Bug 139165

Summary:

Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com

Product:

WebKit

Reporter:

Michael Saboff <msaboff>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

kling

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

139195

Attachments:

Description	Flags
Patch	oliver: review+

Description Michael Saboff 2014-12-01 17:32:23 PST

1. go to weather.com
2. in search type "Whistler"
3. wait for autocomplete of the site

* RESULTS
Crash

Process:               com.apple.WebKit.WebContent [663]
Path:                  /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
Identifier:            com.apple.WebKit.WebContent
Version:               10601 (10601.1.9)
Build Info:            WebKit2-7601001008001000~3
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           Safari [559]
User ID:               501

Date/Time:             2014-11-12 22:14:57.550 -0800
OS Version:            Mac OS X 10.10.3 (14D31a)
Report Version:        11
Anonymous UUID:        14FD5266-B6CC-9BD8-7A5C-722B5CF5D3DE


Time Awake Since Boot: 1900 seconds

Crashed Thread:        14  DFG Worklist Worker Thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef

...
 
Thread 14 Crashed:: DFG Worklist Worker Thread
0   com.apple.JavaScriptCore      	0x00007fff93049c9e WTFCrash + 62
1   com.apple.JavaScriptCore      	0x00007fff9305ee39 WTF::CrashOnOverflow::overflowed() + 9
2   com.apple.JavaScriptCore      	0x00007fff92f42e3c JSC::DFG::ByteCodeParser::handleGetById(int, unsigned int, JSC::DFG::Node*, unsigned int, JSC::GetByIdStatus const&) + 1708
3   com.apple.JavaScriptCore      	0x00007fff92f3dd42 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) + 2290
4   com.apple.JavaScriptCore      	0x00007fff92f3c12b JSC::DFG::ByteCodeParser::parseCodeBlock() + 1579
5   com.apple.JavaScriptCore      	0x00007fff92f3b959 JSC::DFG::ByteCodeParser::parse() + 681
6   com.apple.JavaScriptCore      	0x00007fff930c6361 JSC::DFG::parse(JSC::DFG::Graph&) + 433
7   com.apple.JavaScriptCore      	0x00007fff9315e1e3 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 259
8   com.apple.JavaScriptCore      	0x00007fff9315de7d JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 493
9   com.apple.JavaScriptCore      	0x00007fff9319d272 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 546
10  com.apple.JavaScriptCore      	0x00007fff92e77623 WTF::threadEntryPoint(void*) + 179
11  com.apple.JavaScriptCore      	0x00007fff92e7754f WTF::wtfThreadEntryPoint(void*) + 15
12  libsystem_pthread.dylib       	0x00007fff9bd74268 _pthread_body + 131
13  libsystem_pthread.dylib       	0x00007fff9bd741e5 _pthread_start + 176
14  libsystem_pthread.dylib       	0x00007fff9bd7241d thread_start + 13

<rdar://problem/18966258>

Comment 1 Michael Saboff 2014-12-01 17:41:27 PST

Created attachment 242369 [details]
Patch

Comment 2 Michael Saboff 2014-12-01 18:49:47 PST

Committed r176624: <http://trac.webkit.org/changeset/176624>

Comment 3 Andreas Kling 2014-12-02 12:56:56 PST

Bummer that we didn't get a test for this. Also, isn't this an out-of-bounds vector access rather than an integer overflow?

Comment 4 Michael Saboff 2014-12-02 13:50:04 PST

(In reply to comment #3)
> Bummer that we didn't get a test for this. Also, isn't this an out-of-bounds
> vector access rather than an integer overflow?

Filed <https://bugs.webkit.org/show_bug.cgi?id=139195> for adding a test case.

It was an out-of-bounds Vector access crash, accessing element 0 of an empty vector.