202150 – [JSC] Null dereference in propagateTransitions

RESOLVED DUPLICATE of bug 202122 Bug 202150

[JSC] Null dereference in propagateTransitions

https://bugs.webkit.org/show_bug.cgi?id=202150

Summary [JSC] Null dereference in propagateTransitions

Antonio Groza

Reported 2019-09-24 10:39:41 PDT

Hello, While fuzzing JSC i have found a test case that is able to reproduce the following issue: https://bugs.webkit.org/show_bug.cgi?id=200983 . function hax() { for (const v3 in "AAAAAAAAAAA") { const v4 = createGlobalObject(); with (v4) { v4.b = parseInt; v4.length = v3; const v6 = new Uint16Array(); } } } hax(); Execute it on an ASAN build of JSC with the following options to repro: ./jsc --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true poc.js

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2019-09-25 15:26:54 PDT

<rdar://problem/55721330>

Tadeu Zagallo

Comment 2 2019-09-26 11:09:08 PDT

*** This bug has been marked as a duplicate of bug 202122 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 202122

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2019-09-24 10:39 PDT

Modified

2019-09-26 11:09 PDT History

CC List

6 users Show

URL

Keywords InRadar

Depends on

Blocks