Bug 247644 - Segfault in JSC::IdentifierArena::makeBigIntDecimalIdentifier
Summary: Segfault in JSC::IdentifierArena::makeBigIntDecimalIdentifier
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: David Degazio
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2022-11-08 14:34 PST by David Degazio
Modified: 2022-11-09 14:31 PST

See Also:


Attachments
Reproducing case (218 bytes, text/plain)
2022-11-08 14:34 PST, David Degazio
d_degazio: commit-queue-
Description David Degazio 2022-11-08 14:34:30 PST
Created attachment 463459
Reproducing case

The attached source fails with a segmentation fault when lexing the 0x1n bigint identifier. This seems to be because we use a JSBigInt value within the parser to handle converting non-decimal integer constants to decimal identifiers. When allocating this JSBigInt fails (in this case, because we have exhausted all memory in the previous invocation of foo), we try to throw an exception. In the lexer/parser, however, there is no global object to throw an exception to, so the bigint implementation falls back to returning a null pointer, which causes the segfault when we use it later in makeBigIntDecimalIdentifier.

rdar://98566429
Comment 1 David Degazio 2022-11-08 15:11:34 PST
Pull request: https://github.com/WebKit/WebKit/pull/6271
Comment 2 EWS 2022-11-09 14:31:25 PST
Committed 256501@main (32b972813979): <https://commits.webkit.org/256501@main>

Reviewed commits have been landed. Closing PR #6271 and removing active labels.