In GetByStatus::computeForStubInfoWithoutExitSiteFeedback, there are several places that dereference the stubInfo argument when calling the GetByStatus constructor. Here's the backtrace: #0 JSC::GetByStatus::GetByStatus (this=0xfffe9438, summary=JSC::StubInfoSummary::NoInformation, stubInfo=0x0) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:177 #1 0xf27896e6 in JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback (locker=..., profiledBlock=0xec49b560, stubInfo=0x0, callExitSiteData=...) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:207 #2 0xf2788fa4 in JSC::GetByStatus::computeFor (profiledBlock=0xec49b560, map=..., bytecodeIndex=..., didExit=..., callExitSiteData=...) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:155 #3 0xf278aeb4 in JSC::GetByStatus::computeFor (profiledBlock=0xec49b560, baselineMap=..., icContextStack=..., codeOrigin=...) at ../../Source/JavaScriptCore/bytecode/GetByStatus.cpp:402 #4 0xf2c1d286 in JSC::DFG::ByteCodeParser::parseBlock (this=0xfffecd6c, limit=251) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6278 #5 0xf2c60b34 in JSC::DFG::ByteCodeParser::parseCodeBlock (this=0xfffecd6c) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:8804 #6 0xf2c61c18 in JSC::DFG::ByteCodeParser::parse (this=0xfffecd6c) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:9006 #7 0xf2c64000 in JSC::DFG::parse (graph=...) at ../../Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:9165 #8 0xf31f490a in JSC::DFG::Plan::compileInThreadImpl (this=0xeb01e8d0) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:199 #9 0xf4055450 in JSC::JITPlan::compileInThread (this=0xeb01e8d0, thread=0x0) at ../../Source/JavaScriptCore/jit/JITPlan.cpp:165 #10 0xf40ed054 in JSC::JITWorklist::enqueue (this=0xedcc71b0, plan=...) at ../../Source/JavaScriptCore/jit/JITWorklist.cpp:83 #11 0xf2f5931a in JSC::DFG::compileImpl (vm=..., codeBlock=0xec49aca0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:90 #12 0xf2f5944a in JSC::DFG::compile (vm=..., codeBlock=0xec49aca0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:106 #13 0xf4045c08 in JSC::operationOptimize (vmPointer=0xecaf5000, bytecodeIndexBits=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:2096 #14 0xecc320aa in ?? ()
<rdar://problem/82535652>
Created attachment 436793 [details] Patch
Comment on attachment 436793 [details] Patch Can you upload a test for review too? (while, maybe, we should not land it together)
(In reply to Yusuke Suzuki from comment #3) > Comment on attachment 436793 [details] > Patch > > Can you upload a test for review too? (while, maybe, we should not land it > together) I'm assuming that you found this bug based on some tests.
Created attachment 438719 [details] Test Sure, that's the testcase.
It was found by our fuzzer, let me know if you need a reduced testcase. I reproduced the null pointer dereference in mips, armv7 and x86_64. I didn't test it in arm 64.
Comment on attachment 436793 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=436793&action=review r=me > Source/JavaScriptCore/bytecode/GetByStatus.cpp:184 > + RELEASE_ASSERT(stubInfo); Make it ASSERT. I don't think it is worth RELEASE_ASSERT. > Source/JavaScriptCore/bytecode/GetByStatus.cpp:188 > + RELEASE_ASSERT(stubInfo); Ditto.
Created attachment 438837 [details] Patch
Is this patch ready to land?
This crash does not happen in usual build, so changing it to non security issue.
Committed r282950 (242040@main): <https://commits.webkit.org/242040@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438837 [details].