WebKit Bugzilla
Bug 178009 (NEW): Null pointer crash under JSC::Lexer<wchar_t>::setCode.
https://bugs.webkit.org/show_bug.cgi?id=178009
Reported by Per Arne Vollan, 2017-10-06 07:50:54 PDT
0d47bdf4 6af567ed 1aa551b8 0d47d218 0d47e880 JavaScriptCore!JSC::Lexer<wchar_t>::setCode+0x11b
0d47be28 6abb292d 0574e0d8 1aa551b8 00000001 JavaScriptCore!JSC::Parser<JSC::Lexer<wchar_t> >::Parser<JSC::Lexer<wchar_t> >+0x2bd
0d47e7fc 6abd8a2d 0d47e880 0574e0d8 1aa551b8 JavaScriptCore!JSC::parse<JSC::ProgramNode>+0x18d
0d47e904 6abd163b 0574e0d8 1aa551b8 0d47e930 JavaScriptCore!JSC::BuiltinExecutables::createExecutable+0x1cd
0d47e938 6abb8e77 0574e0d8 1aa551b8 76eee400 JavaScriptCore!JSC::BuiltinExecutables::stringIteratorPrototypeNextCodeExecutable+0x6b
0d47e954 6b03c067 0574e0d8 0d47ea84 0574e0d8 JavaScriptCore!JSC::stringIteratorPrototypeNextCodeGenerator+0x27
0d47e974 6b0678b3 0574e0d8 00000000 0d47e9d4 JavaScriptCore!JSC::reifyStaticProperty+0x37
0d47e9bc 6b03af0b 0574e0d8 00000000 6b25d618 JavaScriptCore!JSC::setUpStaticFunctionSlot+0xc3
0d47ea04 6b02cc4f 0574e0d8 00000000 6b1e3a44 JavaScriptCore!JSC::getStaticPropertySlotFromTable+0x12b
0d47ea30 6b017efe 0574e0d8 0a04d0b0 0d47ea84 JavaScriptCore!JSC::JSObject::getOwnStaticPropertySlot+0x2f
0d47eac0 6b00c6e9 0d47ee88 09cb4160 0b591028 JavaScriptCore!<lambda_44573b79eef68b208cfc4e8544f09b9e>::operator()+0x1be
0d47fb10 6b0032a3 0574e0d8 0574e0d8 0571c0a0 JavaScriptCore!JSC::JSGlobalObject::init+0x5e79
0d47fb28 672b34d0 00000000 09e540a0 0571c0a0 JavaScriptCore!JSC::JSGlobalObject::finishCreation+0x53
0d47fb40 677eca84 0574e0d8 09e540a0 0571c0a0 WebKit!WebCore::JSWorkerGlobalScopeBase::finishCreation+0x40
0d47fb5c 672ae124 0574e0d8 09e540a0 09d2027c WebKit!WebCore::JSWorkerGlobalScope::finishCreation+0x14
0d47fba4 672ad87b 09d2027c 0a04e3f0 09d20270 WebKit!WebCore::WorkerScriptController::initScript+0x1a4
0d47fbe4 672ad7df 0d47fc1c 0d47fbfc 09d202b8 WebKit!WebCore::WorkerScriptController::evaluate+0x3b
0d47fc04 6739a425 0d47fc1c 1bac9508 19e38430 WebKit!WebCore::WorkerScriptController::evaluate+0x2f
0d47fc74 6ab13f89 1aa53b90 6ab39490 1aa53b90 WebKit!WebCore::WorkerThread::workerThread+0x1c5
0d47fc90 6ab3949b 09d5e4b0 0d47fcd8 6ab62b24 WTF!WTF::Thread::entryPoint+0xa9
0d47fc9c 6ab62b24 19e38420 cdd6bc28 00000000 WTF!WTF::wtfThreadEntryPoint+0xb
0d47fcd8 759a336a 1aa53b90 0d47fd24 76ef9902 WTF!thread_start<unsigned int (__stdcall*)(void *)>+0x57
Attachments
Patch (1.25 KB, patch) 2017-10-06 07:56 PDT, Per Arne Vollan
mjs: review-
Per Arne Vollan
Comment 1
2017-10-06 07:56:11 PDT
Created attachment 323016 [details]
Patch
Alexey Proskuryakov
Comment 2
2017-10-06 09:35:29 PDT
Comment on attachment 323016 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=323016&action=review

> Source/JavaScriptCore/ChangeLog:8
> + Add null pointer check.
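Review bot: the ChangeLog line "Add null pointer check." does not say how m_code can be null while m_codeEnd is not, which is the only state in which the new check changes anything; the entry should name that condition and the path that reaches it (the trace above shows setCode entered from BuiltinExecutables::createExecutable during JSGlobalObject::init on a worker thread), so a reader can tell a masked invariant violation from a legitimately empty source. Without that, the one-line entry reads as a symptom fix.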
Can a regression test be added for this?
Per Arne Vollan
Comment 3
2017-10-06 09:51:38 PDT
(In reply to Alexey Proskuryakov from comment #2)
> Comment on attachment 323016 [details]
> Patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=323016&action=review
>
> > Source/JavaScriptCore/ChangeLog:8
> > + Add null pointer check.
>
> Can a regression test be added for this?
It crashed during layout tests (on Windows), so I believe we have test coverage. But maybe we should add a specific test for this? Thanks for reviewing!
Saam Barati
Comment 4
2017-10-06 12:20:31 PDT
Comment on attachment 323016 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=323016&action=review

> Source/JavaScriptCore/parser/Lexer.cpp:570
> + if (LIKELY(m_code < m_codeEnd && m_code))
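Review bot: `if (LIKELY(m_code < m_codeEnd && m_code))` guards the symptom rather than the cause. The added `&& m_code` only alters behaviour when m_code is null and m_codeEnd is not, and that state means the two pointers were assigned from inconsistent values; this check turns that into a silently empty source instead of diagnosing it. Prefer establishing the invariant where the pointers are set (m_codeEnd null, or equal to m_code, whenever m_code is) and asserting it here, so the Windows layout-test crash is traced to its origin. If the guard is kept anyway, test the pointer before comparing it, i.e. `m_code && m_code < m_codeEnd`: in C++ a relational comparison between a null pointer and a pointer into an object has an unspecified result, so the comparison should not be evaluated first.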
I don’t see why this is needed. Why would m_codeEnd be > m_code if it’s null? I’d expect us to have these two pointers be equal in this case
Alexey Proskuryakov
Comment 5
2017-10-06 23:30:11 PDT
Yeah, this feels more like an actual bug than a missing null check.
Maciej Stachowiak
Comment 6
2020-05-30 19:50:24 PDT
Comment on attachment 323016 [details]
Patch
Even though this patch still builds and seems to pass tests, per prior comments, it seems like if there is a bug here it should be fixed at a higher level. m_codeEnd should also be null when m_code is, so m_code shouldn't be less than.