[Webkit-unassigned] [Bug 179763] New: REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 16 05:46:44 PST 2017 

https://bugs.webkit.org/show_bug.cgi?id=179763

            Bug ID: 179763
           Summary: REGRESSION (r224592): oss-fuzz: jsc: Null-dereference
                    READ in JSC::JSCell::isObject (4216)
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rmorisset at apple.com

<rdar://problem/35550513>, this problem has been found by David Kilzer through fuzzing.
The bug was exposed by a change in r224592 (the addition of phantomLocalDirect(virtualRegisterForArgument(0)) in flush) but is not directly related otherwise.
The root cause of the bug was found by Saam Barati: when doing an OSR enter, |this| would be assumed to be a valid, non-null cell. This would then lead to the removal of tdz_check, making the next operation (pushByVal in this case) dereference the null value.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20171116/e8bfa66b/attachment.html>

More information about the webkit-unassigned mailing list