199796 2019-07-15 04:29:35 -0700 Found a bug while fuzzing 2019-07-30 10:54:02 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified All RESOLVED DUPLICATE 197634 InRadar P2 Normal --- 1 nine.twelve webkit-unassigned webkit-bug-importer ysuzuki oldest_to_newest 1552818 0 nine.twelve 2019-07-15 04:29:35 -0700 # env ubuntu 18.04 webkit cb9ca26 # bug it crashed in the function WTF::SymbolImpl 0x1ef6345 <WTF::SymbolImpl::create(WTF::StringImpl&)+5> push r12 0x1ef6347 <WTF::SymbolImpl::create(WTF::StringImpl&)+7> push rbx 0x1ef6348 <WTF::SymbolImpl::create(WTF::StringImpl&)+8> mov r15, rsi → 0x1ef634b <WTF::SymbolImpl::create(WTF::StringImpl&)+11> mov r14, rdi 0x1ef634e <WTF::SymbolImpl::create(WTF::StringImpl&)+14> lea rdi, [rip+0x9104a7] # 0x28067fc 0x1ef6355 <WTF::SymbolImpl::create(WTF::StringImpl&)+21> call 0x7b2890 <__sanitizer_cov_trace_pc_guard> 0x1ef635a <WTF::SymbolImpl::create(WTF::StringImpl&)+26> mov ebp, DWORD PTR [r15+0x10] 0x1ef635e <WTF::SymbolImpl::create(WTF::StringImpl&)+30> mov eax, ebp 0x1ef6360 <WTF::SymbolImpl::create(WTF::StringImpl&)+32> and eax, 0x3 the r15 here is NULL, this is passed from the PrivateName function. The rsi it passed into the chunk is a value from stack, and its NULL. $r14 : 0x00007fffffffc400 → 0x0000000000000000 When we check the source code, we found that the javascript code triggered the javascript's internal method Symbol::create(), this function will new a symbol object, and will call Symbol function inside it. Symbol* Symbol::create(ExecState* exec, JSString* description) { VM& vm = exec->vm(); String desc = description->value(exec); Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, desc); symbol->finishCreation(vm); return symbol; } In this Symbol function, it will call another create function 45 enum DescriptionTag { Description }; 46 explicit PrivateName(DescriptionTag, const String& description) 47 : m_uid(SymbolImpl::create(*description.impl())) 48 { 49 } how ever the rsi is NULL... # poc function main() { function v3(v4,v5,v6,v7,v8) { 'use strict' const v10 = Symbol(v6); function v12(v13,v14,v15,v16,v17) { 'use strict' const v20 = [-268435456,-3654755103]; const v21 = [-3654755103,v20]; let v24 = v21; const v25 = v24.toLocaleString(); const v26 = v25.padEnd(2147483647,Promise); const v27 = v3(Promise,"gBxRp/rynU",v26); } const v28 = new Promise(v12); } const v29 = new Promise(v3); } noDFG(main); noFTL(main); main(); 1553018 1 webkit-bug-importer 2019-07-15 16:14:24 -0700 <rdar://problem/53127278> 1557010 2 ysuzuki 2019-07-30 10:54:02 -0700 *** This bug has been marked as a duplicate of bug 197634 ***