179763 2017-11-16 05:46:44 -0800 REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject 2017-11-16 07:33:40 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 rmorisset rmorisset bfulgham buildbot commit-queue keith_miller mark.lam msaboff product-security saam webkit-bug-importer oldest_to_newest 1372576 0 rmorisset 2017-11-16 05:46:44 -0800 <rdar://problem/35550513>, this problem has been found by David Kilzer through fuzzing. The bug was exposed by a change in r224592 (the addition of phantomLocalDirect(virtualRegisterForArgument(0)) in flush) but is not directly related otherwise. The root cause of the bug was found by Saam Barati: when doing an OSR enter, |this| would be assumed to be a valid, non-null cell. This would then lead to the removal of tdz_check, making the next operation (pushByVal in this case) dereference the null value. 1372578 1 327057 rmorisset 2017-11-16 05:50:15 -0800 Created attachment 327057 Patch 1372580 2 327058 rmorisset 2017-11-16 06:03:01 -0800 Created attachment 327058 Patch 1372581 3 buildbot 2017-11-16 06:04:53 -0800 Attachment 327058 did not pass style-queue: ERROR: JSTests/ChangeLog:9: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style. 1372586 4 webkit-bug-importer 2017-11-16 06:26:59 -0800 <rdar://problem/35587643> 1372587 5 327058 keith_miller 2017-11-16 06:33:25 -0800 Comment on attachment 327058 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=327058&action=review r=me. > Source/JavaScriptCore/ChangeLog:3 > + REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216) We can probably drop the line number. 1372588 6 327058 rmorisset 2017-11-16 06:45:14 -0800 Comment on attachment 327058 Patch >Subversion Revision: 224677 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index acff454706f86bf6a95ba92f35d1fa8972a0680b..613051cc3feaf51da6d4940d7083102ff3160d7f 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,20 @@ >+2017-11-16 Robin Morisset <rmorisset@apple.com> >+ >+ REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject >+ https://bugs.webkit.org/show_bug.cgi?id=179763 >+ <rdar://problem/35550513> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Fix null pointer dereference caused by an eliminated tdz_check >+ >+ The problem was when doing an OSR entry in DFG while |this| was null >+ (because super() had not yet been called in the constructor of this >+ subclass), it would be marked as non-null, and the tdz_check eliminated. >+ >+ * dfg/DFGInPlaceAbstractState.cpp: >+ (JSC::DFG::InPlaceAbstractState::initialize): >+ > 2017-11-09 Yusuke Suzuki <utatane.tea@gmail.com> > > [JSC] Retry module fetching if previous request fails >diff --git a/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp >index b49cb4cd96234a9271ccab82c4e678ba93d78243..8d84990bdb56a83de86916d91373725c6b7c66dc 100644 >--- a/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp >+++ b/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp >@@ -129,7 +129,7 @@ void InPlaceAbstractState::initialize() > entrypoint->valuesAtHead.argument(i).setType(SpecBoolean); > break; > case FlushedCell: >- entrypoint->valuesAtHead.argument(i).setType(m_graph, SpecCell); >+ entrypoint->valuesAtHead.argument(i).setType(m_graph, SpecCellCheck); > break; > case FlushedJSValue: > entrypoint->valuesAtHead.argument(i).makeBytecodeTop(); >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 584a9a701226e1fab5e870400615cf4f31097d32..c9a4a34ee4e6b378ccc943a53fdeea24aee497b1 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,17 @@ >+2017-11-16 Robin Morisset <rmorisset@apple.com> >+ >+ REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject >+ https://bugs.webkit.org/show_bug.cgi?id=179763 >+ <rdar://problem/35550513> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Just adding a slightly cleaned-up version of the original fuzzer-found test. >+ >+ * stress/tdz-this-in-try-catch.js: Added. >+ (__v_6388): >+ (__v_6392): >+ > 2017-11-08 Saam Barati <sbarati@apple.com> > > A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile >diff --git a/JSTests/stress/tdz-this-in-try-catch.js b/JSTests/stress/tdz-this-in-try-catch.js >new file mode 100644 >index 0000000000000000000000000000000000000000..89f22baf572df31e68cfd463d1491567df03edef >--- /dev/null >+++ b/JSTests/stress/tdz-this-in-try-catch.js >@@ -0,0 +1,22 @@ >+var __v_6388 = class __c_95 { >+}; >+var __v_6392 = class __c_97 extends __v_6388 { >+ constructor() { >+ var __v_6407 = () => { >+ try { >+ __v_6386(); >+ } catch (e) {} >+ try { >+ super.foo = 'q'; >+ } catch (e) {} >+ super() >+ try { >+ this.idValue >+ } catch (e) {} >+ }; >+ __v_6407(); >+ } >+}; >+for (var i = 0; i < 1000; ++i) { >+ new __v_6392() >+} 1372589 7 rmorisset 2017-11-16 06:46:02 -0800 I just removed the line number from the Changelog, as suggested by Keith. 1372595 8 327058 commit-queue 2017-11-16 07:04:40 -0800 Comment on attachment 327058 Patch Clearing flags on attachment: 327058 Committed r224915: <https://trac.webkit.org/changeset/224915> 1372596 9 commit-queue 2017-11-16 07:04:42 -0800 All reviewed patches have been landed. Closing bug. 1372603 10 mark.lam 2017-11-16 07:33:40 -0800 <rdar://problem/35550513> 327057 2017-11-16 05:50:15 -0800 2017-11-16 06:02:58 -0800 Patch bug-179763-20171116145014.patch text/plain 1602 rmorisset U3VidmVyc2lvbiBSZXZpc2lvbjogMjI0Njc3CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvZGZnL0RGR0luUGxhY2VBYnN0cmFjdFN0YXRlLmNwcCBiL1NvdXJjZS9KYXZhU2NyaXB0 Q29yZS9kZmcvREZHSW5QbGFjZUFic3RyYWN0U3RhdGUuY3BwCmluZGV4IGI0OWNiNGNkOTYyMzRh OTI3MWNjYWI4MmM0ZTY3OGJhOTNkNzgyNDMuLjhkODQ5OTBiZGI1NmE4M2RlODY5MTZkOTEzNzM3 MjVjNmI3YzY2ZGMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHSW5Q bGFjZUFic3RyYWN0U3RhdGUuY3BwCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZH SW5QbGFjZUFic3RyYWN0U3RhdGUuY3BwCkBAIC0xMjksNyArMTI5LDcgQEAgdm9pZCBJblBsYWNl QWJzdHJhY3RTdGF0ZTo6aW5pdGlhbGl6ZSgpCiAgICAgICAgICAgICAgICAgICAgIGVudHJ5cG9p bnQtPnZhbHVlc0F0SGVhZC5hcmd1bWVudChpKS5zZXRUeXBlKFNwZWNCb29sZWFuKTsKICAgICAg ICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAgY2FzZSBGbHVzaGVkQ2VsbDoK LSAgICAgICAgICAgICAgICAgICAgZW50cnlwb2ludC0+dmFsdWVzQXRIZWFkLmFyZ3VtZW50KGkp LnNldFR5cGUobV9ncmFwaCwgU3BlY0NlbGwpOworICAgICAgICAgICAgICAgICAgICBlbnRyeXBv aW50LT52YWx1ZXNBdEhlYWQuYXJndW1lbnQoaSkuc2V0VHlwZShtX2dyYXBoLCBTcGVjQ2VsbENo ZWNrKTsKICAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAgY2FzZSBG bHVzaGVkSlNWYWx1ZToKICAgICAgICAgICAgICAgICAgICAgZW50cnlwb2ludC0+dmFsdWVzQXRI ZWFkLmFyZ3VtZW50KGkpLm1ha2VCeXRlY29kZVRvcCgpOwpkaWZmIC0tZ2l0IGEvSlNUZXN0cy9z dHJlc3MvdGR6LXRoaXMtaW4tdHJ5LWNhdGNoLmpzIGIvSlNUZXN0cy9zdHJlc3MvdGR6LXRoaXMt aW4tdHJ5LWNhdGNoLmpzCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjg5ZjIyYmFmNTcyZGYzMWU2OGNmZDQ2M2QxNDkx NTY3ZGYwM2VkZWYKLS0tIC9kZXYvbnVsbAorKysgYi9KU1Rlc3RzL3N0cmVzcy90ZHotdGhpcy1p bi10cnktY2F0Y2guanMKQEAgLTAsMCArMSwyMiBAQAordmFyIF9fdl82Mzg4ID0gY2xhc3MgX19j Xzk1IHsKK307Cit2YXIgX192XzYzOTIgPSBjbGFzcyBfX2NfOTcgZXh0ZW5kcyBfX3ZfNjM4OCB7 CisgIGNvbnN0cnVjdG9yKCkgeworICAgIHZhciBfX3ZfNjQwNyA9ICgpID0+IHsKKyAgICAgICAg dHJ5IHsKKyAgICAgICAgICBfX3ZfNjM4NigpOworICAgICAgICB9IGNhdGNoIChlKSB7fQorICAg ICAgICB0cnkgeworICAgICAgICAgIHN1cGVyLmZvbyA9ICdxJzsKKyAgICAgICAgfSBjYXRjaCAo ZSkge30KKyAgICAgICAgc3VwZXIoKQorICAgICAgICB0cnkgeworICAgICAgICAgIHRoaXMuaWRW YWx1ZQorICAgICAgICB9IGNhdGNoIChlKSB7fQorICAgIH07CisgICAgX192XzY0MDcoKTsKKyAg fQorfTsKK2ZvciAodmFyIGkgPSAwOyBpIDwgMTAwMDsgKytpKSB7CisgICAgbmV3IF9fdl82Mzky KCkKK30K 327058 2017-11-16 06:03:01 -0800 2017-11-16 07:04:40 -0800 Patch bug-179763-20171116150259.patch text/plain 3551 rmorisset U3VidmVyc2lvbiBSZXZpc2lvbjogMjI0Njc3CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCBh Y2ZmNDU0NzA2Zjg2YmY2YTk1YmE5MmYzNWQxZmE4OTcyYTA2ODBiLi42MTMwNTFjYzNmZWFmNTFk YTZkNDk0MGQ3MDgzMTAyZmYzMTYwZDdmIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwyMCBAQAorMjAxNy0xMS0xNiAgUm9iaW4gTW9yaXNzZXQgIDxybW9yaXNzZXRAYXBwbGUu Y29tPgorCisgICAgICAgIFJFR1JFU1NJT04gKHIyMjQ1OTIpOiBvc3MtZnV6ejoganNjOiBOdWxs LWRlcmVmZXJlbmNlIFJFQUQgaW4gSlNDOjpKU0NlbGw6OmlzT2JqZWN0ICg0MjE2KQorICAgICAg ICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTc5NzYzCisgICAgICAg IDxyZGFyOi8vcHJvYmxlbS8zNTU1MDUxMz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkg KE9PUFMhKS4KKworICAgICAgICBGaXggbnVsbCBwb2ludGVyIGRlcmVmZXJlbmNlIGNhdXNlZCBi eSBhbiBlbGltaW5hdGVkIHRkel9jaGVjaworCisgICAgICAgIFRoZSBwcm9ibGVtIHdhcyB3aGVu IGRvaW5nIGFuIE9TUiBlbnRyeSBpbiBERkcgd2hpbGUgfHRoaXN8IHdhcyBudWxsCisgICAgICAg IChiZWNhdXNlIHN1cGVyKCkgaGFkIG5vdCB5ZXQgYmVlbiBjYWxsZWQgaW4gdGhlIGNvbnN0cnVj dG9yIG9mIHRoaXMKKyAgICAgICAgc3ViY2xhc3MpLCBpdCB3b3VsZCBiZSBtYXJrZWQgYXMgbm9u LW51bGwsIGFuZCB0aGUgdGR6X2NoZWNrIGVsaW1pbmF0ZWQuCisKKyAgICAgICAgKiBkZmcvREZH SW5QbGFjZUFic3RyYWN0U3RhdGUuY3BwOgorICAgICAgICAoSlNDOjpERkc6OkluUGxhY2VBYnN0 cmFjdFN0YXRlOjppbml0aWFsaXplKToKKwogMjAxNy0xMS0wOSAgWXVzdWtlIFN1enVraSAgPHV0 YXRhbmUudGVhQGdtYWlsLmNvbT4KIAogICAgICAgICBbSlNDXSBSZXRyeSBtb2R1bGUgZmV0Y2hp bmcgaWYgcHJldmlvdXMgcmVxdWVzdCBmYWlscwpkaWZmIC0tZ2l0IGEvU291cmNlL0phdmFTY3Jp cHRDb3JlL2RmZy9ERkdJblBsYWNlQWJzdHJhY3RTdGF0ZS5jcHAgYi9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvZGZnL0RGR0luUGxhY2VBYnN0cmFjdFN0YXRlLmNwcAppbmRleCBiNDljYjRjZDk2MjM0 YTkyNzFjY2FiODJjNGU2NzhiYTkzZDc4MjQzLi44ZDg0OTkwYmRiNTZhODNkZTg2OTE2ZDkxMzcz NzI1YzZiN2M2NmRjIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR0lu UGxhY2VBYnN0cmFjdFN0YXRlLmNwcAorKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RG R0luUGxhY2VBYnN0cmFjdFN0YXRlLmNwcApAQCAtMTI5LDcgKzEyOSw3IEBAIHZvaWQgSW5QbGFj ZUFic3RyYWN0U3RhdGU6OmluaXRpYWxpemUoKQogICAgICAgICAgICAgICAgICAgICBlbnRyeXBv aW50LT52YWx1ZXNBdEhlYWQuYXJndW1lbnQoaSkuc2V0VHlwZShTcGVjQm9vbGVhbik7CiAgICAg ICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgICAgIGNhc2UgRmx1c2hlZENlbGw6 Ci0gICAgICAgICAgICAgICAgICAgIGVudHJ5cG9pbnQtPnZhbHVlc0F0SGVhZC5hcmd1bWVudChp KS5zZXRUeXBlKG1fZ3JhcGgsIFNwZWNDZWxsKTsKKyAgICAgICAgICAgICAgICAgICAgZW50cnlw b2ludC0+dmFsdWVzQXRIZWFkLmFyZ3VtZW50KGkpLnNldFR5cGUobV9ncmFwaCwgU3BlY0NlbGxD aGVjayk7CiAgICAgICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgICAgIGNhc2Ug Rmx1c2hlZEpTVmFsdWU6CiAgICAgICAgICAgICAgICAgICAgIGVudHJ5cG9pbnQtPnZhbHVlc0F0 SGVhZC5hcmd1bWVudChpKS5tYWtlQnl0ZWNvZGVUb3AoKTsKZGlmZiAtLWdpdCBhL0pTVGVzdHMv Q2hhbmdlTG9nIGIvSlNUZXN0cy9DaGFuZ2VMb2cKaW5kZXggNTg0YTlhNzAxMjI2ZTFmYWI1ZTg3 MDQwMDYxNWNmNGYzMTA5N2QzMi4uYzlhNGEzNGVlNGU2YjM3OGNjYzk0M2E1M2ZkZWVhMjRhZWU0 OTdiMSAxMDA2NDQKLS0tIGEvSlNUZXN0cy9DaGFuZ2VMb2cKKysrIGIvSlNUZXN0cy9DaGFuZ2VM b2cKQEAgLTEsMyArMSwxNyBAQAorMjAxNy0xMS0xNiAgUm9iaW4gTW9yaXNzZXQgIDxybW9yaXNz ZXRAYXBwbGUuY29tPgorCisgICAgICAgIFJFR1JFU1NJT04gKHIyMjQ1OTIpOiBvc3MtZnV6ejog anNjOiBOdWxsLWRlcmVmZXJlbmNlIFJFQUQgaW4gSlNDOjpKU0NlbGw6OmlzT2JqZWN0ICg0MjE2 KQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTc5NzYz CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8zNTU1MDUxMz4KKworICAgICAgICBSZXZpZXdlZCBi eSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBKdXN0IGFkZGluZyBhIHNsaWdodGx5IGNsZWFu ZWQtdXAgdmVyc2lvbiBvZiB0aGUgb3JpZ2luYWwgZnV6emVyLWZvdW5kIHRlc3QuCisKKyAgICAg ICAgKiBzdHJlc3MvdGR6LXRoaXMtaW4tdHJ5LWNhdGNoLmpzOiBBZGRlZC4KKyAgICAgICAgKF9f dl82Mzg4KToKKyAgICAgICAgKF9fdl82MzkyKToKKwogMjAxNy0xMS0wOCAgU2FhbSBCYXJhdGkg IDxzYmFyYXRpQGFwcGxlLmNvbT4KIAogICAgICAgICBBIEpTRnVuY3Rpb24ncyBPYmplY3RBbGxv Y2F0aW9uUHJvZmlsZSBzaG91bGQgd2F0Y2ggdGhlIHBvbHkgcHJvdG90eXBlIHdhdGNocG9pbnQg c28gaXQgY2FuIGNsZWFyIGl0cyBvYmplY3QgYWxsb2NhdGlvbiBwcm9maWxlCmRpZmYgLS1naXQg YS9KU1Rlc3RzL3N0cmVzcy90ZHotdGhpcy1pbi10cnktY2F0Y2guanMgYi9KU1Rlc3RzL3N0cmVz cy90ZHotdGhpcy1pbi10cnktY2F0Y2guanMKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uODlmMjJiYWY1NzJkZjMxZTY4 Y2ZkNDYzZDE0OTE1NjdkZjAzZWRlZgotLS0gL2Rldi9udWxsCisrKyBiL0pTVGVzdHMvc3RyZXNz L3Rkei10aGlzLWluLXRyeS1jYXRjaC5qcwpAQCAtMCwwICsxLDIyIEBACit2YXIgX192XzYzODgg PSBjbGFzcyBfX2NfOTUgeworfTsKK3ZhciBfX3ZfNjM5MiA9IGNsYXNzIF9fY185NyBleHRlbmRz IF9fdl82Mzg4IHsKKyAgY29uc3RydWN0b3IoKSB7CisgICAgdmFyIF9fdl82NDA3ID0gKCkgPT4g eworICAgICAgICB0cnkgeworICAgICAgICAgIF9fdl82Mzg2KCk7CisgICAgICAgIH0gY2F0Y2gg KGUpIHt9CisgICAgICAgIHRyeSB7CisgICAgICAgICAgc3VwZXIuZm9vID0gJ3EnOworICAgICAg ICB9IGNhdGNoIChlKSB7fQorICAgICAgICBzdXBlcigpCisgICAgICAgIHRyeSB7CisgICAgICAg ICAgdGhpcy5pZFZhbHVlCisgICAgICAgIH0gY2F0Y2ggKGUpIHt9CisgICAgfTsKKyAgICBfX3Zf NjQwNygpOworICB9Cit9OworZm9yICh2YXIgaSA9IDA7IGkgPCAxMDAwOyArK2kpIHsKKyAgICBu ZXcgX192XzYzOTIoKQorfQo=