[Webkit-unassigned] [Bug 171801] New: Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 8 03:49:13 PDT 2017 

https://bugs.webkit.org/show_bug.cgi?id=171801

            Bug ID: 171801
           Summary: Null pointer dereference in
                    WTF::RefPtr<WTF::StringImpl>::operator!()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fumfi.255 at gmail.com

Created attachment 309352

  --> https://bugs.webkit.org/attachment.cgi?id=309352&action=review

POC to trigger null pointer dereference (jsc)

Affected SVN revision: 216356

To reproduce the problem:
./jsc jsc_null_ptr_ref_ptr.js

ASAN Output:

==21363==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1a0150fc49 bp 0x7ffec7ffda30 sp 0x7ffec7ffd7c0 T0)
==21363==The signal is caused by a READ memory access.
==21363==Hint: address points to the zero page.
    #0 0x7f1a0150fc48 in WTF::RefPtr<WTF::StringImpl>::operator!() const /XYZ/WebKit/Source/WTF/wtf/RefPtr.h:76:38
    #1 0x7f1a0150fc48 in WTF::String::isNull() const /XYZ/WebKit/Source/WTF/wtf/text/WTFString.h:150
    #2 0x7f1a0150fc48 in JSC::JSString::isRope() const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:208
    #3 0x7f1a0150fc48 in JSC::JSString::toAtomicString(JSC::ExecState*) const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:529
    #4 0x7f1a0150fc48 in JSC::JSString::toIdentifier(JSC::ExecState*) const /XYZ/WebKit/Source/JavaScriptCore/runtime/JSString.h:524
    #5 0x7f1a0150fc48 in slow_path_get_direct_pname /XYZ/WebKit/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:732
    #6 0x7f1a00ce76d9  (/XYZ/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1+0x2b9f6d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /XYZ/WebKit/Source/WTF/wtf/RefPtr.h:76:38 in WTF::RefPtr<WTF::StringImpl>::operator!() const
==21363==ABORTING

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170508/39fa7de0/attachment.html>

More information about the webkit-unassigned mailing list