Bug 200388

Summary:

[JSC] LazyJSValue should be robust for empty JSValue

Product:

WebKit

Reporter:

zhunkibatu

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	saam: review+

Description zhunkibatu 2019-08-02 03:43:10 PDT

the following poc can trigger an null pointer deref in DFGCFGSimplificationPhase.cpp




function foo(x) {
	switch (x) {
		case "a":
		case "a":
		case "a":
        		for (let j = 0; j <100; j++) {
    				let j=foo(j);
			}
		default:
			return 2;
	}
}


for (let i = 0; i <100000; i++) {
    foo("ab");
}

Comment 1 Alexey Proskuryakov 2019-08-02 13:26:43 PDT

REproduces in shipping Safari.

Thread 9 Crashed:: DFG Worklist Worker Thread
0   com.apple.JavaScriptCore      	0x00007fff30522a78 JSC::DFG::LazyJSValue::strictEqual(JSC::DFG::LazyJSValue const&) const + 408
1   com.apple.JavaScriptCore      	0x00007fff2febf028 JSC::DFG::CFGSimplificationPhase::run() + 2504
2   com.apple.JavaScriptCore      	0x00007fff30471ca8 bool JSC::DFG::runPhase<JSC::DFG::CFGSimplificationPhase>(JSC::DFG::Graph&) + 72
3   com.apple.JavaScriptCore      	0x00007fff305c2aa9 JSC::DFG::Plan::compileInThreadImpl() + 2633
4   com.apple.JavaScriptCore      	0x00007fff305c17fe JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) + 382
5   com.apple.JavaScriptCore      	0x00007fff3060fa8c JSC::DFG::Worklist::ThreadBody::work() + 300
6   com.apple.JavaScriptCore      	0x00007fff2ffa2a00 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 304
7   com.apple.JavaScriptCore      	0x00007fff2ffd57f2 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 194
8   com.apple.JavaScriptCore      	0x00007fff2fdf4c39 WTF::wtfThreadEntryPoint(void*) + 9
9   libsystem_pthread.dylib       	0x00007fff58cb62eb _pthread_body + 126
10  libsystem_pthread.dylib       	0x00007fff58cb9249 _pthread_start + 66
11  libsystem_pthread.dylib       	0x00007fff58cb540d thread_start + 13

Comment 2 Radar WebKit Bug Importer 2019-08-02 13:26:57 PDT

<rdar://problem/53876863>

Comment 3 Yusuke Suzuki 2019-08-02 14:49:41 PDT

Created attachment 375460 [details]
Patch

Comment 4 Yusuke Suzuki 2019-08-02 15:20:59 PDT

Committed r248185: <https://trac.webkit.org/changeset/248185>