RESOLVED FIXED 270934
JSExecState::loadModule can dereference null result
https://bugs.webkit.org/show_bug.cgi?id=270934
Summary JSExecState::loadModule can dereference null result
David Degazio
Reported 2024-03-13 15:24:45 PDT
rdar://121268593

JSModuleLoader::loadModule can return nullptr if there is an exception, but our WebCore bindings for this API (JSExecState::loadModule, which calls JSC::loadModule, which calls JSModuleLoader::loadModule) dereference the result unconditionally. This means that any callers of JSExecState::loadModule can be given a reference to a JSInternalPromise which is really a null pointer, and be unable to detect or respond to it. We can fix this by returning a pointer instead of a reference from JSExecState::loadModule and updating the callers to handle a null result appropriately.
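The defect pattern and the fix described in the report, as an added C++ example that is not WebKit's code: ModuleLoader, the JSInternalPromise struct, loadModuleUnchecked, loadModuleChecked and runModule are hypothetical stand-ins for JSModuleLoader::loadModule, JSExecState::loadModule and its callers.

```cpp
// Added example, not WebKit source. Stand-in types model the report:
// a loader that returns nullptr when an exception is pending, a wrapper
// that hides that null behind a reference (the bug), and a wrapper that
// returns the pointer so callers can check it (the fix).
#include <deque>
#include <string>
#include <utility>

struct JSInternalPromise { std::string moduleName; };  // stand-in for JSC::JSInternalPromise

// Stand-in for JSModuleLoader::loadModule: records an exception and returns
// nullptr instead of a promise when the specifier is rejected.
struct ModuleLoader {
    std::string pendingException;
    std::deque<JSInternalPromise> promises;  // deque keeps element addresses stable

    JSInternalPromise* loadModule(const std::string& specifier) {
        if (specifier.empty()) {
            pendingException = "SyntaxError: empty module specifier";  // constructed message
            return nullptr;
        }
        promises.push_back(JSInternalPromise{specifier});
        return &promises.back();
    }
};

// BEFORE (the bug): the result is dereferenced unconditionally to form a
// reference. On the nullptr path this is undefined behaviour, and the caller
// cannot detect it because a reference cannot be tested against nullptr.
JSInternalPromise& loadModuleUnchecked(ModuleLoader& loader, const std::string& specifier) {
    return *loader.loadModule(specifier);  // UB when loadModule returned nullptr
}

// AFTER (the fix): return the pointer so the null/exception case is visible.
JSInternalPromise* loadModuleChecked(ModuleLoader& loader, const std::string& specifier) {
    return loader.loadModule(specifier);
}

// A caller updated for the fixed signature: a null result means an exception
// is pending, which is reported instead of being dereferenced.
std::pair<bool, std::string> runModule(ModuleLoader& loader, const std::string& specifier) {
    JSInternalPromise* promise = loadModuleChecked(loader, specifier);
    if (!promise)
        return {false, loader.pendingException};
    return {true, promise->moduleName};
}
```

Only the checked path is exercised on the failing input; calling loadModuleUnchecked with an empty specifier would be the undefined behaviour the report describes.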
David Degazio
Comment 1 2024-03-13 15:34:00 PDT
EWS
Comment 2 2024-03-15 12:32:37 PDT
Committed 276190@main (20cd6e8fdcc8): <https://commits.webkit.org/276190@main> Reviewed commits have been landed. Closing PR #25841 and removing active labels.