RESOLVED FIXED 285158
Null dereference under JSC::Structure::shouldConvertToPolyProto()
https://bugs.webkit.org/show_bug.cgi?id=285158
Chris Dumez
Reported 2024-12-25 19:46:29 PST
Null dereference under JSC::Structure::shouldConvertToPolyProto(), which is undefined behavior. This was found by adding a RELEASE_ASSERT() under `RefPtr::operator->()`:

```
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 JavaScriptCore 0x12ede77f4 WTFCrashWithInfo(int, char const*, char const*, int) + 132 (Assertions.h:902)
1 JavaScriptCore 0x12f58f1c4 WTF::RefPtr<WTF::Box<JSC::InlineWatchpointSet>::Data, WTF::RawPtrTraits<WTF::Box<JSC::InlineWatchpointSet>::Data>, WTF::DefaultRefDerefTraits<WTF::Box<JSC::InlineWatchpointSet>::Data>>::operator->() const + 140 (RefPtr.h:69)
2 JavaScriptCore 0x12f642378 WTF::Box<JSC::InlineWatchpointSet>::get() const + 28 (Box.h:58)
3 JavaScriptCore 0x12f64209c JSC::Structure::shouldConvertToPolyProto(JSC::Structure const*, JSC::Structure const*) + 284 (StructureInlines.h:727)
4 JavaScriptCore 0x12f6d0090 JSC::StructureStubInfo::upgradeForPolyProtoIfNecessary(JSC::GCSafeConcurrentJSLocker const&, JSC::VM&, JSC::CodeBlock*, WTF::Vector<JSC::AccessCase*, 16ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, JSC::AccessCase&)::$_0::operator()(JSC::Structure*, JSC::Structure*) const + 48 (StructureStubInfo.cpp:119)
5 JavaScriptCore 0x12f6cff70 JSC::StructureStubInfo::upgradeForPolyProtoIfNecessary(JSC::GCSafeConcurrentJSLocker const&, JSC::VM&, JSC::CodeBlock*, WTF::Vector<JSC::AccessCase*, 16ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, JSC::AccessCase&) + 252 (StructureStubInfo.cpp:135)
6 JavaScriptCore 0x12f6d05a0 JSC::StructureStubInfo::addAccessCase(JSC::GCSafeConcurrentJSLocker const&, JSC::JSGlobalObject*, JSC::CodeBlock*, JSC::ECMAMode, JSC::CacheableIdentifier, WTF::RefPtr<JSC::AccessCase, WTF::RawPtrTraits<JSC::AccessCase>, WTF::DefaultRefDerefTraits<JSC::AccessCase>>)::$_0::operator()(WTF::Ref<JSC::AccessCase, WTF::RawPtrTraits<JSC::AccessCase>, WTF::DefaultRefDerefTraits<JSC::AccessCase>>&&) const + 196 (StructureStubInfo.cpp:159)
```
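The detection technique the report describes, as an added example that is not WebKit code and not part of this bug: a stripped-down smart pointer whose `operator->` release-asserts on null, so a null dereference through it becomes a deterministic crash with file and line information instead of undefined behavior. `RefCounted`, `RefPtr`, `InlineWatchpointSet`, `Structure`, `uncheckedUse`, `checkedUse` and `nullDerefIsTrapped` are illustrative stand-ins chosen here; they do not reproduce JSC's real types or the logic of `shouldConvertToPolyProto()`. The crash handler is a swappable function pointer only so that the trap can be observed in-process; a real RELEASE_ASSERT aborts.

```cpp
#include <cstdio>
#include <cstdlib>
#include <stdexcept>
#include <utility>

// Where a trap goes. Production behaviour is abort(); the self-check below
// temporarily installs a throwing handler so the trap is observable.
using CrashHandler = void (*)(const char* file, int line, const char* msg);

void abortHandler(const char* file, int line, const char* msg) {
    std::fprintf(stderr, "%s:%d: %s\n", file, line, msg);
    std::abort();
}

CrashHandler& crashHandler() {
    static CrashHandler handler = abortHandler;
    return handler;
}

// The check the reporter added under operator->(): trap on null, with
// source location, instead of letting the dereference proceed.
#define RELEASE_ASSERT_NOT_NULL(ptr) \
    do { if (!(ptr)) crashHandler()(__FILE__, __LINE__, "null dereference: " #ptr); } while (0)

// Minimal intrusive ref counting (hypothetical, not WTF's).
struct RefCounted {
    int refCount = 0;
    virtual ~RefCounted() = default;
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

template<typename T>
class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(m_ptr, tmp.m_ptr); return *this; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    explicit operator bool() const { return m_ptr != nullptr; }
    T* get() const { return m_ptr; }
    T* operator->() const { RELEASE_ASSERT_NOT_NULL(m_ptr); return m_ptr; }
private:
    T* m_ptr = nullptr;
};

// Stand-ins: a watchpoint set that a Structure may or may not carry.
struct InlineWatchpointSet : RefCounted { bool stillValid = true; };
struct Structure { RefPtr<InlineWatchpointSet> watchpointSet; };  // may be null

// Unchecked use: dereferences the pointer unconditionally. With the asserting
// operator-> this traps on a Structure that has no set, rather than being UB.
bool uncheckedUse(const Structure& s) { return s.watchpointSet->stillValid; }

// Checked use: test for null before dereferencing.
bool checkedUse(const Structure& s) {
    if (!s.watchpointSet)
        return false;
    return s.watchpointSet->stillValid;
}

struct NullDereference : std::runtime_error { using std::runtime_error::runtime_error; };

void throwingHandler(const char* file, int line, const char* msg) {
    char buf[256];
    std::snprintf(buf, sizeof buf, "%s:%d: %s", file, line, msg);
    throw NullDereference(buf);
}

// Returns true if a null dereference through uncheckedUse() is trapped by the
// assert (observed here as the throwing handler firing) rather than proceeding.
bool nullDerefIsTrapped() {
    CrashHandler saved = crashHandler();
    crashHandler() = throwingHandler;
    bool trapped = false;
    try {
        (void)uncheckedUse(Structure{});
    } catch (const NullDereference& e) {
        std::fprintf(stderr, "trapped: %s\n", e.what());
        trapped = true;
    }
    crashHandler() = saved;
    return trapped;
}

int main() {
    Structure withSet{ RefPtr<InlineWatchpointSet>(new InlineWatchpointSet) };
    Structure withoutSet{};
    std::printf("checked, with set: %d\n", checkedUse(withSet));
    std::printf("checked, without set: %d\n", checkedUse(withoutSet));
    std::printf("unchecked null deref trapped: %d\n", nullDerefIsTrapped());
    // uncheckedUse(withoutSet) with the default handler would abort here.
    return 0;
}
```

The point of asserting inside `operator->` rather than at each call site is that every dereference of every `RefPtr` gets the check for free, which is how a null pointer three frames below a JIT inline-cache path surfaces with a clean backtrace instead of an unexplained fault or silent misbehaviour.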
Chris Dumez
Comment 1 2024-12-25 19:48:05 PST
EWS
Comment 2 2024-12-26 11:58:03 PST
Committed 288298@main (b88f3785dca4): <https://commits.webkit.org/288298@main> Reviewed commits have been landed. Closing PR #38379 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2024-12-26 11:59:13 PST