Created attachment 309352 [details] POC to trigger null pointer dereference (jsc) Affected SVN revision: 216356 To reproduce the problem: ./jsc jsc_null_ptr_ref_ptr.js ASAN Output: ==21363==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1a0150fc49 bp 0x7ffec7ffda30 sp 0x7ffec7ffd7c0 T0) ==21363==The signal is caused by a READ memory access. ==21363==Hint: address points to the zero page. #0 0x7f1a0150fc48 in WTF::RefPtr<WTF::StringImpl>::operator!() const /XYZ/WebKit/Source/WTF/wtf/RefPtr.h:76:38 #1 0x7f1a0150fc48 in WTF::String::isNull() const /XYZ/WebKit/Source/WTF/wtf/text/WTFString.h:150 #2 0x7f1a0150fc48 in JSC::JSString::isRope() const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:208 #3 0x7f1a0150fc48 in JSC::JSString::toAtomicString(JSC::ExecState*) const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:529 #4 0x7f1a0150fc48 in JSC::JSString::toIdentifier(JSC::ExecState*) const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:524 #5 0x7f1a0150fc48 in slow_path_get_direct_pname /XYZ/WebKit/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:732 #6 0x7f1a00ce76d9 (/XYZ/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1+0x2b9f6d9) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /XYZ/WebKit/Source/WTF/wtf/RefPtr.h:76:38 in WTF::RefPtr<WTF::StringImpl>::operator!() const ==21363==ABORTING