[Webkit-unassigned] [Bug 261037] New: nullptr dereference in WebCore::WebSocket::close()
bugzilla-daemon at webkit.org
Fri Sep 1 10:21:47 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=261037
Bug ID: 261037
Summary: nullptr dereference in WebCore::WebSocket::close()
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Keywords: InRadar
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ddkilzer at webkit.org
nullptr dereference in WebCore::WebSocket::close().
```
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Codes: 0x0000000000000001, 0x0000000000000000
VM Region Info: 0 is not in any region.  Bytes before following region: 4369219584
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->
      __TEXT                      1046d0000-1046d4000    [   16K] r-x/r-x SM=COW  ...it.WebContent
Termination Reason: SIGNAL 11 Segmentation fault: 11
Terminating Process: exc handler [7349]
Triggered by Thread: 0
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 WebCore 0x1c1d0ff84 WebCore::WebSocket::close(std::__1::optional<unsigned short>, WTF::String const&) + 360 (WebSocket.cpp:440)
1 WebCore 0x1c18acd14 WebCore::jsWebSocketPrototypeFunction_closeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebSocket*)::'lambda'()::operator()() const + 24 (JSWebSocket.cpp:561) [inlined]
2 WebCore 0x1c18acd14 JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsWebSocketPrototypeFunction_closeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebSocket*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsWebSocketPrototypeFunction_closeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebSocket*)::'lambda'()&&) + 24 (JSDOMConvertBase.h:168) [inlined]
3 WebCore 0x1c18acd14 WebCore::jsWebSocketPrototypeFunction_closeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebSocket*) + 308 (JSWebSocket.cpp:561) [inlined]
4 WebCore 0x1c18acd14 long long WebCore::IDLOperation<WebCore::JSWebSocket>::call<&(WebCore::jsWebSocketPrototypeFunction_closeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebSocket*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 520 (JSDOMOperation.h:63) [inlined]
5 WebCore 0x1c18acd14 WebCore::jsWebSocketPrototypeFunction_close(JSC::JSGlobalObject*, JSC::CallFrame*) + 560 (JSWebSocket.cpp:566)
6 0x12000c654
7 0x120004268
8 0x120004748
9 JavaScriptCore 0x1c507bdd0 JSC::Interpreter::executeCallImpl(JSC::VM&, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 144 (Interpreter.cpp:1119) [inlined]
10 JavaScriptCore 0x1c507bdd0 JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 576 (Interpreter.cpp:1128)
11 JavaScriptCore 0x1c5251890 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 28 (CallData.cpp:57) [inlined]
12 JavaScriptCore 0x1c5251890 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 32 (CallData.cpp:64) [inlined]
13 JavaScriptCore 0x1c5251890 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 120 (CallData.cpp:85)
14 WebCore 0x1c1e26dc0 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 104 (JSExecState.h:91) [inlined]
15 WebCore 0x1c1e26dc0 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 976 (JSEventListener.cpp:224)
16 WebCore 0x1c21fa698 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 448 (EventTarget.cpp:372)
17 WebCore 0x1c21ee208 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 364 (EventTarget.cpp:304)
18 WebCore 0x1c21fa330 WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 212 (EventTarget.cpp:258)
19 WebCore 0x1c1d10cac WebCore::WebSocket::dispatchErrorEventIfNeeded() + 212 (WebSocket.cpp:691)
20 WebCore 0x1c1d151d0 WebCore::WebSocket::failAsynchronously()::$_10::operator()() const + 8 (WebSocket.cpp:220) [inlined]
21 WebCore 0x1c1d151d0 WTF::Detail::CallableWrapper<WebCore::WebSocket::failAsynchronously()::$_10, void>::call() + 28 (Function.h:53)
22 WebCore 0x1c21f5a68 WebCore::EventLoop::run() + 172 (EventLoop.cpp:124)
23 WebCore 0x1c2296678 WebCore::WindowEventLoop::didReachTimeToRun() + 36 (WindowEventLoop.cpp:121)
24 WebCore 0x1c2a5ebd8 WebCore::ThreadTimers::sharedTimerFiredInternal() + 152 (ThreadTimers.cpp:127) [inlined]
25 WebCore 0x1c2a5ebd8 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const + 160 (ThreadTimers.cpp:67) [inlined]
26 WebCore 0x1c2a5ebd8 WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call() + 192 (Function.h:53)
27 WebCore 0x1c2a8ffe4 WTF::Function<void ()>::operator()() const + 44 (Function.h:82) [inlined]
28 WebCore 0x1c2a8ffe4 WebCore::MainThreadSharedTimer::fired() + 44 (MainThreadSharedTimer.cpp:83) [inlined]
29 WebCore 0x1c2a8ffe4 WebCore::timerFired(__CFRunLoopTimer*, void*) + 68 (cf/MainThreadSharedTimerCF.cpp:85)
30 CoreFoundation 0x1aed402b0 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 32
31 CoreFoundation 0x1aed3ff58 __CFRunLoopDoTimer + 1004
32 CoreFoundation 0x1aecc9624 __CFRunLoopDoTimers + 288
33 CoreFoundation 0x1aecc663c __CFRunLoopRun + 1856
34 CoreFoundation 0x1aecc5e18 CFRunLoopRunSpecific + 608
35 Foundation 0x1adc5c82c -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
36 Foundation 0x1adc5ac24 -[NSRunLoop(NSRunLoop) run] + 64
37 libxpc.dylib 0x216c01e80 _xpc_objc_main + 336
38 libxpc.dylib 0x216c0418c _xpc_main + 64
39 libxpc.dylib 0x216c0436c xpc_main + 64
40 WebKit 0x1c39535d0 WebKit::XPCServiceMain(int, char const**) + 48 (XPCServiceMain.mm:241)
41 dyld 0x1d1460d44 start + 2104
```
<rdar://75425816>
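Added example (editor's illustration, not code from the bug report or from WebKit): the page-side call pattern that the stack trace records. Frames 20-21 show `WebSocket::failAsynchronously()` queuing the error dispatch, frame 19 shows `dispatchErrorEventIfNeeded()`, frame 15 shows a JS event listener running, and frames 0-5 show that listener calling `WebSocket.prototype.close()`, so the crash happens inside a re-entrant `close()` issued from an `error` listener while the engine is still delivering the event. The script below has exactly that shape. It is not a confirmed reproducer for bug 261037: the URL is a constructed placeholder, and the assumption that the engine refuses it before any network attempt (so the error is the asynchronous one seen in the trace rather than a socket failure) is the author's, not something the report states.

```javascript
// Added example, not part of the bug report or of WebKit's own code.
// Shape of the path in the trace: engine fires 'error' asynchronously,
// the page's listener calls close() re-entrantly from inside that event.

// Assumption (constructed placeholder): a URL the engine rejects before it
// starts a connection, so the 'error' event is queued on the event loop.
const PLACEHOLDER_URL = 'ws://127.0.0.1:1/';

// Attaches an error listener that calls close() while the error event is
// still being dispatched, and records what happened in `log` so the ordering
// can be inspected afterwards (or asserted on in a test).
function closeFromErrorListener(ws, log = []) {
  ws.addEventListener('error', () => {
    log.push(`error: readyState=${ws.readyState}`);
    try {
      // This is the call that sits at frame 0 of the trace.
      ws.close(1000, 'closing from the error listener');
      log.push(`close returned: readyState=${ws.readyState}`);
    } catch (e) {
      log.push(`close threw: ${e.name}`);
    }
  });
  ws.addEventListener('close', () => log.push(`close event: readyState=${ws.readyState}`));
  return log;
}

// In a browser page (the context the trace was captured in) this is the
// whole trigger. The guard keeps the file loadable in a runtime that has no
// document or no WebSocket global, where it only defines the function above.
if (typeof WebSocket !== 'undefined' && typeof document !== 'undefined') {
  const log = closeFromErrorListener(new WebSocket(PLACEHOLDER_URL));
  setTimeout(() => console.log(log.join('\n')), 1000);
}
```

What the trace does not settle, which member is null at WebSocket.cpp:440 and why the connection attempt failed in the first place, has to be read from the source at that revision; the script is a starting point for triage, not evidence of root cause. A page that wants to avoid the path regardless of engine behaviour can check `readyState` before calling `close()` from an `error` handler, since the engine is already tearing the socket down at that point.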