247644 – Segfault in JSC::IdentifierArena::makeBigIntDecimalIdentifier

RESOLVED FIXED 247644

Segfault in JSC::IdentifierArena::makeBigIntDecimalIdentifier

https://bugs.webkit.org/show_bug.cgi?id=247644

Summary Segfault in JSC::IdentifierArena::makeBigIntDecimalIdentifier

David Degazio

Reported 2022-11-08 14:34:30 PST

Created attachment 463459 [details] Reproducing case The attached source fails with a segmentation fault when lexing the 0x1n bigint identifier. This seems to be because we use a JSBigInt value within the parser to handle converting non-decimal integer constants to decimal identifiers. When allocating this JSBigInt fails (in this case, because we have exhausted all memory in the previous invocation of foo), we try to throw an exception. In the lexer/parser however, there is no global object to throw an exception to, so the bigint implementation falls back to returning a null pointer, which causes the segfault when we use it later in makeBigIntDecimalIdentifier. rdar://98566429

Attachments
Reproducing case (218 bytes, text/plain) 2022-11-08 14:34 PST, David Degazio	d_degazio: commit-queue-	Details
View All Add attachment proposed patch, testcase, etc.

David Degazio

Comment 1 2022-11-08 15:11:34 PST

Pull request: https://github.com/WebKit/WebKit/pull/6271

EWS

Comment 2 2022-11-09 14:31:25 PST

Committed 256501@main (32b972813979): <https://commits.webkit.org/256501@main> Reviewed commits have been landed. Closing PR #6271 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

David Degazio

Reported

2022-11-08 14:34 PST

Modified

2022-11-09 14:31 PST History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks