Bug 171801 - Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under slow_path_get_direct_pname
Summary: Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under s...
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Filip Pizlo
Keywords: InRadar
Depends on:
Reported: 2017-05-08 03:49 PDT by Kamil Frankowicz
Modified: 2017-05-10 10:00 PDT (History)
9 users (show)

See Also:

POC to trigger null pointer dereference (jsc) (87 bytes, application/javascript)
2017-05-08 03:49 PDT, Kamil Frankowicz
no flags Details
the patch (5.13 KB, patch)
2017-05-10 09:04 PDT, Filip Pizlo
msaboff: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kamil Frankowicz 2017-05-08 03:49:13 PDT
Created attachment 309352 [details]
POC to trigger null pointer dereference (jsc)

Affected SVN revision: 216356

To reproduce the problem:
./jsc jsc_null_ptr_ref_ptr.js

ASAN Output:

==21363==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1a0150fc49 bp 0x7ffec7ffda30 sp 0x7ffec7ffd7c0 T0)
==21363==The signal is caused by a READ memory access.
==21363==Hint: address points to the zero page.
    #0 0x7f1a0150fc48 in WTF::RefPtr<WTF::StringImpl>::operator!() const /XYZ/WebKit/Source/WTF/wtf/RefPtr.h:76:38
    #1 0x7f1a0150fc48 in WTF::String::isNull() const /XYZ/WebKit/Source/WTF/wtf/text/WTFString.h:150
    #2 0x7f1a0150fc48 in JSC::JSString::isRope() const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:208
    #3 0x7f1a0150fc48 in JSC::JSString::toAtomicString(JSC::ExecState*) const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:529
    #4 0x7f1a0150fc48 in JSC::JSString::toIdentifier(JSC::ExecState*) const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:524
    #5 0x7f1a0150fc48 in slow_path_get_direct_pname /XYZ/WebKit/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:732
    #6 0x7f1a00ce76d9  (/XYZ/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1+0x2b9f6d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /XYZ/WebKit/Source/WTF/wtf/RefPtr.h:76:38 in WTF::RefPtr<WTF::StringImpl>::operator!() const
Comment 1 Radar WebKit Bug Importer 2017-05-08 19:53:34 PDT
Comment 2 Filip Pizlo 2017-05-10 09:04:55 PDT
Created attachment 309611 [details]
the patch
Comment 3 Michael Saboff 2017-05-10 09:11:10 PDT
Comment on attachment 309611 [details]
the patch

Comment 4 Filip Pizlo 2017-05-10 10:00:41 PDT
Landed in https://trac.webkit.org/changeset/216593/webkit