Bug 200388

Summary: [JSC] LazyJSValue should be robust for empty JSValue
Product: WebKit Reporter: zhunkibatu
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch saam: review+

zhunkibatu
Reported 2019-08-02 03:43:10 PDT
the following poc can trigger an null pointer deref in DFGCFGSimplificationPhase.cpp function foo(x) { switch (x) { case "a": case "a": case "a": for (let j = 0; j <100; j++) { let j=foo(j); } default: return 2; } } for (let i = 0; i <100000; i++) { foo("ab"); }
Attachments
Patch (6.66 KB, patch)
2019-08-02 14:49 PDT, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2019-08-02 13:26:43 PDT
REproduces in shipping Safari. Thread 9 Crashed:: DFG Worklist Worker Thread 0 com.apple.JavaScriptCore 0x00007fff30522a78 JSC::DFG::LazyJSValue::strictEqual(JSC::DFG::LazyJSValue const&) const + 408 1 com.apple.JavaScriptCore 0x00007fff2febf028 JSC::DFG::CFGSimplificationPhase::run() + 2504 2 com.apple.JavaScriptCore 0x00007fff30471ca8 bool JSC::DFG::runPhase<JSC::DFG::CFGSimplificationPhase>(JSC::DFG::Graph&) + 72 3 com.apple.JavaScriptCore 0x00007fff305c2aa9 JSC::DFG::Plan::compileInThreadImpl() + 2633 4 com.apple.JavaScriptCore 0x00007fff305c17fe JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) + 382 5 com.apple.JavaScriptCore 0x00007fff3060fa8c JSC::DFG::Worklist::ThreadBody::work() + 300 6 com.apple.JavaScriptCore 0x00007fff2ffa2a00 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 304 7 com.apple.JavaScriptCore 0x00007fff2ffd57f2 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 194 8 com.apple.JavaScriptCore 0x00007fff2fdf4c39 WTF::wtfThreadEntryPoint(void*) + 9 9 libsystem_pthread.dylib 0x00007fff58cb62eb _pthread_body + 126 10 libsystem_pthread.dylib 0x00007fff58cb9249 _pthread_start + 66 11 libsystem_pthread.dylib 0x00007fff58cb540d thread_start + 13
Radar WebKit Bug Importer
Comment 2 2019-08-02 13:26:57 PDT
<rdar://problem/53876863>
Yusuke Suzuki
Comment 3 2019-08-02 14:49:41 PDT
Created attachment 375460 [details] Patch
Yusuke Suzuki
Comment 4 2019-08-02 15:20:59 PDT
Committed r248185: <https://trac.webkit.org/changeset/248185>
Note You need to log in before you can comment on or make changes to this bug.