Title: [275343] trunk/Source/JavaScriptCore
- Revision: 275343
- Author: [email protected]
- Date: 2021-03-31 19:55:07 -0700 (Wed, 31 Mar 2021)
Log Message
UBSan: JSC::Parser<LexerType>::parseProperty(): runtime error: load of value nnn, which is not a valid value for type 'bool'
<https://webkit.org/b/223896>
<rdar://problem/75970132>
Reviewed by Darin Adler.
Based on a suggestion by Darin Adler.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseProperty):
- Change 'escaped' to 'wasUnescapedIdent' to avoid the undefined
behavior, since m_token.m_data.escaped is only set in the case
when an identifier is parsed (in Lexer<>::parseIdentifier()),
not a string (in Lexer<>::parseString()). This simplifies the
logic later in the method.
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (275342 => 275343)
--- trunk/Source/_javascript_Core/ChangeLog 2021-04-01 02:32:41 UTC (rev 275342)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-04-01 02:55:07 UTC (rev 275343)
@@ -1,3 +1,21 @@
+2021-03-31 David Kilzer <[email protected]>
+
+ UBSan: JSC::Parser<LexerType>::parseProperty(): runtime error: load of value nnn, which is not a valid value for type 'bool'
+ <https://webkit.org/b/223896>
+ <rdar://problem/75970132>
+
+ Reviewed by Darin Adler.
+
+ Based on a suggestion by Darin Adler.
+
+ * parser/Parser.cpp:
+ (JSC::Parser<LexerType>::parseProperty):
+ - Change 'escaped' to 'wasUnescapedIdent' to avoid the undefined
+ behavior since m_token.m_data.escaped is only set in the case
+ when an identifer is parsed (in Lexer<>::parseIdentifer()),
+ not a string (in Lexer<>::parseString()). This simplifies the
+ logic later in the method.
+
2021-03-31 Mark Lam <[email protected]>
Missing exception check in HashMapImpl::add().
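Review bot: The new ChangeLog entry misspells "identifier" twice in the bullet ("an identifer is parsed (in Lexer<>::parseIdentifer())"); the lexer function is parseIdentifier(), so the entry should read "when an identifier is parsed (in Lexer<>::parseIdentifier())" so that a grep for the function name finds this log entry.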
Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (275342 => 275343)
--- trunk/Source/_javascript_Core/parser/Parser.cpp 2021-04-01 02:32:41 UTC (rev 275342)
+++ trunk/Source/_javascript_Core/parser/Parser.cpp 2021-04-01 02:55:07 UTC (rev 275343)
@@ -4336,11 +4336,11 @@
case STRING: {
namedProperty:
const Identifier* ident = m_token.m_data.ident;
- bool escaped = m_token.m_data.escaped;
+ bool wasUnescapedIdent = wasIdent && !m_token.m_data.escaped;
unsigned getterOrSetterStartOffset = tokenStart();
JSToken identToken = m_token;
- if (wasIdent && !isGeneratorMethodParseMode(parseMode) && (!escaped && (*ident == m_vm.propertyNames->get || *ident == m_vm.propertyNames->set)))
+ if (wasUnescapedIdent && !isGeneratorMethodParseMode(parseMode) && (*ident == m_vm.propertyNames->get || *ident == m_vm.propertyNames->set))
nextExpectIdentifier(LexerFlags::IgnoreReservedWords);
else
nextExpectIdentifier(TreeBuilder::DontBuildKeywords | LexerFlags::IgnoreReservedWords);
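Review bot: The fix is correct because of the short-circuit in the new line `bool wasUnescapedIdent = wasIdent && !m_token.m_data.escaped;`: the removed line `bool escaped = m_token.m_data.escaped;` loaded the field unconditionally, including under `case STRING:` where, per the log message, parseString() never writes it, which is the indeterminate bool load UBSan reported; now the field is only read when `wasIdent` is true. A one-line comment at the declaration saying that m_data.escaped is only valid for identifier tokens would keep a future edit from reintroducing the unconditional read. The simplified `get`/`set` condition is equivalent to the old one for identifier tokens, since the old `wasIdent && ... && !escaped` guard is exactly what the new flag encodes.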
@@ -4379,7 +4379,7 @@
classifyExpressionError(ErrorIndicatesPattern);
Optional<PropertyNode::Type> type;
- if (!escaped) {
+ if (wasUnescapedIdent) {
if (*ident == m_vm.propertyNames->get)
type = PropertyNode::Getter;
else if (*ident == m_vm.propertyNames->set)
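Review bot: Changing `if (!escaped)` to `if (wasUnescapedIdent)` is the behavioural part of this patch, not just a rename: for a string-literal key the old branch depended on an indeterminate value, so a property such as `"get"` or `"set"` could have been classified as an accessor or not depending on whatever the field happened to hold, whereas now a string key never enters the Getter/Setter classification. That is the intended semantics (accessor syntax requires an identifier name), but since this is the one site where the garbage value affected parsing, a regression test with string-literal `"get"`/`"set"` keys in an object literal would lock the now-deterministic outcome in.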
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes