Bug 245628

Summary: [JSC] Mark Intl.DurationFormat structure
Product: WebKit
Reporter: Mikhail R. Gadelha <mikhail>
Component: JavaScriptCore
Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Testcase (flags: none)

Description Mikhail R. Gadelha 2022-09-24 12:31:27 PDT
Created attachment 462586 [details]
Testcase

Tested on Linux Intel 64 and ARMv7.

The regression seems to have been introduced by commit 0a1408274330aa1999490790cee7d2b9b3b8ac2b.

Running the attached test case fails with the following message:

$ ./WebKitBuild/Debug/bin/jsc bar.js
ASSERTION FAILED: decontaminate()
/home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/StructureID.h(130) : JSC::Structure *JSC::StructureID::decode() const
Aborted (core dumped)

The backtrace:

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737246848832, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff19f5476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff19db7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff427127b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:754
#6  0x00007ffff42e529e in JSC::StructureID::decode (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/StructureID.h:130
#7  0x00007ffff42e4b75 in JSC::JSCell::structure (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:137
#8  0x00007ffff42e8dd9 in JSC::Heap::writeBarrier (this=0x7fffa6000080, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/heap/HeapInlines.h:121
#9  0x00007ffff42e8d44 in JSC::VM::writeBarrier (this=0x7fffa6000000, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/VM.h:894
#10 0x00007ffff42e8973 in JSC::AuxiliaryBarrier<JSC::Butterfly*>::AuxiliaryBarrier<JSC::Butterfly*&> (this=0x7fffe8020670, vm=..., owner=0x7fffe8020668, value=@0x7fffffffc820: 0x0)
    at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h:39
#11 0x00007ffff42e8775 in JSC::JSObject::JSObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1374
#12 0x00007ffff42dd7bd in JSC::JSNonFinalObject::JSNonFinalObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0)
    at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1202
#13 0x00007ffff5a0a04d in JSC::IntlDurationFormat::IntlDurationFormat (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0)
    at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:74
#14 0x00007ffff5a09ef1 in JSC::IntlDurationFormat::create (vm=..., structure=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:63
#15 0x00007ffff5a51da2 in JSC::constructIntlDurationFormat (globalObject=0x7fffa641a068, callFrame=0x7fffffffca40)
    at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormatConstructor.cpp:90
#16 0x00007fffa71ac0c7 in ?? ()
#17 0x00007fffffffcae0 in ?? ()
#18 0x00007ffff4231e37 in js_trampoline_op_construct_varargs () from /home/mgadelha/tools/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1
#19 0x0000000000000000 in ?? ()

Found by Igalia Fuzzing Campaign.
Comment 1 Radar WebKit Bug Importer 2022-09-24 12:31:41 PDT
<rdar://problem/100365199>
Comment 2 Yusuke Suzuki 2022-09-24 19:33:55 PDT
Will fix it.
Comment 3 Yusuke Suzuki 2022-09-24 19:36:58 PDT
Changing it to non-security since it is a ToT issue, not shipped in any branches.
Comment 4 Yusuke Suzuki 2022-09-24 19:40:28 PDT
Pull request: https://github.com/WebKit/WebKit/pull/4673
Comment 5 EWS 2022-09-24 23:07:10 PDT
Committed 254837@main (3440aeb31ed3): <https://commits.webkit.org/254837@main>

Reviewed commits have been landed. Closing PR #4673 and removing active labels.