[MERGE #6127 @boingoing] OS#18260560 - ASSERTION : scope at GetEnclosingFunc

boingoing · boingoing · commit bcb97d11d922 · 2019-05-21T12:07:32.000-07:00
Merge pull request #6127 from boingoing:bug_OS18260560 Named function expression with nested-function declared in default arguments containing a with statement referencing the parent function expression by name results in a null dereference of the enclosing scope. ```javascript (function foo(a = function bar() { with ({}) { foo; } }()) {})(); ``` We try and look at the param scope and body scope but we don't check the function expression scope in `ByteCodeGenerator::CheckDeferParseHasMaybeEscapedNestedFunc`. Simple fix is to check function expression scope if param and body scope are nullptr. Fixes: https://microsoft.visualstudio.com/OS/_workitems/edit/18260560 Found vis oss-fuzz
diff --git a/lib/Runtime/ByteCode/ByteCodeGenerator.cpp b/lib/Runtime/ByteCode/ByteCodeGenerator.cpp
@@ -2096,7 +2096,10 @@ void ByteCodeGenerator::CheckDeferParseHasMaybeEscapedNestedFunc()
     else
     {
         // We have to wait until it is parsed before we populate the stack nested func parent.
-        FuncInfo * parentFunc = top->GetParamScope() ? top->GetParamScope()->GetEnclosingFunc() : top->GetBodyScope()->GetEnclosingFunc();
+        Scope * enclosingScope = top->GetParamScope() ? top->GetParamScope() :
+                                 top->GetBodyScope() ? top->GetBodyScope() :
+                                 top->GetFuncExprScope();
+        FuncInfo * parentFunc = enclosingScope->GetEnclosingFunc();
         if (!parentFunc->IsGlobalFunction())
         {
             Assert(parentFunc->byteCodeFunction != rootFuncBody);
diff --git a/test/Bugs/bug_OS18260560.js b/test/Bugs/bug_OS18260560.js
@@ -0,0 +1,12 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+(function foo(a = function bar() {
+  with ({}) {
+      foo;
+  }
+}()) {})();
+
+console.log("pass");
diff --git a/test/Bugs/rlexe.xml b/test/Bugs/rlexe.xml
@@ -570,4 +570,10 @@
       <compile-flags>-maxinterpretcount:1 -maxsimplejitruncount:1 -MinMemOpCount:0 -werexceptionsupport  -bgjit- -loopinterpretcount:1</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug_OS18260560.js</files>
+      <compile-flags>-force:deferparse</compile-flags>
+    </default>
+  </test>
 </regress-exe>

Original file line number	Diff line number	Diff line change
`@@ -2096,7 +2096,10 @@ void ByteCodeGenerator::CheckDeferParseHasMaybeEscapedNestedFunc()`
`2096`	`2096`	`else`
`2097`	`2097`	`{`
`2098`	`2098`	`// We have to wait until it is parsed before we populate the stack nested func parent.`
`2099`		`- FuncInfo * parentFunc = top->GetParamScope() ? top->GetParamScope()->GetEnclosingFunc() : top->GetBodyScope()->GetEnclosingFunc();`
	`2099`	`+ Scope * enclosingScope = top->GetParamScope() ? top->GetParamScope() :`
	`2100`	`+ top->GetBodyScope() ? top->GetBodyScope() :`
	`2101`	`+ top->GetFuncExprScope();`
	`2102`	`+ FuncInfo * parentFunc = enclosingScope->GetEnclosingFunc();`
`2100`	`2103`	`if (!parentFunc->IsGlobalFunction())`
`2101`	`2104`	`{`
`2102`	`2105`	`Assert(parentFunc->byteCodeFunction != rootFuncBody);`