Bug 172754 - Crash in JSC::Lexer<unsigned char>::setCode
Summary: Crash in JSC::Lexer<unsigned char>::setCode
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Other
Hardware: Unspecified Linux
Importance: P2 Normal
Assignee: Saam Barati
URL:
Keywords:
Depends on:
Blocks:
Reported: 2017-05-31 08:38 PDT by june901116
Modified: 2017-06-26 12:34 PDT
CC List: 14 users

See Also:


Attachments
- PoC (735 bytes, application/javascript), 2017-05-31 08:38 PDT, june901116, no flags
- gdb backtrace (2.64 KB, text/plain), 2017-06-06 22:45 PDT, june901116, no flags
- GDB backtrace when running jsc (r218481) over the PoC (21.88 KB, text/plain), 2017-06-19 04:50 PDT, Carlos Alberto Lopez Perez, no flags
- patch (3.12 KB, patch), 2017-06-26 10:46 PDT, Saam Barati, no flags

Description june901116 2017-05-31 08:38:24 PDT
Created attachment 311595
PoC

How to reproduce?
1. Run JavaScriptCore from the WebKitGTK+ 2.16.3 release with the PoC:
   $ ./jsc reproduce.js
Comment 1 june901116 2017-06-06 22:45:42 PDT
Created attachment 312163
gdb backtrace
Comment 2 Cédric Bellegarde 2017-06-19 04:25:12 PDT
*** Bug 173539 has been marked as a duplicate of this bug. ***
Comment 3 Carlos Alberto Lopez Perez 2017-06-19 04:45:48 PDT
Crash reproducible also with trunk (r218482) but the backtrace looks different
Comment 4 Carlos Alberto Lopez Perez 2017-06-19 04:50:58 PDT
Created attachment 313276
GDB backtrace when running jsc (r218481) over the PoC
Comment 5 Cédric Bellegarde 2017-06-21 05:27:15 PDT
Same with 2.16.4
Comment 6 Saam Barati 2017-06-26 10:34:40 PDT
Looks like this line of code:
    m_buffer16.reserveInitialCapacity((m_codeEnd - m_code) / 2);

Not sure why we're reserving this much memory. This change was done in r59061, so a long time ago.
Comment 7 Saam Barati 2017-06-26 10:46:13 PDT
Created attachment 313851
patch
Comment 8 Mark Lam 2017-06-26 10:52:38 PDT
Comment on attachment 313851
patch

r=me
Comment 9 WebKit Commit Bot 2017-06-26 12:34:25 PDT
Comment on attachment 313851
patch

Clearing flags on attachment: 313851

Committed r218819: <http://trac.webkit.org/changeset/218819>
Comment 10 WebKit Commit Bot 2017-06-26 12:34:27 PDT
All reviewed patches have been landed.  Closing bug.