Bug 242599

Summary: [AArch32][Aarch64] ASSERTION FAILED variant.intrinsic() == NoIntrinsic in void JSC::DFG::ByteCodeParser::handleGetById
Product: WebKit Reporter: Mikhail R. Gadelha <mikhail>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Testcase none

Description Mikhail R. Gadelha 2022-07-11 12:26:59 PDT 
Created attachment 460795 [details]
Testcase

Found by Igalia Fuzzing Campaign.

The attached test case fails with the following message:

ASSERTION FAILED: variant.intrinsic() == NoIntrinsic
WebKit//Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp(4788) : void JSC::DFG::ByteCodeParser::handleGetById(JSC::VirtualRegister, JSC::SpeculatedType, JSC::DFG::Node*, JSC::CacheableIdentifier, unsigned int, JSC::GetByStatus, JSC::AccessType, JSC::BytecodeIndex)
Comment 1 Radar WebKit Bug Importer 2022-07-11 12:27:11 PDT 
<rdar://problem/96836847>
Comment 2 Yusuke Suzuki 2022-07-12 13:30:22 PDT 
This is stale assertion. Let's drop it.
Comment 3 Yusuke Suzuki 2022-07-12 13:32:04 PDT 
Previously all intrinsic getters are handled. So at this point, it should be NoIntrinsic.
But 4GB wasm array work added a case which can fail.

But then, we should just continue using this generic path, invoking a getter. Thus, this assertion is stale. Let's just remove it.

And marking it non-security since the solution is just removing this assertion and this is debug assertion.
Comment 4 Yusuke Suzuki 2022-07-12 13:49:23 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/2333
Comment 5 EWS 2022-07-12 14:43:17 PDT 
Committed 252391@main (1f3e8b70b999): <https://commits.webkit.org/252391@main>

Reviewed commits have been landed. Closing PR #2333 and removing active labels.