REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject...
author: rmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 16 Nov 2017 15:04:37 +0000 (15:04 +0000)
committer: rmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 16 Nov 2017 15:04:37 +0000 (15:04 +0000)
https://bugs.webkit.org/show_bug.cgi?id=179763
<rdar://problem/35550513>

Reviewed by Keith Miller.

JSTests:

Just adding a slightly cleaned-up version of the original fuzzer-found test.

* stress/tdz-this-in-try-catch.js: Added.
(__v_6388):
(__v_6392):

Source/JavaScriptCore:

Fix null pointer dereference caused by an eliminated tdz_check

The problem was when doing an OSR entry in DFG while |this| was null
(because super() had not yet been called in the constructor of this
subclass), it would be marked as non-null, and the tdz_check eliminated.

* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224915 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/tdz-this-in-try-catch.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp

index a6cef43..2cc1e8d 100644 (file)
@@ -1,3 +1,17 @@
+2017-11-16  Robin Morisset  <rmorisset@apple.com>
+
+        REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
+        https://bugs.webkit.org/show_bug.cgi?id=179763
+        <rdar://problem/35550513>
+
+        Reviewed by Keith Miller.
+
+        Just adding a slightly cleaned-up version of the original fuzzer-found test.
+
+        * stress/tdz-this-in-try-catch.js: Added.
+        (__v_6388):
+        (__v_6392):
+
 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
diff --git a/JSTests/stress/tdz-this-in-try-catch.js b/JSTests/stress/tdz-this-in-try-catch.js
new file mode 100644 (file)
index 0000000..89f22ba
--- /dev/null
@@ -0,0 +1,22 @@
+var __v_6388 = class __c_95 {
+};
+var __v_6392 = class __c_97 extends __v_6388 {
+  constructor() {
+    var __v_6407 = () => {
+        try {
+          __v_6386();
+        } catch (e) {}
+        try {
+          super.foo = 'q';
+        } catch (e) {}
+        super()
+        try {
+          this.idValue
+        } catch (e) {}
+    };
+    __v_6407();
+  }
+};
+for (var i = 0; i < 1000; ++i) {
+    new __v_6392()
+}
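Review bot: the new test carries no comment saying what it exercises, and with the fuzzer-generated names (`__v_6388`, `__v_6392`, `__v_6407`) a reader cannot tell that the point is touching |this| from inside an arrow function defined in a derived-class constructor, both before `super()` (the `super.foo = 'q'` assignment, which needs a receiver and so hits the TDZ check) and after it (`this.idValue`), with the 1000-iteration loop there only to get the constructor tiered up to the DFG. A two-line header comment stating that would make the regression test maintainable; it should also note that `__v_6386()` is an intentional ReferenceError swallowed by the first `try`. Minor style point: `super()` and `this.idValue` lack the trailing semicolons the rest of the file uses.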
index e818ffe..55f10e9 100644 (file)
@@ -1,3 +1,20 @@
+2017-11-16  Robin Morisset  <rmorisset@apple.com>
+
+        REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
+        https://bugs.webkit.org/show_bug.cgi?id=179763
+        <rdar://problem/35550513>
+
+        Reviewed by Keith Miller.
+
+        Fix null pointer dereference caused by an eliminated tdz_check
+
+        The problem was when doing an OSR entry in DFG while |this| was null
+        (because super() had not yet been called in the constructor of this
+        subclass), it would be marked as non-null, and the tdz_check eliminated.
+
+        * dfg/DFGInPlaceAbstractState.cpp:
+        (JSC::DFG::InPlaceAbstractState::initialize):
+
 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
 
         Unreviewed, rolling out r224863.
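Review bot: the ChangeLog entry describes the symptom (a tdz_check eliminated after OSR entry with |this| still empty) but not the change that fixes it, so a reader of this entry alone cannot tell what was done. Add a sentence saying that FlushedCell arguments at an entrypoint are now typed as SpecCellCheck rather than SpecCell, because the empty value that represents |this| in its TDZ is not a member of SpecCell and the abstract interpreter was therefore proving the check redundant.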
index b49cb4c..8d84990 100644 (file)
@@ -129,7 +129,7 @@ void InPlaceAbstractState::initialize()
                     entrypoint->valuesAtHead.argument(i).setType(SpecBoolean);
                     break;
                 case FlushedCell:
-                    entrypoint->valuesAtHead.argument(i).setType(m_graph, SpecCell);
+                    entrypoint->valuesAtHead.argument(i).setType(m_graph, SpecCellCheck);
                     break;
                 case FlushedJSValue:
                     entrypoint->valuesAtHead.argument(i).makeBytecodeTop();
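Review bot: the one-word widening from SpecCell to SpecCellCheck in the FlushedCell case is the entire fix, but the line has no comment, and a later cleanup could easily narrow it back to SpecCell as an apparent improvement in precision. Suggest a comment above the `case FlushedCell:` line along the lines of `// A cell-flushed argument can still hold the empty value (|this| of a derived constructor before super() returns); SpecCellCheck keeps the tdz_check alive.` so the reason survives with the code.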