[Webkit-unassigned] [Bug 191252] New: Null pointer dereference in JSC::WriteBarrierBase()
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Nov 5 01:25:44 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=191252
Bug ID: 191252
Summary: Null pointer dereference in JSC::WriteBarrierBase()
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore JavaScript
Assignee: webkit-unassigned at lists.webkit.org
Reporter: kamil.frankowicz at cert.pl
Created attachment 353836
--> https://bugs.webkit.org/attachment.cgi?id=353836&action=review
Crashing test case (jsc)
After some fuzz testing I found a crashing test case.
Git HEAD: 43cf251237d5c47f1d0fd8978fd1254870af6721
To reproduce: jsc jsc_nullptr_WriteBarrierBase
Compiler: Clang 4.0
OS: Ubuntu 18.04 x64
ASAN:
==21789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f0ed74c493e bp 0x7ffddeadda70 sp 0x7ffddeadd900 T0)
==21789==The signal is caused by a READ memory access.
==21789==Hint: address points to the zero page.
#0 0x7f0ed74c493d in JSC::WriteBarrierBase<JSC::JSFunction, WTF::DumbPtrTraits<JSC::JSFunction> >::get() const XYZ/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/WriteBarrier.h:102:28
#1 0x7f0ed74c493d in JSC::JSPromiseDeferred::reject(JSC::ExecState*, JSC::JSValue) XYZ/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp:118
#2 0x7f0ed73d3588 in JSC::JSInternalPromiseDeferred::reject(JSC::ExecState*, JSC::JSValue) XYZ/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp:71:11
#3 0x526ef1 in GlobalObject::moduleLoaderFetch(JSC::JSGlobalObject*, JSC::ExecState*, JSC::JSModuleLoader*, JSC::JSValue, JSC::JSValue, JSC::JSValue) XYZ/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/jsc.cpp:1000:26
#4 0x7f0ed73f05d6 in JSC::JSModuleLoader::fetch(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue) XYZ/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/JSModuleLoader.cpp:285:16
#5 0x7f0ed7406103 in JSC::moduleLoaderFetch(JSC::ExecState*) XYZ/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/JSModuleLoader.cpp:461:36
#6 0x7f0e8c1fe176 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/webkit_asan/WebKitBuild/Release/../../Source/JavaScriptCore/runtime/WriteBarrier.h:102:28 in JSC::WriteBarrierBase<JSC::JSFunction, WTF::DumbPtrTraits<JSC::JSFunction> >::get() const
==21789==ABORTING
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181105/d6c8054c/attachment.html>
More information about the webkit-unassigned
mailing list