Bug 285158

Summary:	Null dereference under JSC::Structure::shouldConvertToPolyProto()
Product:	WebKit	Reporter:	Chris Dumez <cdumez>
Component:	JavaScriptCore	Assignee:	Chris Dumez <cdumez>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	darin, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Chris Dumez

Reported 2024-12-25 19:46:29 PST

Null deference under JSC::Structure::shouldConvertToPolyProto(), which is undefined behavior. This was found by adding a RELEASE_ASSERT() under `RefPtr::operator->()`: ``` Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 JavaScriptCore 0x12ede77f4 WTFCrashWithInfo(int, char const*, char const*, int) + 132 (Assertions.h:902) 1 JavaScriptCore 0x12f58f1c4 WTF::RefPtr<WTF::Box<JSC::InlineWatchpointSet>::Data, WTF::RawPtrTraits<WTF::Box<JSC::InlineWatchpointSet>::Data>, WTF::DefaultRefDerefTraits<WTF::Box<JSC::InlineWatchpointSet>::Data>>::operator->() const + 140 (RefPtr.h:69) 2 JavaScriptCore 0x12f642378 WTF::Box<JSC::InlineWatchpointSet>::get() const + 28 (Box.h:58) 3 JavaScriptCore 0x12f64209c JSC::Structure::shouldConvertToPolyProto(JSC::Structure const*, JSC::Structure const*) + 284 (StructureInlines.h:727) 4 JavaScriptCore 0x12f6d0090 JSC::StructureStubInfo::upgradeForPolyProtoIfNecessary(JSC::GCSafeConcurrentJSLocker const&, JSC::VM&, JSC::CodeBlock*, WTF::Vector<JSC::AccessCase*, 16ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, JSC::AccessCase&)::$_0::operator()(JSC::Structure*, JSC::Structure*) const + 48 (StructureStubInfo.cpp:119) 5 JavaScriptCore 0x12f6cff70 JSC::StructureStubInfo::upgradeForPolyProtoIfNecessary(JSC::GCSafeConcurrentJSLocker const&, JSC::VM&, JSC::CodeBlock*, WTF::Vector<JSC::AccessCase*, 16ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, JSC::AccessCase&) + 252 (StructureStubInfo.cpp:135) 6 JavaScriptCore 0x12f6d05a0 JSC::StructureStubInfo::addAccessCase(JSC::GCSafeConcurrentJSLocker const&, JSC::JSGlobalObject*, JSC::CodeBlock*, JSC::ECMAMode, JSC::CacheableIdentifier, WTF::RefPtr<JSC::AccessCase, WTF::RawPtrTraits<JSC::AccessCase>, WTF::DefaultRefDerefTraits<JSC::AccessCase>>)::$_0::operator()(WTF::Ref<JSC::AccessCase, WTF::RawPtrTraits<JSC::AccessCase>, WTF::DefaultRefDerefTraits<JSC::AccessCase>>&&) const + 196 (StructureStubInfo.cpp:159) ```

Attachments
Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2024-12-25 19:48:05 PST

Pull request: https://github.com/WebKit/WebKit/pull/38379

EWS

Comment 2 2024-12-26 11:58:03 PST

Committed 288298@main (b88f3785dca4): <https://commits.webkit.org/288298@main> Reviewed commits have been landed. Closing PR #38379 and removing active labels.

Radar WebKit Bug Importer

Comment 3 2024-12-26 11:59:13 PST

<rdar://problem/142069909>

Note You need to log in before you can comment on or make changes to this bug.