Bug 179364 (NEW)
null pointer dereference in JSC::DFG::operationNewArrayWithSize
https://bugs.webkit.org/show_bug.cgi?id=179364
Summary: null pointer dereference in JSC::DFG::operationNewArrayWithSize
zhunkibatu
Reported 2017-11-06 23:35:06 PST
The following PoC can lead to a crash in a 32-bit build of WebKit.
##########################################
var array = new Array(10000);
for (var i = 0; i < 20000; ++i) {
    var newArray = new Array(10000);
    array[i % array.length] = newArray;
}
##########################################
To trigger a crash in a 64-bit Safari, the PoC needs to change to
##########################################
var array = new Array(100000);
for (var i = 0; i < 200000; ++i) {
    var newArray = new Array(100000);
    array[i % array.length] = newArray;
}
##########################################
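The PoC above keeps allocating large arrays until the allocator gives up, and the report locates the resulting null dereference in the native array constructor. The C program below is an added illustration, not WebKit or JSC code: it models a constructor (a hypothetical new_array_with_size) whose allocation can fail, runs the same allocate-and-store loop shape as the PoC against a constructed 1 MiB budget (HEAP_BUDGET_BYTES), and shows the defensive pattern of checking every allocation result and propagating NULL instead of dereferencing it. Overwritten arrays are freed to stand in for garbage collection, and heap_bytes_in_use() lets a caller confirm nothing leaks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the allocation pattern behind the report (added example, not
   WebKit/JSC code). HEAP_BUDGET_BYTES is a constructed limit that plays the
   role of memory exhaustion, so allocations start failing deterministically. */
#define HEAP_BUDGET_BYTES ((size_t)1 << 20)

static size_t g_heap_used = 0;

typedef struct JSArray {
    size_t length;
    struct JSArray **slots; /* nested arrays, like array[i] in the PoC */
} JSArray;

/* Allocation that fails (returns NULL) once the budget is used up. */
static void *budgeted_alloc(size_t bytes) {
    if (bytes > HEAP_BUDGET_BYTES - g_heap_used)
        return NULL;
    void *p = calloc(1, bytes);
    if (p)
        g_heap_used += bytes;
    return p;
}

static void budgeted_free(void *p, size_t bytes) {
    if (p) {
        free(p);
        g_heap_used -= bytes;
    }
}

size_t heap_bytes_in_use(void) { return g_heap_used; }

/* Hypothetical stand-in for the constructor named in the report. It never
   touches a failed allocation: NULL is handed back to the caller. */
JSArray *new_array_with_size(size_t length) {
    if (length > SIZE_MAX / sizeof(JSArray *)) /* size computation overflow guard */
        return NULL;
    JSArray *a = budgeted_alloc(sizeof *a);
    if (!a)
        return NULL;
    a->length = length;
    a->slots = budgeted_alloc(length * sizeof(JSArray *));
    if (!a->slots) {
        budgeted_free(a, sizeof *a);
        return NULL;
    }
    return a;
}

void free_array(JSArray *a) {
    if (!a)
        return;
    budgeted_free(a->slots, a->length * sizeof(JSArray *));
    budgeted_free(a, sizeof *a);
}

typedef struct {
    size_t succeeded; /* inner arrays created and stored */
    size_t failed;    /* allocations refused by the budget */
} LoopStats;

/* Same shape as the PoC loop: create an inner array per iteration and store
   it at i % outer length. The overwritten array is freed (standing in for GC),
   so at most outer_len + 1 inner arrays are alive at once. A NULL result is
   counted and skipped rather than dereferenced. */
LoopStats run_allocation_loop(size_t outer_len, size_t inner_len, size_t iterations) {
    LoopStats s = {0, 0};
    JSArray *outer = outer_len ? new_array_with_size(outer_len) : NULL;
    if (!outer) {
        s.failed = iterations; /* nothing to store into: every iteration fails */
        return s;
    }
    for (size_t i = 0; i < iterations; ++i) {
        JSArray *inner = new_array_with_size(inner_len);
        if (!inner) {
            s.failed++;
            continue;
        }
        size_t idx = i % outer->length;
        free_array(outer->slots[idx]); /* old array becomes unreachable, as GC would see it */
        outer->slots[idx] = inner;
        s.succeeded++;
    }
    for (size_t i = 0; i < outer->length; ++i)
        free_array(outer->slots[i]);
    free_array(outer);
    return s;
}

int main(void) {
    /* Sizes are constructed: the first fits the budget, the second exhausts it. */
    LoopStats fits = run_allocation_loop(100, 1000, 20000);
    LoopStats starves = run_allocation_loop(100, 2000, 20000);
    printf("fits:    %zu ok, %zu failed\n", fits.succeeded, fits.failed);
    printf("starves: %zu ok, %zu failed\n", starves.succeeded, starves.failed);
    return 0;
}
```

The second run demonstrates the failure mode the report exercises: once live arrays fill the budget, every further constructor call returns NULL, and the caller survives only because it checks the result before using it. The exact counts depend on pointer size, which is why the budget is expressed in bytes rather than array counts.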
Alexey Proskuryakov
Comment 1 2017-11-08 19:23:07 PST
I cannot reproduce this in Safari 11. I suspect that the page gets killed for using too much memory before this crash occurs, so not sure if the underlying problem is still present.