247644 2022-11-08 14:34:30 -0800 Segfault in JSC::IdentifierArena::makeBigIntDecimalIdentifier 2022-11-09 14:31:27 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 d_degazio d_degazio webkit-bug-importer oldest_to_newest 1911105 0 463459 d_degazio 2022-11-08 14:34:30 -0800 Created attachment 463459 Reproducing case The attached source fails with a segmentation fault when lexing the 0x1n bigint identifier. This seems to be because we use a JSBigInt value within the parser to handle converting non-decimal integer constants to decimal identifiers. When allocating this JSBigInt fails (in this case, because we have exhausted all memory in the previous invocation of foo), we try to throw an exception. In the lexer/parser however, there is no global object to throw an exception to, so the bigint implementation falls back to returning a null pointer, which causes the segfault when we use it later in makeBigIntDecimalIdentifier. rdar://98566429 1911123 1 d_degazio 2022-11-08 15:11:34 -0800 Pull request: https://github.com/WebKit/WebKit/pull/6271 1911365 2 ews-feeder 2022-11-09 14:31:25 -0800 Committed 256501@main (32b972813979): <https://commits.webkit.org/256501@main> Reviewed commits have been landed. Closing PR #6271 and removing active labels. 463459 2022-11-08 14:34:30 -0800 2022-11-08 14:34:30 -0800 Reproducing case segfault-in-identifierarena-makebigdecimalidentifier.js text/plain 218 d_degazio ZnVuY3Rpb24gZm9vKCkgewogIGxldCBtID0gbmV3IFdlYkFzc2VtYmx5Lk1lbW9yeSh7aW5pdGlh bDogMTAwMH0pOwogIHRyeSB7CiAgICBmb28oKTsKICB9IGNhdGNoIHt9CiAgZm9yIChsZXQgaSA9 IDA7IGkgPCAxMDAwOyBpKyspIHsKICAgIG5ldyBVaW50OEFycmF5KGkpOwogIH0KfQoKdHJ5IHsK ICBmb28oKTsKfSBjYXRjaCAoeCkge30KCmV2YWwoJ2NsYXNzIEN7MHgxbicpOwo=