Changeset 202648 in webkit

Timestamp:

Jun 29, 2016 2:48:17 PM (8 years ago)

Author:

sbarati@apple.com

Message:

Destructuring variable declaration is missing a validation of the syntax of a sub production when there is a rhs
​https://bugs.webkit.org/show_bug.cgi?id=159267

Reviewed by Mark Lam.

Source/JavaScriptCore:

We were parsing something without checking if it had a syntax error.
This is wrong for many reasons, but it could actually cause a crash
in a debug build if you parsed particular programs.

• parser/Parser.cpp:

(JSC::Parser<LexerType>::parseVariableDeclarationList):

LayoutTests:

• js/parser-syntax-check-expected.txt:
• js/script-tests/parser-syntax-check.js:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/parser-syntax-check-expected.txt (modified) (1 diff)
• LayoutTests/js/script-tests/parser-syntax-check.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/parser/Parser.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-06-29  Saam barati  <sbarati@apple.com>
+
+        Destructuring variable declaration is missing a validation of the syntax of a sub production when there is a rhs
+        https://bugs.webkit.org/show_bug.cgi?id=159267
+
+        Reviewed by Mark Lam.
+
+        * js/parser-syntax-check-expected.txt:
+        * js/script-tests/parser-syntax-check.js:
+
 2016-06-29  Nan Wang  <n_wang@apple.com>
 

trunk/LayoutTests/js/parser-syntax-check-expected.txt

@@ -1100 +1100 @@
 PASS Invalid: "function f() { 1 % 
 -- }"
+PASS Invalid: "let {w} = (foo-=()), {} = ("a" ^= "b");"
+PASS Invalid: "function f() { let {w} = (foo-=()), {} = ("a" ^= "b"); }"
+PASS Invalid: "const {w} = (foo-=()), {} = ("a" ^= "b");"
+PASS Invalid: "function f() { const {w} = (foo-=()), {} = ("a" ^= "b"); }"
+PASS Invalid: "var {w} = (foo-=()), {} = ("a" ^= "b");"
+PASS Invalid: "function f() { var {w} = (foo-=()), {} = ("a" ^= "b"); }"
+PASS Invalid: "let {w} = ();"
+PASS Invalid: "function f() { let {w} = (); }"
+PASS Invalid: "let {w} = 1234abc;"
+PASS Invalid: "function f() { let {w} = 1234abc; }"
+PASS Invalid: "const {w} = 1234abc;"
+PASS Invalid: "function f() { const {w} = 1234abc; }"
+PASS Invalid: "var {w} = 1234abc;"
+PASS Invalid: "function f() { var {w} = 1234abc; }"
 Rest parameter
 PASS Valid:   "function foo(...a) { }"

trunk/LayoutTests/js/script-tests/parser-syntax-check.js

@@ -658 +658 @@
 invalid("1 % \n++");
 invalid("1 % \n--");
+invalid('let {w} = (foo-=()), {} = ("a" ^= "b");');
+invalid('const {w} = (foo-=()), {} = ("a" ^= "b");');
+invalid('var {w} = (foo-=()), {} = ("a" ^= "b");');
+invalid('let {w} = ();');
+invalid('let {w} = 1234abc;');
+invalid('const {w} = 1234abc;');
+invalid('var {w} = 1234abc;');
 
 debug("Rest parameter");

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-06-29  Saam barati  <sbarati@apple.com>
+
+        Destructuring variable declaration is missing a validation of the syntax of a sub production when there is a rhs
+        https://bugs.webkit.org/show_bug.cgi?id=159267
+
+        Reviewed by Mark Lam.
+
+        We were parsing something without checking if it had a syntax error.
+        This is wrong for many reasons, but it could actually cause a crash
+        in a debug build if you parsed particular programs.
+
+        * parser/Parser.cpp:
+        (JSC::Parser<LexerType>::parseVariableDeclarationList):
+
 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/parser/Parser.cpp

@@ -734 +734 @@
                 next(TreeBuilder::DontBuildStrings); // consume '='
                 TreeExpression rhs = parseAssignmentExpression(context);
+                propagateError();
+                ASSERT(rhs);
                 node = context.createDestructuringAssignment(location, pattern, rhs);
                 lastInitializer = rhs;