Bug 171801 - Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under slow_path_get_direct_pname
Summary: Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under s...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-05-08 03:49 PDT by Kamil Frankowicz
Modified: 2017-05-10 10:00 PDT (History)
9 users (show)

See Also:

Attachments
POC to trigger null pointer dereference (jsc) (87 bytes, application/javascript)
2017-05-08 03:49 PDT, Kamil Frankowicz 		no flags Details
the patch (5.13 KB, patch)
2017-05-10 09:04 PDT, Filip Pizlo 		msaboff: review+
Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kamil Frankowicz 2017-05-08 03:49:13 PDT 
Created attachment 309352 [details]
POC to trigger null pointer dereference (jsc)

Affected SVN revision: 216356

To reproduce the problem:
./jsc jsc_null_ptr_ref_ptr.js

ASAN Output:

==21363==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1a0150fc49 bp 0x7ffec7ffda30 sp 0x7ffec7ffd7c0 T0)
==21363==The signal is caused by a READ memory access.
==21363==Hint: address points to the zero page.
    #0 0x7f1a0150fc48 in WTF::RefPtr<WTF::StringImpl>::operator!() const /XYZ/WebKit/Source/WTF/wtf/RefPtr.h:76:38
    #1 0x7f1a0150fc48 in WTF::String::isNull() const /XYZ/WebKit/Source/WTF/wtf/text/WTFString.h:150
    #2 0x7f1a0150fc48 in JSC::JSString::isRope() const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:208
    #3 0x7f1a0150fc48 in JSC::JSString::toAtomicString(JSC::ExecState*) const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:529
    #4 0x7f1a0150fc48 in JSC::JSString::toIdentifier(JSC::ExecState*) const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:524
    #5 0x7f1a0150fc48 in slow_path_get_direct_pname /XYZ/WebKit/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:732
    #6 0x7f1a00ce76d9  (/XYZ/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1+0x2b9f6d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /XYZ/WebKit/Source/WTF/wtf/RefPtr.h:76:38 in WTF::RefPtr<WTF::StringImpl>::operator!() const
==21363==ABORTING
Comment 1 Radar WebKit Bug Importer 2017-05-08 19:53:34 PDT 
<rdar://problem/32066936>
Comment 2 Filip Pizlo 2017-05-10 09:04:55 PDT 
Created attachment 309611 [details]
the patch
Comment 3 Michael Saboff 2017-05-10 09:11:10 PDT 
Comment on attachment 309611 [details]
the patch

r=me
Comment 4 Filip Pizlo 2017-05-10 10:00:41 PDT 
Landed in https://trac.webkit.org/changeset/216593/webkit