Bug 244546 - ASSERTION FAILED: baseValue.isObject()
Summary: ASSERTION FAILED: baseValue.isObject()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-08-30 10:37 PDT by Mikhail R. Gadelha
Modified: 2022-10-14 14:14 PDT (History)
3 users (show)

See Also:

Attachments
Testcase (118 bytes, text/javascript)
2022-08-30 10:37 PDT, Mikhail R. Gadelha 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail R. Gadelha 2022-08-30 10:37:56 PDT 
Created attachment 462013 [details]
Testcase

Tested on linux intel 64 and ARMv7.

Running the attached test case fails with the following message:

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313221504) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737313221504) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737313221504, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff755e476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff75447f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555562a8a7 in WTFCrashWithInfo () at /home/mgadelha/tools/WebKit/WebKitBuild/Debug/WTF/Headers/wtf/Assertions.h:754
#6  0x0000555556639b95 in JSC::LLInt::llint_slow_path_put_by_val_direct (callFrame=0x7fffffffd310, pc=0x55555939a17e) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1239
#7  0x00005555570f18e7 in llint_op_put_by_val_direct () at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:118
#8  0x0000000000000000 in ?? ()

When disabling LLInt, we get:

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313221504) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737313221504) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737313221504, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff755e476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff75447f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555562a8a7 in WTFCrashWithInfo () at /home/mgadelha/tools/WebKit/WebKitBuild/Debug/WTF/Headers/wtf/Assertions.h:754
#6  0x000055555657ccf1 in JSC::directPutByValOptimize (globalObject=0x5555593132b8, codeBlock=0x5555593ac580, baseValue=..., subscript=..., value=..., stubInfo=0x5555593d3888, profile=0x5555593d3f98, 
    ecmaMode=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITOperations.cpp:1168
#7  0x000055555657d3ab in JSC::operationDirectPutByValStrictOptimize (globalObject=0x5555593132b8, encodedBaseValue=10, encodedSubscript=-562949953421312, encodedValue=10, stubInfo=0x5555593d3888, 
    profile=0x5555593d3f98) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITOperations.cpp:1218
...
#56 0x00005555570e2406 in vmEntryToJavaScript () at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:367

Found by Igalia Fuzzing Campaign.
Comment 1 Radar WebKit Bug Importer 2022-08-30 10:38:06 PDT 
<rdar://problem/99338799>
Comment 2 Yusuke Suzuki 2022-10-13 14:57:58 PDT 
Removing security tag since this is JSC shell only deterministic crash issue.
Comment 3 Yusuke Suzuki 2022-10-13 15:01:38 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/5343
Comment 4 EWS 2022-10-14 14:14:28 PDT 
Committed 255553@main (96ac9c31b19e): <https://commits.webkit.org/255553@main>

Reviewed commits have been landed. Closing PR #5343 and removing active labels.