[Webkit-unassigned] [Bug 222452] New: JSC Crash in makeString()
bugzilla-daemon at webkit.org
Thu Feb 25 19:11:21 PST 2021
https://bugs.webkit.org/show_bug.cgi?id=222452
Bug ID: 222452
Summary: JSC Crash in makeString()
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: sunlili at ict.ac.cn
Created attachment 421597
--> https://bugs.webkit.org/attachment.cgi?id=421597&action=review
the test case causing a crash
Hello, the following test case can cause a crash in the latest jsc.
bar_693 = '2.3023e-320';
foo_508 = bar_693.padEnd(2147483620, 1);
var newInstance = new foo_508(1, 2);
Crash output:
Aborted (core dumped)
JSC (WebKit-2.30.5) is compiled with the static, debug options.
We did some simple analysis of this crash. 'foo_508' is a large string. When 'foo_508' is used as a constructor, a TypeError should be thrown. However, while creating the error message, 'foo_508' is evaluated in DerivedSources/ForwardingHeaders/wtf/text/StringConcatenate.h:makeString(). Since foo_508's length overflows, a null string is returned and assigned to 'result' in makeString(), which causes the crash. I'm not sure whether this crash is a bug or a deliberate design.
ISec Lab.
2021.2.26
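The analysis above describes a concatenation whose total length overflows the string length limit, after which a null string is handed back and the caller aborts. The following is an added C++ illustration of the defensive pattern that avoids that failure mode: sum the piece lengths with an explicit overflow check and report failure to the caller instead of returning a null string. It is not WebKit or WTF code; `kMaxStringLength`, `checkedTotalLength`, `tryConcatenate`, `notAConstructorMessage` and the message wording are all assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// Illustrative cap on the length of a single string. Assumption for this
// example: a 31-bit length limit (int32_t maximum); not WebKit's actual constant.
constexpr std::size_t kMaxStringLength = 0x7FFFFFFF;

// Adds up the lengths of the pieces without ever overflowing and refuses
// the total when it would exceed kMaxStringLength. Returns nullopt on overflow.
std::optional<std::size_t> checkedTotalLength(const std::vector<std::size_t>& lengths) {
    std::size_t total = 0;
    for (std::size_t n : lengths) {
        if (n > kMaxStringLength - total)  // would exceed the cap: stop before adding
            return std::nullopt;
        total += n;
    }
    return total;
}

// A makeString-like concatenation that reports failure instead of handing back
// a null string. Callers receive an empty optional and decide what to do.
std::optional<std::string> tryConcatenate(const std::vector<std::string_view>& parts) {
    std::vector<std::size_t> lengths;
    for (std::string_view p : parts) lengths.push_back(p.size());
    std::optional<std::size_t> total = checkedTotalLength(lengths);
    if (!total) return std::nullopt;
    std::string out;
    out.reserve(*total);
    for (std::string_view p : parts) out.append(p);
    return out;
}

// Builds a "not a constructor" style message (hypothetical wording) and falls
// back to a fixed message when the callee text is too long to embed safely.
std::string notAConstructorMessage(std::string_view calleeText) {
    std::optional<std::string> msg = tryConcatenate({calleeText, " is not a constructor"});
    return msg ? *msg : std::string("value is not a constructor");
}

// Exercises the length check alone for a callee of the given length (for
// instance the 2147483620-character string from the report) plus a suffix.
bool messageWouldOverflow(std::size_t calleeLength, std::size_t suffixLength) {
    return !checkedTotalLength({calleeLength, suffixLength}).has_value();
}

int main() {
    // Small case: concatenation succeeds and the message embeds the callee text.
    std::string ok = notAConstructorMessage("foo_508");
    // Huge callee: the check refuses rather than allocating or returning null.
    bool overflow = messageWouldOverflow(2147483620u, 100u);
    return (ok == "foo_508 is not a constructor" && overflow) ? 0 : 1;
}
```

The point of the pattern is that the length check happens before any allocation, and the caller (here the error-message builder) sees an explicit failure it can handle, so an over-long operand degrades to a generic message rather than a process abort.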