Bug 172754

Summary: Crash in JSC::Lexer<unsigned char>::setCode
Product: WebKit Reporter: june901116
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, buildbot, cedric.bellegarde, cgarcia, clopez, commit-queue, ggaren, june901116, keith_miller, mark.lam, mcatanzaro, msaboff, saam, ysuzuki
Priority: P2    
Version: Other   
Hardware: Unspecified   
OS: Linux   
Attachments:
Description Flags
PoC
none
gdb backtrace
none
GDB backtrace when running jsc (r218481) over the PoC
none
patch none

june901116
Reported 2017-05-31 08:38:24 PDT
Created attachment 311595 [details] PoC How to reproduce? 1. Run JavaScriptCore in Webgtk2.16.3 releases with Poc. $ ./jsc reproduce.js
Attachments
PoC (735 bytes, application/javascript)
2017-05-31 08:38 PDT, june901116 		no flags
Details
gdb backtrace (2.64 KB, text/plain)
2017-06-06 22:45 PDT, june901116 		no flags
Details
GDB backtrace when running jsc (r218481) over the PoC (21.88 KB, text/plain)
2017-06-19 04:50 PDT, Carlos Alberto Lopez Perez 		no flags
Details
patch (3.12 KB, patch)
2017-06-26 10:46 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
june901116
Comment 1 2017-06-06 22:45:42 PDT
Created attachment 312163 [details] gdb backtrace
Cédric Bellegarde
Comment 2 2017-06-19 04:25:12 PDT
*** Bug 173539 has been marked as a duplicate of this bug. ***
Carlos Alberto Lopez Perez
Comment 3 2017-06-19 04:45:48 PDT
Crash reproducible also with trunk (r218482) but the backtrace looks different
Carlos Alberto Lopez Perez
Comment 4 2017-06-19 04:50:58 PDT
Created attachment 313276 [details] GDB backtrace when running jsc (r218481) over the PoC
Cédric Bellegarde
Comment 5 2017-06-21 05:27:15 PDT
Same with 2.16.4
Saam Barati
Comment 6 2017-06-26 10:34:40 PDT
Looks like this line of code: m_buffer16.reserveInitialCapacity((m_codeEnd - m_code) / 2); Not sure why we're reserving this much memory. This change was done in r59061, so a long time ago.
Saam Barati
Comment 7 2017-06-26 10:46:13 PDT
Created attachment 313851 [details] patch
Mark Lam
Comment 8 2017-06-26 10:52:38 PDT
Comment on attachment 313851 [details] patch r=me
WebKit Commit Bot
Comment 9 2017-06-26 12:34:25 PDT
Comment on attachment 313851 [details] patch Clearing flags on attachment: 313851 Committed r218819: <http://trac.webkit.org/changeset/218819>
WebKit Commit Bot
Comment 10 2017-06-26 12:34:27 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.