Title: [272672] branches/safari-611.1.14.1-branch/Source/_javascript_Core
Revision
272672
Author
repst...@apple.com
Date
2021-02-10 12:05:55 -0800 (Wed, 10 Feb 2021)

Log Message

Cherry-pick r272663. rdar://problem/74197958

    Don't crash when reparsing an arrow function and the parsing invariant is broken
    https://bugs.webkit.org/show_bug.cgi?id=221632
    <rdar://71874091>

    Reviewed by Tadeu Zagallo and Mark Lam.

    We have code where we assert that when reparsing an arrow function,
    we see the '=>' token after parsing the parameters. Since we already
    parsed the arrow function before, this assertion makes sense. But somehow,
    this is leading to crashes on real websites. We don't know why this invariant
    is being broken. I'm changing this to a debug assert, and we're tracking
    the full fix in:
    https://bugs.webkit.org/show_bug.cgi?id=221633

    * parser/Parser.cpp:
    (JSC::Parser<LexerType>::parseInner):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272663 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-611.1.14.1-branch/Source/_javascript_Core/ChangeLog (272671 => 272672)


--- branches/safari-611.1.14.1-branch/Source/_javascript_Core/ChangeLog	2021-02-10 20:04:49 UTC (rev 272671)
+++ branches/safari-611.1.14.1-branch/Source/_javascript_Core/ChangeLog	2021-02-10 20:05:55 UTC (rev 272672)
@@ -1,3 +1,47 @@
+2021-02-10  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r272663. rdar://problem/74197958
+
+    Don't crash when reparsing an arrow function and the parsing invariant is broken
+    https://bugs.webkit.org/show_bug.cgi?id=221632
+    <rdar://71874091>
+    
+    Reviewed by Tadeu Zagallo and Mark Lam.
+    
+    We have code where we assert that when reparsing an arrow function,
+    we see the '=>' token after parsing the parameters. Since we already
+    parsed the arrow function before, this assertion makes sense. But somehow,
+    this is leading to crashes on real websites. We don't know why this invariant
+    is being broken. I'm changing this to a debug assert, and we're tracking
+    the full fix in:
+    https://bugs.webkit.org/show_bug.cgi?id=221633
+    
+    * parser/Parser.cpp:
+    (JSC::Parser<LexerType>::parseInner):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272663 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-02-10  Saam Barati  <sbar...@apple.com>
+
+            Don't crash when reparsing an arrow function and the parsing invariant is broken
+            https://bugs.webkit.org/show_bug.cgi?id=221632
+            <rdar://71874091>
+
+            Reviewed by Tadeu Zagallo and Mark Lam.
+
+            We have code where we assert that when reparsing an arrow function,
+            we see the '=>' token after parsing the parameters. Since we already
+            parsed the arrow function before, this assertion makes sense. But somehow,
+            this is leading to crashes on real websites. We don't know why this invariant
+            is being broken. I'm changing this to a debug assert, and we're tracking
+            the full fix in:
+            https://bugs.webkit.org/show_bug.cgi?id=221633
+
+            * parser/Parser.cpp:
+            (JSC::Parser<LexerType>::parseInner):
+
 2021-02-09  Russell Epstein  <repst...@apple.com>
 
         Cherry-pick r271571. rdar://problem/74146017
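Review bot: several added lines in this ChangeLog hunk are whitespace-only (`+    ` with trailing spaces after "<rdar://71874091>", after "Reviewed by ...", after the bug URL, and the three lines preceding the git-svn-id line); WebKit ChangeLog entries normally use empty lines there, so trimming the trailing whitespace before landing would keep the file consistent with the existing entries below it. The nested copy of the r272663 entry (indented under the cherry-pick header) otherwise matches the original trunk entry verbatim, including the bug IDs and the tracking bug 221633, so no content discrepancy to flag.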

Modified: branches/safari-611.1.14.1-branch/Source/_javascript_Core/parser/Parser.cpp (272671 => 272672)


--- branches/safari-611.1.14.1-branch/Source/_javascript_Core/parser/Parser.cpp	2021-02-10 20:04:49 UTC (rev 272671)
+++ branches/safari-611.1.14.1-branch/Source/_javascript_Core/parser/Parser.cpp	2021-02-10 20:05:55 UTC (rev 272672)
@@ -228,8 +228,17 @@
             parameters = parseFunctionParameters(context, parseMode, functionInfo);
 
         if (SourceParseModeSet(SourceParseMode::ArrowFunctionMode, SourceParseMode::AsyncArrowFunctionMode).contains(parseMode) && !hasError()) {
-            // The only way we could have an error while reparsing is if we run out of stack space.
-            RELEASE_ASSERT(match(ARROWFUNCTION), m_token.m_type, static_cast<uint8_t>(parseMode), m_lexer->currentOffset(), m_lexer->codeLength());
+            // FIXME:
+            // Logically, this should be an assert, since we already successfully parsed the arrow
+            // function when syntax checking. So logically, we should see the arrow token here.
+            // But we're seeing crashes in the wild when making this an assert. Instead, we'll just
+            // handle it as an error in release builds, and an assert on debug builds, with the hopes
+            // of fixing it in the future.
+            // https://bugs.webkit.org/show_bug.cgi?id=221633
+            if (UNLIKELY(!match(ARROWFUNCTION))) {
+                ASSERT_NOT_REACHED();
+                return makeUnexpected("Parser error"_s);
+            }
             next();
             isArrowFunctionBodyExpression = !match(OPENBRACE);
         }
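Review bot: the replaced RELEASE_ASSERT carried diagnostic arguments (m_token.m_type, the parseMode value, m_lexer->currentOffset() and m_lexer->codeLength()) that the new `ASSERT_NOT_REACHED()` path drops entirely, so the invariant violation this change is trying to understand (tracked in bug 221633) will now produce no crash-log data in release builds and only a bare assertion in debug builds. Consider keeping those values visible in the debug path, e.g. `ASSERT_WITH_MESSAGE(match(ARROWFUNCTION), ...)` or a dataLogLn of the token type and lexer offsets before the return, so that a future reproduction still yields the information the original assert recorded. Two smaller points: the error string `"Parser error"_s` is generic and indistinguishable from other failures surfaced through makeUnexpected; a message naming the missing '=>' token would make the resulting SyntaxError easier to attribute. And since release builds now turn what was a deterministic crash into a recoverable parse error, it is worth confirming that callers of parseInner treat this early return the same way as any other reparse failure (the surrounding `!hasError()` guard suggests they do, but the new return bypasses the usual error-setting path).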
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
