Title: [272668] branches/safari-611.1.14.0-branch/Source/_javascript_Core
Revision: 272668
Author: repst...@apple.com
Date: 2021-02-10 11:53:48 -0800 (Wed, 10 Feb 2021)
Log Message
Cherry-pick r272663. rdar://problem/74197969
Don't crash when reparsing an arrow function and the parsing invariant is broken
https://bugs.webkit.org/show_bug.cgi?id=221632
<rdar://71874091>
Reviewed by Tadeu Zagallo and Mark Lam.
We have code where we assert that when reparsing an arrow function,
we see the '=>' token after parsing the parameters. Since we already
parsed the arrow function before, this assertion makes sense. But somehow,
this is leading to crashes on real websites. We don't know why this invariant
is being broken. I'm changing this to a debug assert, and we're tracking
the full fix in:
https://bugs.webkit.org/show_bug.cgi?id=221633
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272663 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-611.1.14.0-branch/Source/_javascript_Core/ChangeLog (272667 => 272668)
--- branches/safari-611.1.14.0-branch/Source/_javascript_Core/ChangeLog 2021-02-10 19:50:03 UTC (rev 272667)
+++ branches/safari-611.1.14.0-branch/Source/_javascript_Core/ChangeLog 2021-02-10 19:53:48 UTC (rev 272668)
@@ -1,3 +1,47 @@
+2021-02-10 Ruben Turcios <rubent...@apple.com>
+
+ Cherry-pick r272663. rdar://problem/74197969
+
+ Don't crash when reparsing an arrow function and the parsing invariant is broken
+ https://bugs.webkit.org/show_bug.cgi?id=221632
+ <rdar://71874091>
+
+ Reviewed by Tadeu Zagallo and Mark Lam.
+
+ We have code where we assert that when reparsing an arrow function,
+ we see the '=>' token after parsing the parameters. Since we already
+ parsed the arrow function before, this assertion makes sense. But somehow,
+ this is leading to crashes on real websites. We don't know why this invariant
+ is being broken. I'm changing this to a debug assert, and we're tracking
+ the full fix in:
+ https://bugs.webkit.org/show_bug.cgi?id=221633
+
+ * parser/Parser.cpp:
+ (JSC::Parser<LexerType>::parseInner):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272663 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-02-10 Saam Barati <sbar...@apple.com>
+
+ Don't crash when reparsing an arrow function and the parsing invariant is broken
+ https://bugs.webkit.org/show_bug.cgi?id=221632
+ <rdar://71874091>
+
+ Reviewed by Tadeu Zagallo and Mark Lam.
+
+ We have code where we assert that when reparsing an arrow function,
+ we see the '=>' token after parsing the parameters. Since we already
+ parsed the arrow function before, this assertion makes sense. But somehow,
+ this is leading to crashes on real websites. We don't know why this invariant
+ is being broken. I'm changing this to a debug assert, and we're tracking
+ the full fix in:
+ https://bugs.webkit.org/show_bug.cgi?id=221633
+
+ * parser/Parser.cpp:
+ (JSC::Parser<LexerType>::parseInner):
+
2021-02-09 Russell Epstein <repst...@apple.com>
Cherry-pick r271571. rdar://problem/74145979
Modified: branches/safari-611.1.14.0-branch/Source/_javascript_Core/parser/Parser.cpp (272667 => 272668)
--- branches/safari-611.1.14.0-branch/Source/_javascript_Core/parser/Parser.cpp 2021-02-10 19:50:03 UTC (rev 272667)
+++ branches/safari-611.1.14.0-branch/Source/_javascript_Core/parser/Parser.cpp 2021-02-10 19:53:48 UTC (rev 272668)
@@ -228,8 +228,17 @@
parameters = parseFunctionParameters(context, parseMode, functionInfo);
if (SourceParseModeSet(SourceParseMode::ArrowFunctionMode, SourceParseMode::AsyncArrowFunctionMode).contains(parseMode) && !hasError()) {
- // The only way we could have an error while reparsing is if we run out of stack space.
- RELEASE_ASSERT(match(ARROWFUNCTION), m_token.m_type, static_cast<uint8_t>(parseMode), m_lexer->currentOffset(), m_lexer->codeLength());
+ // FIXME:
+ // Logically, this should be an assert, since we already successfully parsed the arrow
+ // function when syntax checking. So logically, we should see the arrow token here.
+ // But we're seeing crashes in the wild when making this an assert. Instead, we'll just
+ // handle it as an error in release builds, and an assert on debug builds, with the hopes
+ // of fixing it in the future.
+ // https://bugs.webkit.org/show_bug.cgi?id=221633
+ if (UNLIKELY(!match(ARROWFUNCTION))) {
+ ASSERT_NOT_REACHED();
+ return makeUnexpected("Parser error"_s);
+ }
next();
isArrowFunctionBodyExpression = !match(OPENBRACE);
}
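Review bot: the new `if (UNLIKELY(!match(ARROWFUNCTION)))` branch in this hunk discards the diagnostic payload that the removed `RELEASE_ASSERT(match(ARROWFUNCTION), m_token.m_type, static_cast<uint8_t>(parseMode), m_lexer->currentOffset(), m_lexer->codeLength())` carried, so a release build that reaches this path now surfaces only the generic `"Parser error"_s` with no record of which token, parse mode or source offset was actually seen. Since the FIXME comment says the root cause is still being tracked in bug 221633, consider recording those values (for example via WTF's dataLog) or at least returning a more specific message such as "Unexpected token while reparsing arrow function", so that in-the-wild occurrences are diagnosable and distinguishable from ordinary syntax errors. It is also worth confirming that every caller which reparses an already syntax-checked arrow function tolerates an unexpected result from parseInner rather than assuming success, given that the removed comment stated stack exhaustion was the only expected error on this path.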
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes