Bug 202150 - [JSC] Null dereference in propagateTransitions
Summary: [JSC] Null dereference in propagateTransitions
Status: RESOLVED DUPLICATE of bug 202122
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-09-24 10:39 PDT by Antonio Groza
Modified: 2019-09-26 11:09 PDT

See Also:


Attachments

Description Antonio Groza 2019-09-24 10:39:41 PDT
Hello,
While fuzzing JSC I have found a test case that is able to reproduce the following issue: https://bugs.webkit.org/show_bug.cgi?id=200983 .

function hax() {
    for (const v3 in "AAAAAAAAAAA") {
        // createGlobalObject() is a helper exposed by the jsc shell
        const v4 = createGlobalObject();
        with (v4) {
            v4.b = parseInt;
            v4.length = v3;
            const v6 = new Uint16Array();
        }
    }
}

hax();

Execute it on an ASAN build of JSC with the following options to repro: 

./jsc --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true poc.js
Comment 1 Radar WebKit Bug Importer 2019-09-25 15:26:54 PDT
<rdar://problem/55721330>
Comment 2 Tadeu Zagallo 2019-09-26 11:09:08 PDT

*** This bug has been marked as a duplicate of bug 202122 ***