Title: [224915] trunk
- Revision
- 224915
- Author
- [email protected]
- Date
- 2017-11-16 07:04:37 -0800 (Thu, 16 Nov 2017)
Log Message
REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
https://bugs.webkit.org/show_bug.cgi?id=179763
<rdar://problem/35550513>
Reviewed by Keith Miller.
JSTests:
Just adding a slightly cleaned-up version of the original fuzzer-found test.
* stress/tdz-this-in-try-catch.js: Added.
(__v_6388):
(__v_6392):
Source/_javascript_Core:
Fix null pointer dereference caused by an eliminated tdz_check
The problem was when doing an OSR entry in DFG while |this| was null
(because super() had not yet been called in the constructor of this
subclass), it would be marked as non-null, and the tdz_check eliminated.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
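As an added example that is not part of this patch or of WebKit's test suite, the contract the eliminated tdz_check enforces: in a derived-class constructor, |this| is uninitialized until super() returns, and reading it, even from a nested arrow function and even once the constructor has been run enough times to be JIT-compiled, must throw a ReferenceError rather than be treated as a non-null cell. The class and function names (Base, Derived, probeThisTdz, thisTdzIsStable) are made up for the illustration.

```javascript
// Minimal derived-class constructor that touches |this| both before and
// after super(), through an arrow function, mirroring the shape of the
// fuzzer-found test.
class Base {}

class Derived extends Base {
  constructor(sink) {
    // Arrow functions capture the constructor's |this| binding, so the
    // access below is subject to the same temporal dead zone.
    const probe = (label) => {
      try {
        sink.push(label + ':' + typeof this.idValue);
      } catch (e) {
        sink.push(label + ':' + e.constructor.name);
      }
    };
    probe('before'); // |this| uninitialized: ReferenceError expected
    super();
    probe('after');  // |this| initialized: property read succeeds
  }
}

// Runs one construction and returns what happened on each |this| access.
// Expected: ['before:ReferenceError', 'after:undefined'].
function probeThisTdz() {
  const sink = [];
  new Derived(sink);
  return sink;
}

// Constructs many times (1000 mirrors the regression test's loop) so that a
// tiering JIT would have compiled the constructor, and reports whether the
// TDZ behaviour stayed the same on every iteration.
function thisTdzIsStable(iterations = 1000) {
  for (let i = 0; i < iterations; ++i) {
    const events = probeThisTdz();
    if (events[0] !== 'before:ReferenceError' || events[1] !== 'after:undefined') {
      return false;
    }
  }
  return true;
}
```

A build with the eliminated tdz_check would not report a clean failure here; the access before super() reaches a null cell instead of throwing, which is what the oss-fuzz crash shows.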
Diff
Modified: trunk/JSTests/ChangeLog (224914 => 224915)
--- trunk/JSTests/ChangeLog 2017-11-16 13:49:02 UTC (rev 224914)
+++ trunk/JSTests/ChangeLog 2017-11-16 15:04:37 UTC (rev 224915)
@@ -1,3 +1,17 @@
+2017-11-16 Robin Morisset <[email protected]>
+
+ REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
+ https://bugs.webkit.org/show_bug.cgi?id=179763
+ <rdar://problem/35550513>
+
+ Reviewed by Keith Miller.
+
+ Just adding a slightly cleaned-up version of the original fuzzer-found test.
+
+ * stress/tdz-this-in-try-catch.js: Added.
+ (__v_6388):
+ (__v_6392):
+
2017-11-14 Yusuke Suzuki <[email protected]>
[DFG][FTL] Support Array::DirectArguments with OutOfBounds
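Review bot: the function list `(__v_6388):` and `(__v_6392):` keeps the fuzzer's generated names with no word on what the test checks; since the log calls this a cleaned-up version, a one-line description in the entry (that the test exercises a tdz_check on |this| inside a derived constructor after tier-up) would make it searchable when the next TDZ regression comes in.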
Added: trunk/JSTests/stress/tdz-this-in-try-catch.js (0 => 224915)
--- trunk/JSTests/stress/tdz-this-in-try-catch.js (rev 0)
+++ trunk/JSTests/stress/tdz-this-in-try-catch.js 2017-11-16 15:04:37 UTC (rev 224915)
@@ -0,0 +1,22 @@
+var __v_6388 = class __c_95 {
+};
+var __v_6392 = class __c_97 extends __v_6388 {
+ constructor() {
+ var __v_6407 = () => {
+ try {
+ __v_6386();
+ } catch (e) {}
+ try {
+ super.foo = 'q';
+ } catch (e) {}
+ super()
+ try {
+ this.idValue
+ } catch (e) {}
+ };
+ __v_6407();
+ }
+};
+for (var i = 0; i < 1000; ++i) {
+ new __v_6392()
+}
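Review bot: the test carries no comment explaining what it exercises, and two of its ingredients look accidental to a reader: `__v_6386()` is never defined, so the call exists only to throw and be swallowed by the first try/catch, and the 1000-iteration loop is there to get the constructor compiled by the DFG and entered via OSR. A short header comment stating that, plus descriptive names in place of `__v_6388`/`__v_6392`, would keep the test's purpose from being lost; `super()` and `this.idValue` also rely on automatic semicolon insertion, which is cheap to make explicit.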
Modified: trunk/Source/_javascript_Core/ChangeLog (224914 => 224915)
--- trunk/Source/_javascript_Core/ChangeLog 2017-11-16 13:49:02 UTC (rev 224914)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-11-16 15:04:37 UTC (rev 224915)
@@ -1,3 +1,20 @@
+2017-11-16 Robin Morisset <[email protected]>
+
+ REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
+ https://bugs.webkit.org/show_bug.cgi?id=179763
+ <rdar://problem/35550513>
+
+ Reviewed by Keith Miller.
+
+ Fix null pointer dereference caused by an eliminated tdz_check
+
+ The problem was when doing an OSR entry in DFG while |this| was null
+ (because super() had not yet been called in the constructor of this
+ subclass), it would be marked as non-null, and the tdz_check eliminated.
+
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+
2017-11-15 Ryan Haddad <[email protected]>
Unreviewed, rolling out r224863.
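Review bot: the description says |this| "would be marked as non-null" but never says what `SpecCellCheck` admits that `SpecCell` does not, so a reader of the ChangeLog has to open the diff to connect the fix to the bug; one sentence stating that the argument type at OSR entry now allows the uninitialized (TDZ) value would close that gap, and a note on why the other flushed formats in that switch need no change would help too.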
Modified: trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp (224914 => 224915)
--- trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp 2017-11-16 13:49:02 UTC (rev 224914)
+++ trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp 2017-11-16 15:04:37 UTC (rev 224915)
@@ -129,7 +129,7 @@
entrypoint->valuesAtHead.argument(i).setType(SpecBoolean);
break;
case FlushedCell:
- entrypoint->valuesAtHead.argument(i).setType(m_graph, SpecCell);
+ entrypoint->valuesAtHead.argument(i).setType(m_graph, SpecCellCheck);
break;
case FlushedJSValue:
entrypoint->valuesAtHead.argument(i).makeBytecodeTop();
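Review bot: the `FlushedCell` case now uses `SpecCellCheck` with no comment, so nothing stops a later cleanup from tightening it back to `SpecCell` and reintroducing the r224592 regression; a one-line comment at the changed line saying that a cell-flushed argument (|this| in a derived constructor before super()) can still hold the empty/TDZ value at OSR entry would protect it. Is the argument path the only `FlushedCell` case reached by OSR entry in `initialize`, or does the same assumption need revisiting for locals?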
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes