Changeset 207684 in webkit

Timestamp:

Oct 21, 2016 10:49:30 AM (8 years ago)

Author:

caitp@igalia.com

Message:

[JSC] don't crash when arguments to new Function() produce unexpected AST
​https://bugs.webkit.org/show_bug.cgi?id=163748

Reviewed by Mark Lam.

JSTests:

• stress/regress-163748.js: Added.

(assert):
(shouldThrowSyntaxError):
(GeneratorFunction):

Source/JavaScriptCore:

The ASSERT(statement); and ASSERT(funcDecl); lines are removed, replaced with blocks
to report a generic Parser error message. These lines are only possible to be reached
if the input string produced an unexpected AST, which previously could be used to crash
the process via ASSERT failure.

The node type assertions are left in the tree, as it should be impossible for a top-level
{ to produce anything other than a Block node. If the node turns out not to be a Block,
it indicates that the (C++) caller of this function (E.g in FunctionConstructor.cpp), is
doing something incorrect. Similarly, it should be impossible for the funcDecl node to
be anything other than a function declaration given the conventions of the caller of this
function.

• runtime/CodeCache.cpp:

(JSC::CodeCache::getFunctionExecutableFromGlobalCode):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/regress-163748.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/CodeCache.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-10-21  Caitlin Potter  <caitp@igalia.com>
+
+        [JSC] don't crash when arguments to `new Function()` produce unexpected AST
+        https://bugs.webkit.org/show_bug.cgi?id=163748
+
+        Reviewed by Mark Lam.
+
+        * stress/regress-163748.js: Added.
+        (assert):
+        (shouldThrowSyntaxError):
+        (GeneratorFunction):
+
 2016-10-20  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-10-21  Caitlin Potter  <caitp@igalia.com>
+
+        [JSC] don't crash when arguments to `new Function()` produce unexpected AST
+        https://bugs.webkit.org/show_bug.cgi?id=163748
+
+        Reviewed by Mark Lam.
+
+        The ASSERT(statement); and ASSERT(funcDecl); lines are removed, replaced with blocks
+        to report a generic Parser error message. These lines are only possible to be reached
+        if the input string produced an unexpected AST, which previously could be used to crash
+        the process via ASSERT failure.
+
+        The node type assertions are left in the tree, as it should be impossible for a top-level
+        `{` to produce anything other than a Block node. If the node turns out not to be a Block,
+        it indicates that the (C++) caller of this function (E.g in FunctionConstructor.cpp), is
+        doing something incorrect. Similarly, it should be impossible for the `funcDecl` node to
+        be anything other than a function declaration given the conventions of the caller of this
+        function.
+
+        * runtime/CodeCache.cpp:
+        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+
 2016-10-20  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/runtime/CodeCache.cpp

@@ -183 +183 @@
     // This function assumes an input string that would result in a single function declaration.
     StatementNode* statement = program->singleStatement();
-    ASSERT(statement);
+    if (UNLIKELY(!statement)) {
+        JSToken token;
+        error = ParserError(ParserError::SyntaxError, ParserError::SyntaxErrorIrrecoverable, token, "Parser error", -1);
+        return nullptr;
+    }
     ASSERT(statement->isBlock());
-    if (!statement || !statement->isBlock())
-        return nullptr;
 
     StatementNode* funcDecl = static_cast<BlockNode*>(statement)->singleStatement();
-    ASSERT(funcDecl);
+    if (UNLIKELY(!funcDecl)) {
+        JSToken token;
+        error = ParserError(ParserError::SyntaxError, ParserError::SyntaxErrorIrrecoverable, token, "Parser error", -1);
+        return nullptr;
+    }
     ASSERT(funcDecl->isFuncDeclNode());
-    if (!funcDecl || !funcDecl->isFuncDeclNode())
-        return nullptr;
 
     FunctionMetadataNode* metadata = static_cast<FuncDeclNode*>(funcDecl)->metadata();