Bug 229674

Summary: Null pointer dereference in JSC::GetByStatus
Product: WebKit Reporter: Mikhail R. Gadelha <mikhail>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ews-feeder, mark.lam, product-security, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Test
none
Patch none

Mikhail R. Gadelha
Reported 2021-08-30 10:45:50 PDT
In GetByStatus::computeForStubInfoWithoutExitSiteFeedback, there are several places that dereference the stubInfo argument when calling the GetByStatus constructor. Here's the backtrace: #0 JSC::GetByStatus::GetByStatus (this=0xfffe9438, summary=JSC::StubInfoSummary::NoInformation, stubInfo=0x0) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:177 #1 0xf27896e6 in JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback (locker=..., profiledBlock=0xec49b560, stubInfo=0x0, callExitSiteData=...) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:207 #2 0xf2788fa4 in JSC::GetByStatus::computeFor (profiledBlock=0xec49b560, map=..., bytecodeIndex=..., didExit=..., callExitSiteData=...) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:155 #3 0xf278aeb4 in JSC::GetByStatus::computeFor (profiledBlock=0xec49b560, baselineMap=..., icContextStack=..., codeOrigin=...) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:402 #4 0xf2c1d286 in JSC::DFG::ByteCodeParser::parseBlock (this=0xfffecd6c, limit=251) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6278 #5 0xf2c60b34 in JSC::DFG::ByteCodeParser::parseCodeBlock (this=0xfffecd6c) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:8804 #6 0xf2c61c18 in JSC::DFG::ByteCodeParser::parse (this=0xfffecd6c) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:9006 #7 0xf2c64000 in JSC::DFG::parse (graph=...) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:9165 #8 0xf31f490a in JSC::DFG::Plan::compileInThreadImpl (this=0xeb01e8d0) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:199 #9 0xf4055450 in JSC::JITPlan::compileInThread (this=0xeb01e8d0, thread=0x0) at ../../Source/JavaScriptCore/jit/JITPlan.cpp:165 #10 0xf40ed054 in JSC::JITWorklist::enqueue (this=0xedcc71b0, plan=...) at ../../Source/JavaScriptCore/jit/JITWorklist.cpp:83 #11 0xf2f5931a in JSC::DFG::compileImpl (vm=..., codeBlock=0xec49aca0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:90 #12 0xf2f5944a in JSC::DFG::compile (vm=..., codeBlock=0xec49aca0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:106 #13 0xf4045c08 in JSC::operationOptimize (vmPointer=0xecaf5000, bytecodeIndexBits=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:2096 #14 0xecc320aa in ?? ()
Attachments
Patch (9.64 KB, patch)
2021-08-30 10:53 PDT, Mikhail R. Gadelha 		no flags
DetailsFormatted DiffDiff
Test (78.63 KB, text/javascript)
2021-09-20 13:26 PDT, Mikhail R. Gadelha 		no flags
Details
Patch (9.63 KB, patch)
2021-09-21 11:06 PDT, Mikhail R. Gadelha 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-08-30 10:46:04 PDT
<rdar://problem/82535652>
Mikhail R. Gadelha
Comment 2 2021-08-30 10:53:06 PDT
Created attachment 436793 [details] Patch
Yusuke Suzuki
Comment 3 2021-09-20 13:04:05 PDT
Comment on attachment 436793 [details] Patch Can you upload a test for review too? (while, maybe, we should not land it together)
Yusuke Suzuki
Comment 4 2021-09-20 13:05:01 PDT
(In reply to Yusuke Suzuki from comment #3) > Comment on attachment 436793 [details] > Patch > > Can you upload a test for review too? (while, maybe, we should not land it > together) I'm assuming that you found this bug based on some tests.
Mikhail R. Gadelha
Comment 5 2021-09-20 13:26:13 PDT
Created attachment 438719 [details] Test Sure, that's the testcase.
Mikhail R. Gadelha
Comment 6 2021-09-20 13:31:43 PDT
It was found by our fuzzer, let me know if you need a reduced testcase. I reproduced the null pointer dereference in mips, armv7 and x86_64. I didn't test it in arm 64.
Yusuke Suzuki
Comment 7 2021-09-21 10:53:37 PDT
Comment on attachment 436793 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=436793&action=review r=me > Source/JavaScriptCore/bytecode/GetByStatus.cpp:184 > + RELEASE_ASSERT(stubInfo); Make it ASSERT. I don't think it is worth RELEASE_ASSERT. > Source/JavaScriptCore/bytecode/GetByStatus.cpp:188 > + RELEASE_ASSERT(stubInfo); Ditto.
Mikhail R. Gadelha
Comment 8 2021-09-21 11:06:24 PDT
Created attachment 438837 [details] Patch
Mark Lam
Comment 9 2021-09-22 23:31:22 PDT
Is this patch ready to land?
Yusuke Suzuki
Comment 10 2021-09-22 23:42:00 PDT
This crash does not happen in usual build, so changing it to non security issue.
EWS
Comment 11 2021-09-22 23:58:59 PDT
Committed r282950 (242040@main): <https://commits.webkit.org/242040@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438837 [details].
Note You need to log in before you can comment on or make changes to this bug.