jsc_fuz/wktr: null ptr deref in WebCore::invokeWritableStreamFunction…

…(...) (InternalWritableStream.cpp:49) https://bugs.webkit.org/show_bug.cgi\?id\=262865 rdar://116465595 Reviewed by Mark Lam. Return early when worker is terminated while trying to get function from globalObject. Set useDollarVM in test option initialization for cases when useDollarVM will be reset before injectInternalsObject is called in DRT. * LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt: Added. * LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html: Added. * Source/WebCore/bindings/js/InternalWritableStream.cpp: (WebCore::invokeWritableStreamFunction): * Tools/DumpRenderTree/mac/DumpRenderTree.mm: (testOptionsForTest): Originally-landed-as: 267815.398@safari-7617-branch (f11c81a). rdar://119596601 Canonical link: https://commits.webkit.org/272251@main
WebKit · Dec 19, 2023 · 8d90019 · 8d90019
1 parent a94a8a6
commit 8d90019
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 1 deletion.
diff --git a/LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt b/LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
diff --git a/LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html b/LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html
@@ -0,0 +1,19 @@
+<!-- webkit-test-runner [ jscOptions=--slowPathAllocsBetweenGCs=50 ] -->
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    internals.settings.setWebRTCSFrameTransformEnabled(true);
+    testRunner.waitUntilDone();
+}
+
+onload = () => {
+    for (let i = 0; i < 100; i++) {
+        new Worker(`data:text/javascript,for (let i = 0; i < 100; i++) new SFrameTransform().readable;`);
+    }
+    setTimeout(() => {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 100);
+};
+</script>
+<p>This test passes if it doesn't crash.</p>
diff --git a/Source/WebCore/bindings/js/InternalWritableStream.cpp b/Source/WebCore/bindings/js/InternalWritableStream.cpp
@@ -41,8 +41,8 @@ static ExceptionOr<JSC::JSValue> invokeWritableStreamFunction(JSC::JSGlobalObjec
     auto scope = DECLARE_CATCH_SCOPE(vm);
 
     auto function = globalObject.get(&globalObject, identifier);
+    RETURN_IF_EXCEPTION(scope, Exception { ExceptionCode::ExistingExceptionError });
     ASSERT(function.isCallable());
-    scope.assertNoExceptionExceptTermination();
 
     auto callData = JSC::getCallData(function);
 

diff --git a/Tools/DumpRenderTree/mac/DumpRenderTree.mm b/Tools/DumpRenderTree/mac/DumpRenderTree.mm
@@ -1892,6 +1892,8 @@ static void WebThreadLockAfterDelegateCallbacksHaveCompleted()
 
 static WTR::TestOptions testOptionsForTest(const WTR::TestCommand& command)
 {
+    // hack for cases when useDollarVM will be reset before injectInternalsObject is called in DRT
+    JSC::Options::useDollarVM() = true;
     WTR::TestFeatures features = WTR::TestOptions::defaults();
     WTR::merge(features, WTR::hardcodedFeaturesBasedOnPathForTest(command));
     WTR::merge(features, WTR::featureDefaultsFromTestHeaderForTest(command, WTR::TestOptions::keyTypeMapping()));