Bug 297812

Summary:	resultArray should be fully initialized when returning due to termination exception in operationJSToWasmEntryWrapperBuildReturnFrame
Product:	WebKit	Reporter:	Shu-yu Guo <syg>
Component:	JavaScriptCore	Assignee:	WebKit Security Group <webkit-security-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	bfulgham, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Shu-yu Guo

Reported 2025-08-22 16:33:26 PDT

rdar://158847247 In `operationJSToWasmEntryWrapperBuildReturnFrame`, `resultArray` is allocated uninitialized. If the allocation fails, the operation early returns. Usually, the allocation failing means `resultArray` is never allocated and thus it's okay to return without initializing its memory. In the case of termination exceptions, the call to the allocation function can fail despite having successfully allocated, so we need to initialize the memory.

Attachments
Add attachment proposed patch, testcase, etc.

Shu-yu Guo

Comment 1 2025-08-22 16:48:28 PDT

Pull request: https://github.com/apple/WebKit/pull/3523

Shu-yu Guo

Comment 2 2025-08-25 21:13:30 PDT

Pull request: https://github.com/WebKit/WebKit/pull/49871

EWS

Comment 3 2025-08-27 10:26:48 PDT

Committed 299210@main (9aa33190dfc1): <https://commits.webkit.org/299210@main> Reviewed commits have been landed. Closing PR #49871 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.