Bug 250024

Summary: [WASM][ARM64] Type confused of StackVisitor in JSC::StackVisitor::visit
Product: WebKit
Reporter: CAO ZONG <cz18811105578>
Component: JavaScriptCore
Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED
Severity: Critical
CC: bfulgham, hackerzheng666, justin_michaud, mark.lam, webkit-bug-importer, ysuzuki
Priority: P1
Keywords: InRadar
Version: WebKit Local Build
Hardware: Mac (Apple Silicon)
OS: Unspecified
Attachments (description / flags):
Reproducible poc / none
Simple poc / none
Simple poc driver / none

CAO ZONG
Reported 2023-01-03 07:37:51 PST
Created attachment 464306 [details] Reproducible poc

ASSERTION FAILED: cell
/Users/x/Desktop/AFL-WASM-main/WebKit_patch/Source/JavaScriptCore/runtime/JSObject.h(1363) : JSC::JSObject *JSC::asObject(JSC::JSCell *)
1 0x10bf45b58 WTFCrash
2 0x109cebd30 JSC::ARM64Assembler::insn(int)
3 0x109cbbfd8 JSC::asObject(JSC::JSCell*)
4 0x109cbbf60 JSC::asObject(JSC::JSValue)
5 0x10b542ea4 JSC::Register::object() const
6 0x109c9f524 JSC::CallFrame::jsCallee() const
7 0x10b396b88 JSC::CallFrame::isStackOverflowFrame() const
8 0x10afd8460 JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&)
9 0x10afd888c JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&)
10 0x10afcfd6c void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)::$_6>(JSC::CallFrame*, JSC::VM&, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)::$_6 const&)
11 0x10afcfc14 JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)
12 0x10b48e128 JSC::getStackTrace(JSC::JSGlobalObject*, JSC::VM&, JSC::JSObject*, bool)
13 0x10b4908bc JSC::ErrorInstance::finishCreation(JSC::VM&, JSC::JSGlobalObject*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::StringView, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool)
14 0x10bdf56a0 JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::StringView, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, JSC::ErrorType, bool)
15 0x10bdf889c JSC::createJSWebAssemblyRuntimeError(JSC::JSGlobalObject*, JSC::VM&, JSC::Wasm::ExceptionType)
16 0x10bd5c394 operationWasmToJSException
17 0x10bd8cfb0 slow_path_wasm_throw_exception
18 0x109b77f44 wasmLLIntPCRangeStart
19 0x100000000 (null)
Attachments
Reproducible poc (1.25 KB, text/javascript) - 2023-01-03 07:37 PST, CAO ZONG - no flags
Simple poc (162 bytes, text/plain) - 2023-01-09 17:38 PST, Justin Michaud - no flags
Simple poc driver (226 bytes, application/x-javascript) - 2023-01-09 17:38 PST, Justin Michaud - no flags
Radar WebKit Bug Importer
Comment 1 2023-01-03 07:38:03 PST
CAO ZONG
Comment 2 2023-01-03 07:40:38 PST
This poc crashes the jsc on ARM64 at commit 8bacbc1a234b.
Radar WebKit Bug Importer
Comment 3 2023-01-03 07:40:47 PST
CAO ZONG
Comment 4 2023-01-07 07:35:24 PST
friendly ping
Justin Michaud
Comment 5 2023-01-09 17:38:19 PST
Created attachment 464433 [details] Simple poc

Nice catch!
1) This test case requires both SIMD and tail calls
2) I am guessing that many of these bugs all stem from the same source
3) I have attached a super simple poc:

(module
  (func $start (export "start") (call $f1))
  (func $f1 (local v128)
    (try (do) (catch_all))
    (return_call $f2))
  (func $f2)
)
Justin Michaud
Comment 6 2023-01-09 17:38:34 PST
Created attachment 464434 [details] Simple poc driver
Yusuke Suzuki
Comment 7 2023-01-10 02:18:14 PST
This is a tail-call-specific issue. Let's just fix it in the public repository since it isn't shipped yet.
Yusuke Suzuki
Comment 8 2023-01-10 02:22:26 PST
CAO ZONG
Comment 9 2023-01-10 02:46:00 PST
All the specs this POC requires are enabled by DEFAULT, so I think the spec is READY to ship. The security label needs to be kept anyway.
EWS
Comment 10 2023-01-10 08:40:20 PST
Committed 258725@main (0eced4e49803): <https://commits.webkit.org/258725@main>
Reviewed commits have been landed. Closing PR #8450 and removing active labels.
Mark Lam
Comment 11 2023-01-10 10:17:52 PST
(In reply to CAO ZONG from comment #9)
> All the specs this POC requires are enabled by DEFAULT, so I think the spec is READY to ship. The security label needs to be kept anyway.

Hi Cao, it's not considered a security issue because this is newly developed code that has not been deployed on any platforms yet. Thanks for reporting the bug.
CAO ZONG
Comment 12 2023-01-10 10:37:21 PST
(In reply to Mark Lam from comment #11)
> (In reply to CAO ZONG from comment #9)
> > All the specs this POC requires are enabled by DEFAULT, so I think the spec is READY to ship. The security label needs to be kept anyway.
>
> Hi Cao, it's not considered a security issue because this is newly developed code that has not been deployed on any platforms yet. Thanks for reporting the bug.

Hello Mark!
Well, according to the Apple Security Bounty Guidelines ("For example, security issues that are unique to newly added features or code in developer or public beta releases — including newly introduced regressions..."), I think a bug in newly developed code also needs to be considered for security impact. So will this issue be assigned a CVE or any acknowledgement?
Mark Lam
Comment 13 2023-01-10 10:44:13 PST
(In reply to CAO ZONG from comment #12)
> (In reply to Mark Lam from comment #11)
> > (In reply to CAO ZONG from comment #9)
> > > All the specs this POC requires are enabled by DEFAULT, so I think the spec is READY to ship. The security label needs to be kept anyway.
> >
> > Hi Cao, it's not considered a security issue because this is newly developed code that has not been deployed on any platforms yet. Thanks for reporting the bug.
>
> Hello Mark!
> Well, according to the Apple Security Bounty Guidelines ("For example, security issues that are unique to newly added features or code in developer or public beta releases — including newly introduced regressions..."), I think a bug in newly developed code also needs to be considered for security impact. So will this issue be assigned a CVE or any acknowledgement?

The WebKit open source project does not and cannot speak for Apple Security. Please contact them for clarification. Thanks.
Mark Lam
Comment 14 2023-01-10 10:45:20 PST
CAO ZONG
Comment 15 2023-01-10 10:49:40 PST
(In reply to Mark Lam from comment #13)
> (In reply to CAO ZONG from comment #12)
> > (In reply to Mark Lam from comment #11)
> > > (In reply to CAO ZONG from comment #9)
> > > > All the specs this POC requires are enabled by DEFAULT, so I think the spec is READY to ship. The security label needs to be kept anyway.
> > >
> > > Hi Cao, it's not considered a security issue because this is newly developed code that has not been deployed on any platforms yet. Thanks for reporting the bug.
> >
> > Hello Mark!
> > Well, according to the Apple Security Bounty Guidelines ("For example, security issues that are unique to newly added features or code in developer or public beta releases — including newly introduced regressions..."), I think a bug in newly developed code also needs to be considered for security impact. So will this issue be assigned a CVE or any acknowledgement?
>
> The WebKit open source project does not and cannot speak for Apple Security. Please contact them for clarification. Thanks.

OK, and thanks for your patient reply :)
Yusuke Suzuki
Comment 16 2023-01-17 15:53:00 PST
*** Bug 249700 has been marked as a duplicate of this bug. ***
Yusuke Suzuki
Comment 17 2023-01-17 16:05:12 PST
*** Bug 249935 has been marked as a duplicate of this bug. ***
Yusuke Suzuki
Comment 18 2023-01-17 16:08:40 PST
*** Bug 250008 has been marked as a duplicate of this bug. ***
Yusuke Suzuki
Comment 19 2023-01-17 16:17:51 PST
*** Bug 249762 has been marked as a duplicate of this bug. ***