229674 – Null pointer dereference in JSC::GetByStatus

Bug 229674 - Null pointer dereference in JSC::GetByStatus

Summary: Null pointer dereference in JSC::GetByStatus

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-08-30 10:45 PDT by Mikhail R. Gadelha
Modified:	2021-09-22 23:59 PDT (History)
CC List:	6 users (show)

See Also:

Attachments
Patch (9.64 KB, patch) 2021-08-30 10:53 PDT, Mikhail R. Gadelha	no flags	Details \| Formatted Diff \| Diff
Test (78.63 KB, text/javascript) 2021-09-20 13:26 PDT, Mikhail R. Gadelha	no flags	Details
Patch (9.63 KB, patch) 2021-09-21 11:06 PDT, Mikhail R. Gadelha	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mikhail R. Gadelha 2021-08-30 10:45:50 PDT

In GetByStatus::computeForStubInfoWithoutExitSiteFeedback, there are several places that dereference the stubInfo argument when calling the GetByStatus constructor. Here's the backtrace:


#0  JSC::GetByStatus::GetByStatus (this=0xfffe9438, summary=JSC::StubInfoSummary::NoInformation, stubInfo=0x0) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:177
#1  0xf27896e6 in JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback (locker=..., profiledBlock=0xec49b560, stubInfo=0x0, callExitSiteData=...)
    at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:207
#2  0xf2788fa4 in JSC::GetByStatus::computeFor (profiledBlock=0xec49b560, map=..., bytecodeIndex=..., didExit=..., callExitSiteData=...) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:155
#3  0xf278aeb4 in JSC::GetByStatus::computeFor (profiledBlock=0xec49b560, baselineMap=..., icContextStack=..., codeOrigin=...) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:402
#4  0xf2c1d286 in JSC::DFG::ByteCodeParser::parseBlock (this=0xfffecd6c, limit=251) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6278
#5  0xf2c60b34 in JSC::DFG::ByteCodeParser::parseCodeBlock (this=0xfffecd6c) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:8804
#6  0xf2c61c18 in JSC::DFG::ByteCodeParser::parse (this=0xfffecd6c) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:9006
#7  0xf2c64000 in JSC::DFG::parse (graph=...) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:9165
#8  0xf31f490a in JSC::DFG::Plan::compileInThreadImpl (this=0xeb01e8d0) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:199
#9  0xf4055450 in JSC::JITPlan::compileInThread (this=0xeb01e8d0, thread=0x0) at ../../Source/JavaScriptCore/jit/JITPlan.cpp:165
#10 0xf40ed054 in JSC::JITWorklist::enqueue (this=0xedcc71b0, plan=...) at ../../Source/JavaScriptCore/jit/JITWorklist.cpp:83
#11 0xf2f5931a in JSC::DFG::compileImpl (vm=..., codeBlock=0xec49aca0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...)
    at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:90
#12 0xf2f5944a in JSC::DFG::compile (vm=..., codeBlock=0xec49aca0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...)
    at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:106
#13 0xf4045c08 in JSC::operationOptimize (vmPointer=0xecaf5000, bytecodeIndexBits=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:2096
#14 0xecc320aa in ?? ()

Comment 1 Radar WebKit Bug Importer 2021-08-30 10:46:04 PDT

<rdar://problem/82535652>

Comment 2 Mikhail R. Gadelha 2021-08-30 10:53:06 PDT

Created attachment 436793 [details]
Patch

Comment 3 Yusuke Suzuki 2021-09-20 13:04:05 PDT

Comment on attachment 436793 [details]
Patch

Can you upload a test for review too? (while, maybe, we should not land it together)

Comment 4 Yusuke Suzuki 2021-09-20 13:05:01 PDT

(In reply to Yusuke Suzuki from comment #3)
> Comment on attachment 436793 [details]
> Patch
> 
> Can you upload a test for review too? (while, maybe, we should not land it
> together)

I'm assuming that you found this bug based on some tests.

Comment 5 Mikhail R. Gadelha 2021-09-20 13:26:13 PDT

Created attachment 438719 [details]
Test

Sure, that's the testcase.

Comment 6 Mikhail R. Gadelha 2021-09-20 13:31:43 PDT

It was found by our fuzzer, let me know if you need a reduced testcase.

I reproduced the null pointer dereference in mips, armv7 and x86_64. I didn't test it in arm 64.

Comment 7 Yusuke Suzuki 2021-09-21 10:53:37 PDT

Comment on attachment 436793 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=436793&action=review

r=me

> Source/JavaScriptCore/bytecode/GetByStatus.cpp:184
> +        RELEASE_ASSERT(stubInfo);

Make it ASSERT. I don't think it is worth RELEASE_ASSERT.

> Source/JavaScriptCore/bytecode/GetByStatus.cpp:188
> +        RELEASE_ASSERT(stubInfo);

Ditto.

Comment 8 Mikhail R. Gadelha 2021-09-21 11:06:24 PDT

Created attachment 438837 [details]
Patch

Comment 9 Mark Lam 2021-09-22 23:31:22 PDT

Is this patch ready to land?

Comment 10 Yusuke Suzuki 2021-09-22 23:42:00 PDT

This crash does not happen in usual build, so changing it to non security issue.

Comment 11 EWS 2021-09-22 23:58:59 PDT

Committed r282950 (242040@main): <https://commits.webkit.org/242040@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438837 [details].