Title: [272663] trunk/Source/_javascript_Core
Revision: 272663
Author: sbar...@apple.com
Date: 2021-02-10 10:46:57 -0800 (Wed, 10 Feb 2021)

Log Message

Don't crash when reparsing an arrow function and the parsing invariant is broken
https://bugs.webkit.org/show_bug.cgi?id=221632
<rdar://71874091>

Reviewed by Tadeu Zagallo and Mark Lam.

We have code where we assert that when reparsing an arrow function,
we see the '=>' token after parsing the parameters. Since we already
parsed the arrow function before, this assertion makes sense. But somehow,
this is leading to crashes on real websites. We don't know why this invariant
is being broken. I'm changing this to a debug assert, and we're tracking
the full fix in:
https://bugs.webkit.org/show_bug.cgi?id=221633

* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (272662 => 272663)


--- trunk/Source/_javascript_Core/ChangeLog	2021-02-10 18:26:43 UTC (rev 272662)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-02-10 18:46:57 UTC (rev 272663)
@@ -1,3 +1,22 @@
+2021-02-10  Saam Barati  <sbar...@apple.com>
+
+        Don't crash when reparsing an arrow function and the parsing invariant is broken
+        https://bugs.webkit.org/show_bug.cgi?id=221632
+        <rdar://71874091>
+
+        Reviewed by Tadeu Zagallo and Mark Lam.
+
+        We have code where we assert that when reparsing an arrow function,
+        we see the '=>' token after parsing the parameters. Since we already
+        parsed the arrow function before, this assertion makes sense. But somehow,
+        this is leading to crashes on real websites. We don't know why this invariant
+        is being broken. I'm changing this to a debug assert, and we're tracking
+        the full fix in:
+        https://bugs.webkit.org/show_bug.cgi?id=221633
+
+        * parser/Parser.cpp:
+        (JSC::Parser<LexerType>::parseInner):
+
 2021-02-09  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] C++ iteration should support fast iterator protocol
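Review bot: The ChangeLog entry describes the change only as making this "a debug assert", but the Parser.cpp change also alters release-build behaviour: a missing arrow token now returns a parse error ("Parser error") instead of terminating the process via RELEASE_ASSERT. Please state that in the entry, since a reparse that used to crash will now surface as a SyntaxError to script, and anyone triaging reports against bug 221633 needs to know which symptom to look for in which build configuration.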

Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (272662 => 272663)


--- trunk/Source/_javascript_Core/parser/Parser.cpp	2021-02-10 18:26:43 UTC (rev 272662)
+++ trunk/Source/_javascript_Core/parser/Parser.cpp	2021-02-10 18:46:57 UTC (rev 272663)
@@ -230,8 +230,17 @@
             parameters = parseFunctionParameters(context, functionInfo);
 
         if (SourceParseModeSet(SourceParseMode::ArrowFunctionMode, SourceParseMode::AsyncArrowFunctionMode).contains(parseMode) && !hasError()) {
-            // The only way we could have an error while reparsing is if we run out of stack space.
-            RELEASE_ASSERT(match(ARROWFUNCTION), m_token.m_type, static_cast<uint8_t>(parseMode), m_lexer->currentOffset(), m_lexer->codeLength());
+            // FIXME:
+            // Logically, this should be an assert, since we already successfully parsed the arrow
+            // function when syntax checking. So logically, we should see the arrow token here.
+            // But we're seeing crashes in the wild when making this an assert. Instead, we'll just
+            // handle it as an error in release builds, and an assert on debug builds, with the hopes
+            // of fixing it in the future.
+            // https://bugs.webkit.org/show_bug.cgi?id=221633
+            if (UNLIKELY(!match(ARROWFUNCTION))) {
+                ASSERT_NOT_REACHED();
+                return makeUnexpected("Parser error"_s);
+            }
             next();
             isArrowFunctionBodyExpression = !match(OPENBRACE);
         }
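Review bot: The new error path drops the diagnostics the old RELEASE_ASSERT carried (`m_token.m_type`, `static_cast<uint8_t>(parseMode)`, `m_lexer->currentOffset()`, `m_lexer->codeLength()`), and the bare `ASSERT_NOT_REACHED()` plus the generic `makeUnexpected("Parser error"_s)` give no information about the state the parser was in when the invariant failed. Since the comment says the root cause is unknown and is being tracked in bug 221633, consider keeping those values in the debug assertion message (for example via ASSERT_WITH_MESSAGE) and using a more specific error string, so the invariant violation remains diagnosable once it no longer crashes in release builds.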
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
