RESOLVED FIXED
244546
ASSERTION FAILED: baseValue.isObject()
https://bugs.webkit.org/show_bug.cgi?id=244546
Summary
ASSERTION FAILED: baseValue.isObject()
Mikhail R. Gadelha
Reported
2022-08-30 10:37:56 PDT
Created attachment 462013: Testcase

Tested on Linux Intel 64 and ARMv7. Running the attached test case fails with the following message:

#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313221504) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737313221504) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737313221504, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff755e476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff75447f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x000055555562a8a7 in WTFCrashWithInfo () at /home/mgadelha/tools/WebKit/WebKitBuild/Debug/WTF/Headers/wtf/Assertions.h:754
#6 0x0000555556639b95 in JSC::LLInt::llint_slow_path_put_by_val_direct (callFrame=0x7fffffffd310, pc=0x55555939a17e) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1239
#7 0x00005555570f18e7 in llint_op_put_by_val_direct () at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:118
#8 0x0000000000000000 in ?? ()

When disabling LLInt, we get:

#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313221504) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737313221504) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737313221504, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff755e476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff75447f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x000055555562a8a7 in WTFCrashWithInfo () at /home/mgadelha/tools/WebKit/WebKitBuild/Debug/WTF/Headers/wtf/Assertions.h:754
#6 0x000055555657ccf1 in JSC::directPutByValOptimize (globalObject=0x5555593132b8, codeBlock=0x5555593ac580, baseValue=..., subscript=..., value=..., stubInfo=0x5555593d3888, profile=0x5555593d3f98, ecmaMode=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITOperations.cpp:1168
#7 0x000055555657d3ab in JSC::operationDirectPutByValStrictOptimize (globalObject=0x5555593132b8, encodedBaseValue=10, encodedSubscript=-562949953421312, encodedValue=10, stubInfo=0x5555593d3888, profile=0x5555593d3f98) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITOperations.cpp:1218
...
#56 0x00005555570e2406 in vmEntryToJavaScript () at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:367

Found by Igalia Fuzzing Campaign.
Attachments
Testcase (118 bytes, text/javascript), 2022-08-30 10:37 PDT, Mikhail R. Gadelha, no flags
Radar WebKit Bug Importer
Comment 1
2022-08-30 10:38:06 PDT
<rdar://problem/99338799>
Yusuke Suzuki
Comment 2
2022-10-13 14:57:58 PDT
Removing security tag since this is a JSC-shell-only deterministic crash issue.
Yusuke Suzuki
Comment 3
2022-10-13 15:01:38 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/5343
EWS
Comment 4
2022-10-14 14:14:28 PDT
Committed 255553@main (96ac9c31b19e): <https://commits.webkit.org/255553@main>

Reviewed commits have been landed. Closing PR #5343 and removing active labels.