Bug 231252 - Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal.
Summary: Speculative fix for a null pointer dereference in ByteCodeParser::handlePutBy...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-10-05 14:06 PDT by Mark Lam
Modified: 2021-10-06 10:31 PDT (History)
7 users (show)

See Also:

Attachments
proposed patch. (1.90 KB, patch)
2021-10-05 14:14 PDT, Mark Lam 		ysuzuki: review+
Details | Formatted Diff | Diff
[fast-cq] patch for landing. (2.80 KB, patch)
2021-10-05 14:35 PDT, Mark Lam 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Lam 2021-10-05 14:06:20 PDT 
We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal().  Adding a null check here as a speculative fix to mitigate crashes while we investigate further.

rdar://83310320
Comment 1 Mark Lam 2021-10-05 14:14:45 PDT 
Created attachment 440265 [details]
proposed patch.
Comment 2 Yusuke Suzuki 2021-10-05 14:20:57 PDT 
Comment on attachment 440265 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=440265&action=review

r=me

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:8881
> +                auto* impl = string->tryGetValueImpl();
> +                ASSERT(impl); // FIXME: rdar://83902782
> +                if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {

Similar thing exists on op_put_private_name. Please change all of these things in DFG::ByteCodeParser.
Comment 3 Mark Lam 2021-10-05 14:35:04 PDT 
Created attachment 440271 [details]
[fast-cq] patch for landing.

Thanks for the review.
Comment 4 EWS 2021-10-06 10:31:52 PDT 
Committed r283632 (242583@main): <https://commits.webkit.org/242583@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 440271 [details].