[Webkit-unassigned] [Bug 247419] New: Nullptr dereference during forEachInIterable
bugzilla-daemon at webkit.org
Thu Nov 3 04:30:12 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=247419
Bug ID: 247419
Summary: Nullptr dereference during forEachInIterable
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: saelo at google.com
The following sample triggers a nullptr dereference on a JSC build from latest HEAD:
function main() {
    function v1(v2, v3) {
        return v1;
    }
    // "done" is an accessor whose getter is the WeakMap constructor; calling it
    // without `new` throws a TypeError.
    Object.defineProperty(v1, "done", { configurable: true, enumerable: true, get: WeakMap });
    v1.return = v1;
    v1.next = v1;
    Object.defineProperty(WeakMap, Symbol.iterator, { configurable: true, value: v1 });
    const v24 = new WeakMap(WeakMap);
}
// jsc shell helpers: keep main() out of the DFG and FTL tiers
noDFG(main);
noFTL(main);
main();

// CRASH INFO
// ==========
// TERMSIG: 11
Here is the backtrace from gdb:
#0 JSC::JSCell::isString (this=0x0) at Source/JavaScriptCore/runtime/JSCellInlines.h:219
#1 0x00007ffff544f2bd in JSC::JSCell::toBoolean (this=0x0, globalObject=0x7fffa541a068) at Source/JavaScriptCore/runtime/JSCellInlines.h:371
#2 0x00007ffff5447d55 in JSC::JSValue::toBoolean (this=0x7fffffffc248, globalObject=0x7fffa541a068) at Source/JavaScriptCore/runtime/JSCJSValueInlines.h:935
#3 0x00007ffff6bfffea in JSC::iteratorComplete (globalObject=0x7fffa541a068, iterResult=...) at Source/JavaScriptCore/runtime/IteratorOperations.cpp:68
#4 0x00007ffff6c0020c in JSC::iteratorStep (globalObject=0x7fffa541a068, iterationRecord=...) at Source/JavaScriptCore/runtime/IteratorOperations.cpp:78
#5 0x00007ffff6f8ecab in JSC::forEachInIterable<JSC::constructWeakMap(JSC::JSGlobalObject*, JSC::CallFrame*)::$_4>(JSC::JSGlobalObject*, JSC::JSValue, JSC::constructWeakMap(JSC::JSGlobalObject*, JSC::CallFrame*)::$_4 const&) (globalObject=0x7fffa541a068, iterable=..., callback=...)
at Source/JavaScriptCore/runtime/IteratorOperations.h:87
#6 0x00007ffff6f8d0a5 in JSC::constructWeakMap (globalObject=0x7fffa541a068, callFrame=0x7fffffffc6e0) at Source/JavaScriptCore/runtime/WeakMapConstructor.cpp:83
#7 0x00007fffa6a000c7 in ?? ()
#8 0x00007fffffffc7b0 in ?? ()
#9 0x00007ffff5333fbb in js_trampoline_op_construct () from WebKitBuild/Debug/lib/libJavaScriptCore.so.1
#10 0x0000000000000000 in ?? ()
I think the issue has to do with the (invalid) getter for v1.done, which will raise an exception (as `WeakMap` cannot be called, but must be constructed using `new`).
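As an added illustration (not code from the bug report or from JSC), the following JavaScript models the spec sequence GetIterator, IteratorStep, IteratorComplete that forEachInIterable performs, so the edge case in the report, a `done` getter that throws, can be observed in a safe interpreter: the exception must abort the loop before the result is ever converted to a boolean and before the callback runs. Function names are my own; the constructed iterable reuses the report's shape (the iterator is its own `next` and its own result object, and `get: WeakMap` supplies a throwing getter).

```javascript
// Added example, not the bug report's sample or JSC's implementation.
// Models GetIterator -> IteratorNext -> IteratorComplete -> IteratorValue in JS.
function forEachInIterable(iterable, callback) {
  const method = iterable[Symbol.iterator];            // GetMethod(@@iterator)
  if (typeof method !== "function") throw new TypeError("not iterable");
  const iterator = method.call(iterable);              // GetIterator
  if (Object(iterator) !== iterator) throw new TypeError("iterator is not an object");
  const next = iterator.next;
  let count = 0;
  for (;;) {
    const result = next.call(iterator);                // IteratorNext
    if (Object(result) !== result) throw new TypeError("result is not an object");
    // IteratorComplete: `result.done` may be an accessor. If its getter throws,
    // control leaves here; no boolean conversion and no callback happens.
    if (result.done) return count;
    const value = result.value;                        // IteratorValue
    try {
      callback(value);
    } catch (e) {
      // IteratorClose: a throwing callback closes the iterator, then rethrows.
      const ret = iterator.return;
      if (typeof ret === "function") ret.call(iterator);
      throw e;
    }
    count++;
  }
}

// Constructed iterable mirroring the report: `self` is iterator, `next`, and
// result object at once, and `done` is a getter that throws (WeakMap called
// without `new` raises a TypeError).
function makeThrowingDoneIterable() {
  function self() { return self; }
  Object.defineProperty(self, "done", { configurable: true, enumerable: true, get: WeakMap });
  self.next = self;
  self.return = self;
  return { [Symbol.iterator]: self };
}

// Drive the model over the report's shape and return what happened.
function runReportShape() {
  let callbacksRun = 0;
  try {
    forEachInIterable(makeThrowingDoneIterable(), () => { callbacksRun++; });
    return { threw: false, name: null, callbacksRun };
  } catch (e) {
    return { threw: true, name: e.constructor.name, callbacksRun };
  }
}
```

A conforming engine surfaces the getter's TypeError to the caller of `new WeakMap(...)`; a null `done` value reaching a boolean conversion means the exception check after the property read was skipped.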