Bug 243103

Summary: ASSERTION FAILED: bytecodeIndex.offset() < instructions().size()
Product: WebKit Reporter: Mikhail R. Gadelha <mikhail>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, hi, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Testcase none

Mikhail R. Gadelha
Reported 2022-07-22 10:50:26 PDT
Created attachment 461144 [details] Testcase Found by Igalia Fuzzing Campaign. The attached test case fails with the following message: ./WebKitBuildBase/Debug/bin/jsc foo.js.txt ASSERTION FAILED: bytecodeIndex.offset() < instructions().size() ../../Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp(225) : void JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex(JSC::BytecodeIndex, int&, int&, int&, unsigned int&, unsigned int&) const Aborted (core dumped) Tested on Linux x86_64 and ARMv7. It seems like it was introduced in the last couple of days.
Attachments
Testcase (56.13 KB, text/javascript)
2022-07-22 10:50 PDT, Mikhail R. Gadelha 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-07-22 10:50:39 PDT
<rdar://problem/97445560>
Mikhail R. Gadelha
Comment 2 2022-07-22 10:55:47 PDT
I tried to bisect the issue, but I end up with another assertion failure: $ ./WebKitBuildBase/Debug/bin/jsc bar.js ASSERTION FAILED: results.size() == results.capacity() ../../Source/JavaScriptCore/interpreter/Interpreter.cpp(453) : void JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame>&, size_t, size_t) Aborted (core dumped) This crash seems to have been introduced in https://github.com/WebKit/WebKit/pull/2607/files
Mikhail R. Gadelha
Comment 3 2022-07-22 10:59:43 PDT
I start to get the error after Yusuke's fix of the ASSERTION FAILED: bytecodeIndex.offset() < instructions().size() fix in 700b13b162339206b1308a3c774caf82c6676f91.
Yusuke Suzuki
Comment 4 2022-07-22 12:22:50 PDT
Let's make it non security since it is not shipped yet.
Yusuke Suzuki
Comment 5 2022-07-22 12:29:07 PDT
Pull request: https://github.com/WebKit/WebKit/pull/2666
EWS
Comment 6 2022-07-22 16:29:07 PDT
Committed 252751@main (87b1e4a822c7): <https://commits.webkit.org/252751@main> Reviewed commits have been landed. Closing PR #2666 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.