Samsung / escargot

Escargot is a lightweight JavaScript engine designed specifically for resource-constrained environments.
GNU Lesser General Public License v2.1

Assertion `this->match(PunctuatorKind::GuessDot)' failed in Escargot::esprima::Parser::parseLeftHandSideExpression #1304

Closed Ye0nny closed 7 months ago

Ye0nny commented 9 months ago

Escargot

Build Steps

cmake -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

Describe the bug

Assertion failure

Test case

testcase

```javascript
if ( isNaN ( true % null )!== true ) { throw new Test262Error ( " 1 : true % null === Not - a - Number. Actual : " + true % null ) ; }
if ( null % true!== 0 ) { throw new Test262Error ( " 2 : null % true === 0 Actual : " + null % true ) ; }
if ( isNaN ( new Boolean Number ( true ) % null )!== true ) { throw new Test262Error ( " 2 : new Boolean ( true ) % null === Not - a - Number. Actual : " + new Boolean ( true ) % null ) ; }
if ( null % new Boolean ( true )!== 0 ) { throw new Test262Error ( " 4 : null % new Boolean ( true ) === 0 Actual : " + null % new Boolean ( true ) ) ; }
```

```javascript
// poc.js
if ( isNaN ( true % null )!== true ) { throw new Test262Error ( " 1 : true % null === Not - a - Number. Actual : " + true % null ) ; }
if ( null % true!== 0 ) { throw new Test262Error ( " 2 : null % true === 0 Actual : " + null % true ) ; }
if ( isNaN ( new Boolean Number ( true ) % null )!== true ) { throw new Test262Error ( " " ) ; }
```

Execution steps & Output

$ ./escargot/escargot poc.js
escargot: src/parser/esprima_cpp/esprima.cpp:2720: typename ASTBuilder::ASTNode Escargot::esprima::Parser::parseLeftHandSideExpression(ASTBuilder&) [with ASTBuilder = Escargot::NodeGenerator; typename ASTBuilder::ASTNode = Escargot::Node*]: Assertion `this->match(PunctuatorKind::GuessDot)' failed.
Aborted

Backtrace

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7a70859 in __GI_abort () at abort.c:79
#2  0x00007ffff7a70729 in __assert_fail_base (fmt=0x7ffff7c06588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555555b2b840 "this->match(PunctuatorKind::GuessDot)", file=0x555555b1fca0 "src/parser/esprima_cpp/esprima.cpp", line=2720, function=<optimized out>) at assert.c:92
#3  0x00007ffff7a81fd6 in __GI___assert_fail (assertion=0x555555b2b840 "this->match(PunctuatorKind::GuessDot)", file=0x555555b1fca0 "src/parser/esprima_cpp/esprima.cpp", line=2720,
    function=0x555555b2d208 "typename ASTBuilder::ASTNode Escargot::esprima::Parser::parseLeftHandSideExpression(ASTBuilder&) [with ASTBuilder = Escargot::NodeGenerator; typename ASTBuilder::ASTNode = Escargot::Node*]") at assert.c:101
#4  0x00005555558915e6 in Escargot::esprima::Parser::parseLeftHandSideExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2720
#5  0x000055555583bc81 in Escargot::esprima::Parser::isolateCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x555555890c98 <Escargot::esprima::Parser::parseLeftHandSideExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:989
#6  0x0000555555884a1f in Escargot::esprima::Parser::parseNewExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2359
#7  0x000055555584aef7 in Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x555555884770 <Escargot::esprima::Parser::parseNewExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:1013
#8  0x000055555586d3a3 in Escargot::esprima::Parser::parseLeftHandSideExpressionAllowCall<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2476
#9  0x000055555584aef7 in Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x55555586d0fa <Escargot::esprima::Parser::parseLeftHandSideExpressionAllowCall<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:1013
#10 0x000055555588acb1 in Escargot::esprima::Parser::parseUpdateExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2772
#11 0x0000555555873d5f in Escargot::esprima::Parser::parseUnaryExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2929
#12 0x000055555584aef7 in Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x5555558731c8 <Escargot::esprima::Parser::parseUnaryExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:1013
#13 0x000055555585ee45 in Escargot::esprima::Parser::parseExponentiationExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2937
#14 0x000055555584aef7 in Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x55555585ed22 <Escargot::esprima::Parser::parseExponentiationExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:1013
#15 0x000055555584a607 in Escargot::esprima::Parser::parseBinaryExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:3035
#16 0x000055555584aef7 in Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x55555584a4c8 <Escargot::esprima::Parser::parseBinaryExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:1013
#17 0x000055555583c044 in Escargot::esprima::Parser::parseConditionalExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:3186
#18 0x000055555583a199 in Escargot::esprima::Parser::parseAssignmentExpression<Escargot::NodeGenerator, false> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:3228
#19 0x000055555583bc81 in Escargot::esprima::Parser::isolateCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x555555839eda <Escargot::esprima::Parser::parseAssignmentExpression<Escargot::NodeGenerator, false>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:989
#20 0x0000555555885937 in Escargot::esprima::Parser::parseArguments<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2287
#21 0x000055555586d62b in Escargot::esprima::Parser::parseLeftHandSideExpressionAllowCall<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2498
#22 0x000055555584aef7 in Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x55555586d0fa <Escargot::esprima::Parser::parseLeftHandSideExpressionAllowCall<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:1013
#23 0x000055555588acb1 in Escargot::esprima::Parser::parseUpdateExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2772
#24 0x0000555555873d5f in Escargot::esprima::Parser::parseUnaryExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2929
#25 0x000055555584aef7 in Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x5555558731c8 <Escargot::esprima::Parser::parseUnaryExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:1013
#26 0x000055555585ee45 in Escargot::esprima::Parser::parseExponentiationExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:2937
#27 0x000055555584aef7 in Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x55555585ed22 <Escargot::esprima::Parser::parseExponentiationExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:1013
#28 0x000055555584a607 in Escargot::esprima::Parser::parseBinaryExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:3035
#29 0x000055555584aef7 in Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x55555584a4c8 <Escargot::esprima::Parser::parseBinaryExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:1013
#30 0x000055555583c044 in Escargot::esprima::Parser::parseConditionalExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:3186
#31 0x000055555583a199 in Escargot::esprima::Parser::parseAssignmentExpression<Escargot::NodeGenerator, false> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:3228
#32 0x000055555583bc81 in Escargot::esprima::Parser::isolateCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)> (this=0x7fffffffd9a0, builder=..., parseFunction=
    (class Escargot::Node *(Escargot::esprima::Parser::*)(class Escargot::esprima::Parser * const, class Escargot::NodeGenerator &)) 0x555555839eda <Escargot::esprima::Parser::parseAssignmentExpression<Escargot::NodeGenerator, false>(Escargot::NodeGenerator&)>) at src/parser/esprima_cpp/esprima.cpp:989
#33 0x0000555555850566 in Escargot::esprima::Parser::parseExpression<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:3609
#34 0x0000555555858ccb in Escargot::esprima::Parser::parseIfStatement<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:4082
#35 0x0000555555845bc5 in Escargot::esprima::Parser::parseStatement<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=..., allowFunctionDeclaration=true, shouldTopLevelDeclaration=false) at src/parser/esprima_cpp/esprima.cpp:4924
#36 0x00005555558396bf in Escargot::esprima::Parser::parseStatementListItem<Escargot::NodeGenerator> (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:3662
#37 0x000055555582315e in Escargot::esprima::Parser::parseProgram (this=0x7fffffffd9a0, builder=...) at src/parser/esprima_cpp/esprima.cpp:6896
#38 0x00005555558244a4 in Escargot::esprima::parseProgram (ctx=0xa3af0, source=..., outerClassInfo=0x0, isModule=false, strictFromOutside=false, inWith=false, allowSuperCallFromOutside=false, allowSuperPropertyFromOutside=false, allowNewTargetFromOutside=false, allowArgumentsFromOutside=true) at src/parser/esprima_cpp/esprima.cpp:7122
#39 0x00005555557e5b56 in Escargot::ScriptParser::initializeScript (this=0x59f70, originSource=0x0, originLineOffset=0, source=0xabf70, srcName=0x7a390, parentCodeBlock=0x0, isModule=false, isEvalMode=false, isEvalCodeInFunction=false, inWithOperation=false, strictFromOutside=false, allowSuperCall=false, allowSuperProperty=false, allowNewTarget=false,
    needByteCodeGeneration=true) at src/parser/ScriptParser.cpp:394
#40 0x000055555563bec4 in Escargot::ScriptParser::initializeScript (this=0x59f70, source=0xabf70, srcName=0x7a390, isModule=false) at src/parser/ScriptParser.h:57
#41 0x000055555564333d in Escargot::ScriptParserRef::initializeScript (this=0x59f70, source=0xabf70, srcName=0x7a390, isModule=false) at src/api/EscargotPublic.cpp:4626
#42 0x00005555559a3d07 in evalScript (context=0xa3af0, source=0xabf70, srcName=0x7a390, shouldPrintScriptResult=false, isModule=false) at src/shell/Shell.cpp:751
#43 0x00005555559a52bd in main (argc=2, argv=0x7fffffffe348) at src/shell/Shell.cpp:1130

Expected behavior

SyntaxError: Expected ')'
    at code (poc.js:3:26)

Credits: @Ye0nny, @EJueon
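The expected behaviour above can be checked with a small parse oracle. This is an added example, not code from the issue or from Escargot: it assumes a conforming engine (Node) as the reference, hands each statement of the reduced poc.js to `new Function`, which parses without executing, and records whether the parser accepts the source or raises a SyntaxError. A debug-build abort, as reported, is neither verdict and is what a triager flags.

```javascript
// Added example (not from the Escargot issue or project). Reference oracle:
// a conforming engine's parser, reached through `new Function`, which parses
// the source as a function body and throws SyntaxError on ill-formed input
// without running it. ReferenceErrors such as Test262Error being undefined
// never surface, because the body is never invoked.

// Reproduced from the issue's reduced poc.js, one statement per entry.
const POC_LINES = [
  'if ( isNaN ( true % null )!== true ) { throw new Test262Error ( " 1 : true % null === Not - a - Number. Actual : " + true % null ) ; }',
  'if ( null % true!== 0 ) { throw new Test262Error ( " 2 : null % true === 0 Actual : " + null % true ) ; }',
  'if ( isNaN ( new Boolean Number ( true ) % null )!== true ) { throw new Test262Error ( " " ) ; }',
];

// Classify one statement: 'ok' when the reference parser accepts it,
// 'syntax-error' when it rejects it. Any other exception is a harness bug.
function classifyParse(source) {
  try {
    new Function(source); // parse only; the body is never called
    return { verdict: 'ok', error: null };
  } catch (e) {
    if (e instanceof SyntaxError) {
      return { verdict: 'syntax-error', error: e.message };
    }
    throw e;
  }
}

// Run the oracle over every statement and number the lines as the issue's
// expected output does (poc.js:3 is the offending `new Boolean Number`).
function triage(lines) {
  return lines.map((src, i) => ({ line: i + 1, ...classifyParse(src) }));
}

// The verdict the engine under test should reproduce for poc.js: lines 1-2
// parse, line 3 is a SyntaxError. Returns the first line whose verdict differs
// from the reference, or 0 when all agree.
function firstDisagreement(referenceResults, candidateVerdicts) {
  for (const r of referenceResults) {
    if (candidateVerdicts[r.line - 1] !== r.verdict) return r.line;
  }
  return 0;
}

console.log(JSON.stringify(triage(POC_LINES), null, 2));
```

Feeding the engine under test's own accept/reject verdicts (a SyntaxError thrown, or an abort recorded as `'abort'`) into `firstDisagreement` gives the line number to bisect on.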

clover2123 commented 9 months ago

@Ye0nny @EJueon Thanks for reporting issues. May I ask how or where you got these test codes? Did you generate these tests yourself?

Ye0nny commented 9 months ago

@clover2123 Thanks for your question. :) These test cases have been generated based on our research results. Additionally, the poc files are manually reduced ones.

clover2123 commented 9 months ago

@Ye0nny

> These test cases have been generated based on our research results.

Could you share your research result with us? Or if there are research papers of yours, please let us know. We may improve the Escargot engine's reliability/security based on your works :)

Ye0nny commented 9 months ago

@clover2123 It's an honor. Our paper is scheduled to be published soon. We'll let you know as soon as it's published. Thank you.

clover2123 commented 7 months ago

Fixed by #1327. Thanks for reporting bugs.