Bug 250024

Summary:

[WASM][ARM64] Type confused of StackVisitor in JSC::StackVisitor::visit

Product:

WebKit

Reporter:

CAO ZONG <cz18811105578>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Critical

CC:

bfulgham, hackerzheng666, justin_michaud, mark.lam, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Mac (Apple Silicon)

OS:

Unspecified

Attachments:

Description	Flags
Reproducible poc	none
Simple poc	none
Simple poc driver	none

CAO ZONG

Reported 2023-01-03 07:37:51 PST

Created attachment 464306 [details] Reproducible poc ASSERTION FAILED: cell /Users/x/Desktop/AFL-WASM-main/WebKit_patch/Source/JavaScriptCore/runtime/JSObject.h(1363) : JSC::JSObject *JSC::asObject(JSC::JSCell *) 1 0x10bf45b58 WTFCrash 2 0x109cebd30 JSC::ARM64Assembler::insn(int) 3 0x109cbbfd8 JSC::asObject(JSC::JSCell*) 4 0x109cbbf60 JSC::asObject(JSC::JSValue) 5 0x10b542ea4 JSC::Register::object() const 6 0x109c9f524 JSC::CallFrame::jsCallee() const 7 0x10b396b88 JSC::CallFrame::isStackOverflowFrame() const 8 0x10afd8460 JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&) 9 0x10afd888c JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&) 10 0x10afcfd6c void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)::$_6>(JSC::CallFrame*, JSC::VM&, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)::$_6 const&) 11 0x10afcfc14 JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long) 12 0x10b48e128 JSC::getStackTrace(JSC::JSGlobalObject*, JSC::VM&, JSC::JSObject*, bool) 13 0x10b4908bc JSC::ErrorInstance::finishCreation(JSC::VM&, JSC::JSGlobalObject*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::StringView, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) 14 0x10bdf56a0 JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::StringView, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, JSC::ErrorType, bool) 15 0x10bdf889c JSC::createJSWebAssemblyRuntimeError(JSC::JSGlobalObject*, JSC::VM&, JSC::Wasm::ExceptionType) 16 0x10bd5c394 operationWasmToJSException 17 0x10bd8cfb0 slow_path_wasm_throw_exception 18 0x109b77f44 wasmLLIntPCRangeStart 19 0x100000000 (null)

Attachments
Reproducible poc (1.25 KB, text/javascript) 2023-01-03 07:37 PST, CAO ZONG	no flags	Details
Simple poc (162 bytes, text/plain) 2023-01-09 17:38 PST, Justin Michaud	no flags	Details
Simple poc driver (226 bytes, application/x-javascript) 2023-01-09 17:38 PST, Justin Michaud	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-01-03 07:38:03 PST

<rdar://problem/103834422>

CAO ZONG

Comment 2 2023-01-03 07:40:38 PST

This poc crashes the jsc on ARM64 commit: 8bacbc1a234b

Radar WebKit Bug Importer

Comment 3 2023-01-03 07:40:47 PST

<rdar://problem/103834490>

CAO ZONG

Comment 4 2023-01-07 07:35:24 PST

friendly ping

Justin Michaud

Comment 5 2023-01-09 17:38:19 PST

Created attachment 464433 [details] Simple poc Nice catch! 1) This test case requires both SIMD and tail calls 2) I am guessing that many of these bugs all stem from the same source 3) I have attached a super simple poc: (module (func $start (export "start") (call $f1)) (func $f1 (local v128) (try (do) (catch_all)) (return_call $f2)) (func $f2) )

Justin Michaud

Comment 6 2023-01-09 17:38:34 PST

Created attachment 464434 [details] Simple poc driver

Yusuke Suzuki

Comment 7 2023-01-10 02:18:14 PST

This is tail-call specific issue. Let's just fix it in public repository since it isn't shipped yet.

Yusuke Suzuki

Comment 8 2023-01-10 02:22:26 PST

Pull request: https://github.com/WebKit/WebKit/pull/8450

CAO ZONG

Comment 9 2023-01-10 02:46:00 PST

All the spec this POC required is enabled by DEFAULT, so I think the spec is READY to ship. The security label need to be kept anyway.

EWS

Comment 10 2023-01-10 08:40:20 PST

Committed 258725@main (0eced4e49803): <https://commits.webkit.org/258725@main> Reviewed commits have been landed. Closing PR #8450 and removing active labels.

Mark Lam

Comment 11 2023-01-10 10:17:52 PST

(In reply to CAO ZONG from comment #9) > All the spec this POC required is enabled by DEFAULT, so I think the spec is > READY to ship. The security label need to be kept anyway. Hi Cao, it's not considered a security issue because this is newly developed code that has not been deployed on any platforms yet. Thanks for reporting the bug.

CAO ZONG

Comment 12 2023-01-10 10:37:21 PST

(In reply to Mark Lam from comment #11) > (In reply to CAO ZONG from comment #9) > > All the spec this POC required is enabled by DEFAULT, so I think the spec is > > READY to ship. The security label need to be kept anyway. > > Hi Cao, it's not considered a security issue because this is newly developed > code that has not been deployed on any platforms yet. Thanks for reporting > the bug. Hello Mark! Well, According to Apple Security Bounty Guidelines "For example, security issues that are unique to newly added features or code in developer or public beta releases — including newly introduced regressions...", I think the bug in newly developed code need also considered for security impact. So will this issue be assigned CVE or any acknowledge?

Mark Lam

Comment 13 2023-01-10 10:44:13 PST

(In reply to CAO ZONG from comment #12) > (In reply to Mark Lam from comment #11) > > (In reply to CAO ZONG from comment #9) > > > All the spec this POC required is enabled by DEFAULT, so I think the spec is > > > READY to ship. The security label need to be kept anyway. > > > > Hi Cao, it's not considered a security issue because this is newly developed > > code that has not been deployed on any platforms yet. Thanks for reporting > > the bug. > > Hello Mark! > Well, According to Apple Security Bounty Guidelines "For example, security > issues that are unique to newly added features or code in developer or > public beta releases — including newly introduced regressions...", I think > the bug in newly developed code need also considered for security impact. So > will this issue be assigned CVE or any acknowledge? The WebKit open source project does not and cannot speak for Apple Security. Please contact them for clarification. Thanks.

Mark Lam

Comment 14 2023-01-10 10:45:20 PST

<rdar://problem/103834422>

CAO ZONG

Comment 15 2023-01-10 10:49:40 PST

(In reply to Mark Lam from comment #13) > (In reply to CAO ZONG from comment #12) > > (In reply to Mark Lam from comment #11) > > > (In reply to CAO ZONG from comment #9) > > > > All the spec this POC required is enabled by DEFAULT, so I think the spec is > > > > READY to ship. The security label need to be kept anyway. > > > > > > Hi Cao, it's not considered a security issue because this is newly developed > > > code that has not been deployed on any platforms yet. Thanks for reporting > > > the bug. > > > > Hello Mark! > > Well, According to Apple Security Bounty Guidelines "For example, security > > issues that are unique to newly added features or code in developer or > > public beta releases — including newly introduced regressions...", I think > > the bug in newly developed code need also considered for security impact. So > > will this issue be assigned CVE or any acknowledge? > > The WebKit open source project does not and cannot speak for Apple Security. > Please contact them for clarification. Thanks. OK, and thanks for your patient reply :)

Yusuke Suzuki

Comment 16 2023-01-17 15:53:00 PST

*** Bug 249700 has been marked as a duplicate of this bug. ***

Yusuke Suzuki

Comment 17 2023-01-17 16:05:12 PST

*** Bug 249935 has been marked as a duplicate of this bug. ***

Yusuke Suzuki

Comment 18 2023-01-17 16:08:40 PST

*** Bug 250008 has been marked as a duplicate of this bug. ***

Yusuke Suzuki

Comment 19 2023-01-17 16:17:51 PST

*** Bug 249762 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.