Summary: | Null pointer dereference in JSC::GetByStatus
---|---
Product: | WebKit
Reporter: | Mikhail R. Gadelha <mikhail>
Component: | JavaScriptCore
Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED FIXED
Severity: | Normal
CC: | bfulgham, ews-feeder, mark.lam, product-security, webkit-bug-importer, ysuzuki
Priority: | P2
Keywords: | InRadar
Version: | WebKit Nightly Build
Hardware: | Unspecified
OS: | Unspecified
Description
Mikhail R. Gadelha
2021-08-30 10:45:50 PDT

Created attachment 436793
Patch

Comment
Comment on attachment 436793
Patch

Can you upload a test for review too? (while, maybe, we should not land it together)

Comment
(In reply to Yusuke Suzuki from comment #3)
> Comment on attachment 436793
> Patch
>
> Can you upload a test for review too? (while, maybe, we should not land it
> together)

I'm assuming that you found this bug based on some tests.

Comment
Created attachment 438719
Test

Sure, that's the test case.

Comment
It was found by our fuzzer, let me know if you need a reduced test case. I reproduced the null pointer dereference in MIPS, ARMv7 and x86_64. I didn't test it in ARM64.

Comment
Comment on attachment 436793
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=436793&action=review

r=me

> Source/JavaScriptCore/bytecode/GetByStatus.cpp:184
> +    RELEASE_ASSERT(stubInfo);

Make it ASSERT. I don't think it is worth RELEASE_ASSERT.

> Source/JavaScriptCore/bytecode/GetByStatus.cpp:188
> +    RELEASE_ASSERT(stubInfo);

Ditto.

Comment
Created attachment 438837
Patch

Comment
Is this patch ready to land?

Comment
This crash does not happen in a usual build, so changing it to a non-security issue.

Comment
Committed r282950 (242040@main): <https://commits.webkit.org/242040@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438837.