Bug 246405

Summary: [JSC] Use storage node in ArrayPush for SlowPutArray
Product: WebKit Reporter: Mikhail R. Gadelha <mikhail>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Testcase none

Description Mikhail R. Gadelha 2022-10-12 09:14:48 PDT 
Created attachment 462944 [details]
Testcase

Tested on linux intel 64 and ARMv7.

$ ./WebKitBuild/Debug/bin/jsc bar.js --useConcurrentGC=0 --returnEarlyFromInfiniteLoopsForFuzzing=1 --earlyReturnFromInfiniteLoopsLimit=1000000 --verifyGC=true --forceGCSlowPaths=true --forceEagerCompilation=1 --jitPolicyScale=0 --useConcurrentJIT=0
ASSERTION FAILED: node()
/home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGEdge.h(82) : JSC::DFG::UseKind JSC::DFG::Edge::useKind() const
Aborted (core dumped)

Backtrace:

#6  0x0000555555a440fd in JSC::DFG::Edge::useKind (this=0x7fffffff6738) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGEdge.h:82
#7  0x0000555555f2be73 in JSC::DFG::StorageOperand::emplace (this=0x7fffffff6a20, jit=0x555558bc4190, edge=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2048
#8  0x0000555555f03cc0 in JSC::DFG::StorageOperand::StorageOperand (this=0x7fffffff6a20, jit=0x555558bc4190, edge=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2016
#9  0x0000555555ec8f5b in JSC::DFG::SpeculativeJIT::compileGetArrayLength (this=0x555558bc4190, node=0x555558bd6c00) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:8702
#10 0x000055555605f403 in JSC::DFG::SpeculativeJIT::compile (this=0x555558bc4190, node=0x555558bd6c00) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4411
#11 0x0000555555e91097 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x555558bc4190) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2370
#12 0x0000555555ea4a66 in JSC::DFG::SpeculativeJIT::compile (this=0x555558bc4190) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2480
#13 0x0000555555c8c304 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffa808) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:182
#14 0x0000555555c8ef8e in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffa808) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:485
#15 0x0000555555d58729 in JSC::DFG::Plan::compileInThreadImpl (this=0x555558c0d1f0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:343
#16 0x000055555659287f in JSC::JITPlan::compileInThread (this=0x555558c0d1f0, thread=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITPlan.cpp:172
#17 0x00005555565fb007 in JSC::JITWorklist::enqueue (this=0x555558bc4010, plan=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITWorklist.cpp:84
#18 0x0000555555c10096 in JSC::DFG::compileImpl (vm=..., codeBlock=0x555558c23dc0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...)
    at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:90
#19 0x0000555555c0fc63 in JSC::DFG::compile (vm=..., codeBlock=0x555558c23dc0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...)
    at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:106
#20 0x0000555556571732 in operationOptimize (vmPointer=0x555558b3fd90, bytecodeIndexBits=0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITOperations.cpp:2000

Found by Igalia Fuzzing Campaign.
Comment 1 Radar WebKit Bug Importer 2022-10-12 09:15:02 PDT 
<rdar://problem/101081844>
Comment 2 Mikhail R. Gadelha 2022-10-12 09:15:57 PDT 
Git bisect shows it was introduced by commit 8f662d8b6ea7f62e9c04fbeb9c9cafb15c7fbd91.
Comment 3 Yusuke Suzuki 2022-10-12 10:02:29 PDT 
This is just a crash bug, so not a security issue.
Comment 4 Mikhail R. Gadelha 2022-10-12 10:05:19 PDT 
It was aligned with us that all the fuzzing bugs should be opened as security bugs. I'm simply following what was agreed.
Comment 5 Yusuke Suzuki 2022-10-12 10:18:48 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/5292
Comment 6 EWS 2022-10-12 14:49:39 PDT 
Committed 255454@main (1b4792d4d366): <https://commits.webkit.org/255454@main>

Reviewed commits have been landed. Closing PR #5292 and removing active labels.