200388 – [JSC] LazyJSValue should be robust for empty JSValue

RESOLVED FIXED 200388

[JSC] LazyJSValue should be robust for empty JSValue

https://bugs.webkit.org/show_bug.cgi?id=200388

Summary [JSC] LazyJSValue should be robust for empty JSValue

zhunkibatu

Reported 2019-08-02 03:43:10 PDT

the following poc can trigger an null pointer deref in DFGCFGSimplificationPhase.cpp function foo(x) { switch (x) { case "a": case "a": case "a": for (let j = 0; j <100; j++) { let j=foo(j); } default: return 2; } } for (let i = 0; i <100000; i++) { foo("ab"); }

Attachments
Patch (6.66 KB, patch) 2019-08-02 14:49 PDT, Yusuke Suzuki	saam: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2019-08-02 13:26:43 PDT

REproduces in shipping Safari. Thread 9 Crashed:: DFG Worklist Worker Thread 0 com.apple.JavaScriptCore 0x00007fff30522a78 JSC::DFG::LazyJSValue::strictEqual(JSC::DFG::LazyJSValue const&) const + 408 1 com.apple.JavaScriptCore 0x00007fff2febf028 JSC::DFG::CFGSimplificationPhase::run() + 2504 2 com.apple.JavaScriptCore 0x00007fff30471ca8 bool JSC::DFG::runPhase<JSC::DFG::CFGSimplificationPhase>(JSC::DFG::Graph&) + 72 3 com.apple.JavaScriptCore 0x00007fff305c2aa9 JSC::DFG::Plan::compileInThreadImpl() + 2633 4 com.apple.JavaScriptCore 0x00007fff305c17fe JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) + 382 5 com.apple.JavaScriptCore 0x00007fff3060fa8c JSC::DFG::Worklist::ThreadBody::work() + 300 6 com.apple.JavaScriptCore 0x00007fff2ffa2a00 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() + 304 7 com.apple.JavaScriptCore 0x00007fff2ffd57f2 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 194 8 com.apple.JavaScriptCore 0x00007fff2fdf4c39 WTF::wtfThreadEntryPoint(void*) + 9 9 libsystem_pthread.dylib 0x00007fff58cb62eb _pthread_body + 126 10 libsystem_pthread.dylib 0x00007fff58cb9249 _pthread_start + 66 11 libsystem_pthread.dylib 0x00007fff58cb540d thread_start + 13

Radar WebKit Bug Importer

Comment 2 2019-08-02 13:26:57 PDT

<rdar://problem/53876863>

Yusuke Suzuki

Comment 3 2019-08-02 14:49:41 PDT

Created attachment 375460 [details] Patch

Yusuke Suzuki

Comment 4 2019-08-02 15:20:59 PDT

Committed r248185: <https://trac.webkit.org/changeset/248185>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Yusuke Suzuki

Reported

2019-08-02 03:43 PDT

Modified

2019-08-02 15:20 PDT History

CC List

9 users Show

URL

Keywords InRadar

Depends on

Blocks