Bug 139165

Summary: Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: kling
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 139195    
Attachments:
Description Flags
Patch oliver: review+

Michael Saboff
Reported 2014-12-01 17:32:23 PST
1. go to weather.com 2. in search type "Whistler" 3. wait for autocomplete of the site * RESULTS Crash Process: com.apple.WebKit.WebContent [663] Path: /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent Identifier: com.apple.WebKit.WebContent Version: 10601 (10601.1.9) Build Info: WebKit2-7601001008001000~3 Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: Safari [559] User ID: 501 Date/Time: 2014-11-12 22:14:57.550 -0800 OS Version: Mac OS X 10.10.3 (14D31a) Report Version: 11 Anonymous UUID: 14FD5266-B6CC-9BD8-7A5C-722B5CF5D3DE Time Awake Since Boot: 1900 seconds Crashed Thread: 14 DFG Worklist Worker Thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef ... Thread 14 Crashed:: DFG Worklist Worker Thread 0 com.apple.JavaScriptCore 0x00007fff93049c9e WTFCrash + 62 1 com.apple.JavaScriptCore 0x00007fff9305ee39 WTF::CrashOnOverflow::overflowed() + 9 2 com.apple.JavaScriptCore 0x00007fff92f42e3c JSC::DFG::ByteCodeParser::handleGetById(int, unsigned int, JSC::DFG::Node*, unsigned int, JSC::GetByIdStatus const&) + 1708 3 com.apple.JavaScriptCore 0x00007fff92f3dd42 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 2290 4 com.apple.JavaScriptCore 0x00007fff92f3c12b JSC::DFG::ByteCodeParser::parseCodeBlock() + 1579 5 com.apple.JavaScriptCore 0x00007fff92f3b959 JSC::DFG::ByteCodeParser::parse() + 681 6 com.apple.JavaScriptCore 0x00007fff930c6361 JSC::DFG::parse(JSC::DFG::Graph&) + 433 7 com.apple.JavaScriptCore 0x00007fff9315e1e3 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 259 8 com.apple.JavaScriptCore 0x00007fff9315de7d JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 493 9 com.apple.JavaScriptCore 0x00007fff9319d272 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 546 10 com.apple.JavaScriptCore 0x00007fff92e77623 WTF::threadEntryPoint(void*) + 179 11 com.apple.JavaScriptCore 0x00007fff92e7754f WTF::wtfThreadEntryPoint(void*) + 15 12 libsystem_pthread.dylib 0x00007fff9bd74268 _pthread_body + 131 13 libsystem_pthread.dylib 0x00007fff9bd741e5 _pthread_start + 176 14 libsystem_pthread.dylib 0x00007fff9bd7241d thread_start + 13 <rdar://problem/18966258>
Attachments
Patch (2.09 KB, patch)
2014-12-01 17:41 PST, Michael Saboff 		oliver: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2014-12-01 17:41:27 PST
Created attachment 242369 [details] Patch
Michael Saboff
Comment 2 2014-12-01 18:49:47 PST
Committed r176624: <http://trac.webkit.org/changeset/176624>
Andreas Kling
Comment 3 2014-12-02 12:56:56 PST
Bummer that we didn't get a test for this. Also, isn't this an out-of-bounds vector access rather than an integer overflow?
Michael Saboff
Comment 4 2014-12-02 13:50:04 PST
(In reply to comment #3) > Bummer that we didn't get a test for this. Also, isn't this an out-of-bounds > vector access rather than an integer overflow? Filed <https://bugs.webkit.org/show_bug.cgi?id=139195> for adding a test case. It was an out-of-bounds Vector access crash, accessing element 0 of an empty vector.
Note You need to log in before you can comment on or make changes to this bug.