Bug 202150
| Summary: | [JSC] Null dereference in propagateTransitions | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Antonio Groza <antoniogroza> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | fpizlo, mark.lam, prti, tzagallo, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=200983 | ||
Antonio Groza
Hello,
While fuzzing JSC I have found a test case that is able to reproduce the following issue: https://bugs.webkit.org/show_bug.cgi?id=200983.
```javascript
function hax() {
    for (const v3 in "AAAAAAAAAAA") {
        // createGlobalObject() is a jsc shell helper that returns a fresh global object
        const v4 = createGlobalObject();
        with (v4) {
            v4.b = parseInt;
            v4.length = v3;
            // identifier lookup for Uint16Array resolves through v4 because of the with scope
            const v6 = new Uint16Array();
        }
    }
}
hax();
```
Execute it on an ASAN build of JSC with the following options to repro:
```shell
./jsc --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true poc.js
```
Radar WebKit Bug Importer
<rdar://problem/55721330>
Tadeu Zagallo
*** This bug has been marked as a duplicate of bug 202122 ***