[Webkit-unassigned] [Bug 202150] New: [JSC] Null dereference in propagateTransitions
bugzilla-daemon at webkit.org
Tue Sep 24 10:39:41 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=202150
Bug ID: 202150
Summary: [JSC] Null dereference in propagateTransitions
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: antoniogroza at gmail.com
Hello,
While fuzzing JSC I have found a test case that is able to reproduce the following issue: https://bugs.webkit.org/show_bug.cgi?id=200983.
function hax() {
    for (const v3 in "AAAAAAAAAAA") {
        const v4 = createGlobalObject();
        with (v4) {
            v4.b = parseInt;
            v4.length = v3;
            const v6 = new Uint16Array();
        }
    }
}
hax();
Execute it on an ASAN build of JSC with the following options to repro:
./jsc --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true poc.js
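An added regression harness, not part of this report or of WebKit, that writes the test case above to a scratch file, runs it with the reporter's jsc options against an ASAN build and classifies the output so the check can sit in a CI job. JSC_BIN is an assumed environment variable and ./jsc an assumed default path; the option list is the one from the report (the repeated --thresholdForOptimizeAfterLongWarmUp flag is given once); the AddressSanitizer line used to exercise the classifier is a constructed sample.

```shell
#!/bin/sh
# Added regression check for bug 202150; not part of the report or of WebKit.
# Assumption: JSC_BIN names an ASAN build of jsc (./jsc is a placeholder default).
JSC_BIN="${JSC_BIN:-./jsc}"

# Write the reporter's test case to the path given as $1.
write_poc() {
  cat > "$1" <<'EOF'
function hax() {
    for (const v3 in "AAAAAAAAAAA") {
        const v4 = createGlobalObject();
        with (v4) {
            v4.b = parseInt;
            v4.length = v3;
            const v6 = new Uint16Array();
        }
    }
}
hax();
EOF
}

# Classify one run's combined stdout/stderr: a sanitizer report means the
# null dereference still reproduces; anything else is "clean" for this check.
classify_output() {
  if printf '%s\n' "$1" | grep -q 'ERROR: AddressSanitizer'; then
    echo asan-report
  else
    echo clean
  fi
}

# Run the test case with the options from the report. Prints the verdict and
# the jsc exit status; returns non-zero when the sanitizer fired, so a CI job
# fails if the crash comes back.
run_repro() {
  dir="$(mktemp -d)"
  write_poc "$dir/poc.js"
  out="$("$JSC_BIN" --useConcurrentJIT=false --useConcurrentGC=false \
      --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 \
      --thresholdForOptimizeAfterWarmUp=100 \
      --thresholdForOptimizeAfterLongWarmUp=100 \
      --thresholdForFTLOptimizeAfterWarmUp=1000 \
      --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true \
      "$dir/poc.js" 2>&1)"
  rc=$?
  rm -rf "$dir"
  verdict="$(classify_output "$out")"
  echo "verdict=$verdict jsc_exit=$rc"
  [ "$verdict" = clean ]
}

# Only attempt the run when an ASAN jsc is actually present.
if [ -x "$JSC_BIN" ]; then
  run_repro
fi
```

Usage: JSC_BIN=/path/to/asan/jsc sh check_202150.sh; the script exits non-zero while the report still reproduces and zero once the fix lands, which is what a post-fix regression job wants.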