffa650, vm=<unavailable>, source=<unavailable>, implementationVisibility=<unavailable>, builtinMode=NotBuiltin, lexicallyScopedFeatures='\0', scriptMode=<unavailable>, parseMode=ProgramMode, functionMode=None, superBinding=NotNeeded, constructorKind=None, derivedContextType=None, isEvalContext=<unavailable>, evalContextType=None, debuggerParseData=0x0000000000000000, isInsideOrdinaryFunction=<unavailable>) at Parser.cpp:172:5
    frame #9: 0x00007ffff64c087b libJavaScriptCore.so.1`JSC::parseFunctionForFunctionConstructor(vm=0x00007fffa7000000, source=0x00007fffffffc918, lexicallyScopedFeatures=<unavailable>, error=<unavailable>, positionBeforeLastNewline=<unavailable>, functionConstructorParametersEndPosition=<unavailable>) at Parser.h:2377:30
    frame #10: 0x00007ffff64bfafb libJavaScriptCore.so.1`JSC::CodeCache::getUnlinkedGlobalFunctionExecutable(this=<unavailable>, vm=<unavailable>, name=0x00007fffa7480370, source=0x00007fffffffc918, lexicallyScopedFeatures='\0', codeGenerationMode=<unavailable>, functionConstructorParametersEndPosition=<unavailable>, error=<unavailable>) at CodeCache.cpp:229:44
    frame #11: 0x00007ffff58af7b2 libJavaScriptCore.so.1`JSC::UnlinkedFunctionExecutable::fromGlobalCode(name=0x00007fffa7480370, globalObject=0x00007fffa741a088, source=0x00007fffffffc918, lexicallyScopedFeatures='\0', exception=<unavailable>, overrideLineNumber=<unavailable>, functionConstructorParametersEndPosition=<unavailable>) at UnlinkedFunctionExecutable.cpp:217:57
    frame #12: 0x00007ffff65324a9 libJavaScriptCore.so.1`JSC::constructFunctionSkippingEvalEnabledCheck(JSC::JSGlobalObject*, WTF::String&&, unsigned char, JSC::Identifier const&, JSC::SourceOrigin const&, WTF::String const&, JSC::SourceTaintedOrigin, WTF::TextPosition const&, int, std::__1::optional<int>, JSC::FunctionConstructionMode, JSC::JSValue) [inlined] JSC::FunctionExecutable::fromGlobalCode(name=0x00007fffa7480370, globalObject=0x00007fffa741a088, source=0x00007fffffffc918, lexicallyScopedFeatures='\0', exception=0x00007fffffffc910, overrideLineNumber=<unavailable>, functionConstructorParametersEndPosition=<unavailable>) at FunctionExecutable.cpp:135:9
    frame #13: 0x00007ffff653247d libJavaScriptCore.so.1`JSC::constructFunctionSkippingEvalEnabledCheck(globalObject=0x00007fffa741a088, program=0x00007fffffffca00, lexicallyScopedFeatures='\0', functionName=0x00007fffa7480370, sourceOrigin=0x00007ffff7899570, sourceURL=0x00007ffff7899582, taintedOrigin=Untainted, position=0x00007fffffffcbb8, overrideLineNumber=-1, functionConstructorParametersEndPosition= Has Value=true , functionConstructionMode=Function, newTarget=JSValue @ 0x00007fffffffc9e8) at FunctionConstructor.cpp:169:36
    frame #14: 0x00007ffff6531957 libJavaScriptCore.so.1`JSC::constructFunction(globalObject=<unavailable>, args=0x00007fffffffcc38, functionName=<unavailable>, sourceOrigin=<unavailable>, sourceURL=<unavailable>, taintedOrigin=<unavailable>, position=<unavailable>, functionConstructionMode=<unavailable>, newTarget=<unavailable>) at FunctionConstructor.cpp:159:5
    frame #15: 0x00007ffff6532ac5 libJavaScriptCore.so.1`JSC::constructFunction(globalObject=0x00007fffa741a088, callFrame=0x00007fffffffcc50, args=0x00007fffffffcc38, functionConstructionMode=<unavailable>, newTarget=JSValue @ r15) at FunctionConstructor.cpp:222:12
    frame #16: 0x00007ffff6531415 libJavaScriptCore.so.1`JSC::callFunctionConstructor(globalObject=<unavailable>, callFrame=<unavailable>) at FunctionConstructor.cpp:55:28
    frame #17: 0x00007fffa8178327
    frame #18: 0x00007ffff6dc0712 libJavaScriptCore.so.1`llint_op_call + 187
    frame #19: 0x00007ffff6d9d57d libJavaScriptCore.so.1`llint_call_javascript + 6
    frame #20: 0x00007ffff61f1f86 libJavaScriptCore.so.1`JSC::Interpreter::executeProgram(this=<unavailable>, source=<unavailable>, (null)=<unavailable>, thisObj=0x00007fffe9022308) at Interpreter.cpp:1164:28
    frame #21: 0x00007ffff64e5b0f libJavaScriptCore.so.1`JSC::evaluate(globalObject=0x00007fffa741a088, source=0x00007fffffffd208, thisValue=JSValue @ 0x00007fffffffd0a8, returnedException=0x00007fffffffd2f8) at Completion.cpp:138:37
    frame #22: 0x0000555555569b64 jsc`int runJSC<jscmain(int, char**)::$_9>(CommandLine const&, bool, jscmain(int, char**)::$_9 const&) at jsc.cpp:3819:35
    frame #23: 0x0000555555568d08 jsc`int runJSC<jscmain(int, char**)::$_9>(CommandLine const&, bool, jscmain(int, char**)::$_9 const&) [inlined] jscmain(int, char**)::$_9::operator()(this=<unavailable>, vm=<unavailable>, globalObject=0x00007fffa741a088, success=0x00007fffffffd17f) const at jsc.cpp:4508:13
    frame #24: 0x0000555555568cfb jsc`int runJSC<jscmain(int, char**)::$_9>(options=0x00005555555e2c80, isWorker=false, func=<unavailable>) at jsc.cpp:4299:13
    frame #25: 0x0000555555566e53 jsc`jscmain(argc=7, argv=0x00007fffffffd608) at jsc.cpp:4501:18
    frame #26: 0x0000555555566a60 jsc`main(argc=7, argv=0x00007fffffffd608) at jsc.cpp:3575:15
    frame #27: 0x00007ffff2becb8a libc.so.6`__libc_start_call_main + 122
    frame #28: 0x00007ffff2becc4b libc.so.6`__libc_start_main@@GLIBC_2.34 + 139
    frame #29: 0x00005555555628b5 jsc`_start + 37
