Bug 250024 - [WASM][ARM64] Type confused of StackVisitor in JSC::StackVisitor::visit
Summary: [WASM][ARM64] Type confused of StackVisitor in JSC::StackVisitor::visit
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Mac (Apple Silicon) Unspecified
Importance: P1 Critical
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Duplicates: 249700 249762 250008
Depends on:
Blocks:
 
Reported: 2023-01-03 07:37 PST by CAO ZONG
Modified: 2023-01-17 16:17 PST
CC: 6 users
See Also:

Attachments
Reproducible poc (1.25 KB, text/javascript)
2023-01-03 07:37 PST, CAO ZONG
Simple poc (162 bytes, text/plain)
2023-01-09 17:38 PST, Justin Michaud
Simple poc driver (226 bytes, application/x-javascript)
2023-01-09 17:38 PST, Justin Michaud

Description CAO ZONG 2023-01-03 07:37:51 PST
Created attachment 464306 [details]
Reproducible poc

ASSERTION FAILED: cell
/Users/x/Desktop/AFL-WASM-main/WebKit_patch/Source/JavaScriptCore/runtime/JSObject.h(1363) : JSC::JSObject *JSC::asObject(JSC::JSCell *)
1   0x10bf45b58 WTFCrash
2   0x109cebd30 JSC::ARM64Assembler::insn(int)
3   0x109cbbfd8 JSC::asObject(JSC::JSCell*)
4   0x109cbbf60 JSC::asObject(JSC::JSValue)
5   0x10b542ea4 JSC::Register::object() const
6   0x109c9f524 JSC::CallFrame::jsCallee() const
7   0x10b396b88 JSC::CallFrame::isStackOverflowFrame() const
8   0x10afd8460 JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&)
9   0x10afd888c JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&)
10  0x10afcfd6c void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)::$_6>(JSC::CallFrame*, JSC::VM&, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)::$_6 const&)
11  0x10afcfc14 JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)
12  0x10b48e128 JSC::getStackTrace(JSC::JSGlobalObject*, JSC::VM&, JSC::JSObject*, bool)
13  0x10b4908bc JSC::ErrorInstance::finishCreation(JSC::VM&, JSC::JSGlobalObject*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::StringView, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool)
14  0x10bdf56a0 JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::StringView, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, JSC::ErrorType, bool)
15  0x10bdf889c JSC::createJSWebAssemblyRuntimeError(JSC::JSGlobalObject*, JSC::VM&, JSC::Wasm::ExceptionType)
16  0x10bd5c394 operationWasmToJSException
17  0x10bd8cfb0 slow_path_wasm_throw_exception
18  0x109b77f44 wasmLLIntPCRangeStart
19  0x100000000 (null)
Comment 1 Radar WebKit Bug Importer 2023-01-03 07:38:03 PST
<rdar://problem/103834422>
Comment 2 CAO ZONG 2023-01-03 07:40:38 PST
This poc crashes the jsc on ARM64
commit: 8bacbc1a234b
Comment 3 Radar WebKit Bug Importer 2023-01-03 07:40:47 PST
<rdar://problem/103834490>
Comment 4 CAO ZONG 2023-01-07 07:35:24 PST
friendly ping
Comment 5 Justin Michaud 2023-01-09 17:38:19 PST
Created attachment 464433 [details]
Simple poc

Nice catch! 

1) This test case requires both SIMD and tail calls

2) I am guessing that many of these bugs all stem from the same source

3) I have attached a super simple poc:

(module
  (func $start (export "start")
    (call $f1))
  (func $f1
    (local v128)
    (try
      (do)
      (catch_all))
    (return_call $f2))
  (func $f2)
)
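The simple PoC above combines three proposals in one function: a v128 local (SIMD), an empty try/catch_all (legacy exception handling) and a return_call (tail calls). When sorting crash reproducers by the feature combination they exercise, it helps to read that combination straight out of the binary. The script below is an added example written for this report; it is not WebKit code and not the attached PoC driver. It decodes the code section of a .wasm binary far enough to count v128 locals, 0xfd-prefixed SIMD instructions, return_call/return_call_indirect and the legacy try/catch opcodes, and it raises on any opcode it does not know rather than skipping bytes blindly. The embedded module bytes are a hand-assembled encoding of the PoC module from this comment, constructed here for the example.

```python
"""Per-module feature triage for WebAssembly binaries (added example, not WebKit code).

Reports v128 locals, SIMD ops, tail calls and legacy exception-handling ops found in
the code section, so reproducers can be grouped by the proposals they combine.
"""

# Opcode groups by immediate shape: core spec plus tail-call and legacy EH proposals.
NO_IMM = set(range(0x45, 0xC5)) | {0x00, 0x01, 0x05, 0x0B, 0x0F, 0x19, 0x1A, 0x1B}
ONE_U32 = {0x07, 0x08, 0x09, 0x0C, 0x0D, 0x10, 0x12, 0x18, 0x20, 0x21, 0x22, 0x23, 0x24}
TWO_U32 = {0x11, 0x13}                 # call_indirect / return_call_indirect: typeidx tableidx
BLOCKTYPE = {0x02, 0x03, 0x04, 0x06}   # block, loop, if, try
MEMARG = set(range(0x28, 0x3F))        # loads and stores: align, offset
TAIL_CALL_OPS = {0x12, 0x13}
EH_OPS = {0x06, 0x07, 0x08, 0x09, 0x18, 0x19}   # try, catch, throw, rethrow, delegate, catch_all


def read_u32(data, pos):
    """Decode an unsigned LEB128 at pos; return (value, new_pos)."""
    result = shift = 0
    while True:
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def skip_sleb(data, pos):
    """Skip a signed LEB128 (also covers single-byte blocktypes such as 0x40)."""
    while data[pos] & 0x80:
        pos += 1
    return pos + 1


def skip_memarg(data, pos):
    _, pos = read_u32(data, pos)   # alignment
    _, pos = read_u32(data, pos)   # offset
    return pos


def scan_body(data, pos, end, features):
    """Walk one function body (local declarations, then instructions) and tally features."""
    ngroups, pos = read_u32(data, pos)
    for _ in range(ngroups):
        count, pos = read_u32(data, pos)
        valtype = data[pos]
        pos += 1
        if valtype == 0x7B:            # v128
            features["v128_locals"] += count
    while pos < end:
        op = data[pos]
        pos += 1
        if op in NO_IMM:
            pass
        elif op in ONE_U32:
            _, pos = read_u32(data, pos)
        elif op in TWO_U32:
            _, pos = read_u32(data, pos)
            _, pos = read_u32(data, pos)
        elif op in BLOCKTYPE:
            pos = skip_sleb(data, pos)
        elif op in MEMARG:
            pos = skip_memarg(data, pos)
        elif op in (0x3F, 0x40):       # memory.size / memory.grow: reserved 0x00 byte
            pos += 1
        elif op in (0x41, 0x42):       # i32.const / i64.const
            pos = skip_sleb(data, pos)
        elif op == 0x43:               # f32.const
            pos += 4
        elif op == 0x44:               # f64.const
            pos += 8
        elif op == 0x0E:               # br_table: vec(labelidx) labelidx
            n, pos = read_u32(data, pos)
            for _ in range(n + 1):
                _, pos = read_u32(data, pos)
        elif op == 0xFD:               # SIMD prefix; immediates depend on the sub-opcode
            features["simd_ops"] += 1
            sub, pos = read_u32(data, pos)
            if sub <= 11 or sub in (92, 93):     # v128 loads/stores
                pos = skip_memarg(data, pos)
            elif sub in (12, 13):                # v128.const, i8x16.shuffle
                pos += 16
            elif 21 <= sub <= 34:                # extract/replace lane
                pos += 1
            elif 84 <= sub <= 91:                # load/store lane
                pos = skip_memarg(data, pos) + 1
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {pos - 1}")
        if op in TAIL_CALL_OPS:
            features["tail_calls"] += 1
        if op in EH_OPS:
            features["eh_ops"] += 1
    return pos


def scan_wasm_features(data):
    """Parse the section layout and tally features from the code section (id 10)."""
    if data[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a WebAssembly v1 binary")
    features = {"functions": 0, "v128_locals": 0, "simd_ops": 0, "tail_calls": 0, "eh_ops": 0}
    pos = 8
    while pos < len(data):
        section_id = data[pos]
        size, pos = read_u32(data, pos + 1)
        if section_id == 10:
            count, body_pos = read_u32(data, pos)
            features["functions"] = count
            for _ in range(count):
                body_size, body_pos = read_u32(data, body_pos)
                scan_body(data, body_pos, body_pos + body_size, features)
                body_pos += body_size
        pos += size
    return features


# Hand-assembled binary of the simple PoC module from comment 5 (constructed for this
# example): $start exported, $f1 with one v128 local, an empty try/catch_all and a
# return_call to $f2, and an empty $f2.
POC_MODULE = bytes.fromhex(
    "0061736d01000000"          # magic, version 1
    "010401600000"              # type section: one type, () -> ()
    "030403000000"              # function section: three functions of type 0
    "0709010573746172740000"    # export section: "start" -> func 0
    "0a1403"                    # code section, 20 bytes, three bodies
    "040010010b"                # $start: call $f1; end
    "0a01017b0640190b12020b"    # $f1: (local v128) try catch_all end; return_call $f2; end
    "02000b"                    # $f2: end
)

if __name__ == "__main__":
    for name, value in scan_wasm_features(POC_MODULE).items():
        print(f"{name}: {value}")
```

Run it on any .wasm file by passing its bytes to scan_wasm_features; for the embedded PoC it reports one v128 local, one tail call and two exception-handling ops, which is exactly the combination comment 5 says the crash needs. The 0xfc (bulk memory / saturating conversion) prefix is deliberately left out, so a module using it fails loudly instead of being mis-decoded.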
Comment 6 Justin Michaud 2023-01-09 17:38:34 PST
Created attachment 464434 [details]
Simple poc driver
Comment 7 Yusuke Suzuki 2023-01-10 02:18:14 PST
This is a tail-call specific issue. Let's just fix it in the public repository since it isn't shipped yet.
Comment 8 Yusuke Suzuki 2023-01-10 02:22:26 PST
Pull request: https://github.com/WebKit/WebKit/pull/8450
Comment 9 CAO ZONG 2023-01-10 02:46:00 PST
All the specs this POC requires are enabled by DEFAULT, so I think the spec is READY to ship. The security label needs to be kept anyway.
Comment 10 EWS 2023-01-10 08:40:20 PST
Committed 258725@main (0eced4e49803): <https://commits.webkit.org/258725@main>

Reviewed commits have been landed. Closing PR #8450 and removing active labels.
Comment 11 Mark Lam 2023-01-10 10:17:52 PST
(In reply to CAO ZONG from comment #9)
> All the specs this POC requires are enabled by DEFAULT, so I think the spec
> is READY to ship. The security label needs to be kept anyway.

Hi Cao, it's not considered a security issue because this is newly developed code that has not been deployed on any platforms yet.  Thanks for reporting the bug.
Comment 12 CAO ZONG 2023-01-10 10:37:21 PST
(In reply to Mark Lam from comment #11)
> (In reply to CAO ZONG from comment #9)
> > All the specs this POC requires are enabled by DEFAULT, so I think the spec
> > is READY to ship. The security label needs to be kept anyway.
> 
> Hi Cao, it's not considered a security issue because this is newly developed
> code that has not been deployed on any platforms yet.  Thanks for reporting
> the bug.

Hello Mark!
Well, according to the Apple Security Bounty Guidelines ("For example, security issues that are unique to newly added features or code in developer or public beta releases — including newly introduced regressions..."), I think bugs in newly developed code also need to be considered for security impact. So will this issue be assigned a CVE or any acknowledgement?
Comment 13 Mark Lam 2023-01-10 10:44:13 PST
(In reply to CAO ZONG from comment #12)
> (In reply to Mark Lam from comment #11)
> > (In reply to CAO ZONG from comment #9)
> > > All the specs this POC requires are enabled by DEFAULT, so I think the spec
> > > is READY to ship. The security label needs to be kept anyway.
> > 
> > Hi Cao, it's not considered a security issue because this is newly developed
> > code that has not been deployed on any platforms yet.  Thanks for reporting
> > the bug.
> 
> Hello Mark!
> Well, according to the Apple Security Bounty Guidelines ("For example,
> security issues that are unique to newly added features or code in developer
> or public beta releases — including newly introduced regressions..."), I
> think bugs in newly developed code also need to be considered for security
> impact. So will this issue be assigned a CVE or any acknowledgement?

The WebKit open source project does not and cannot speak for Apple Security. Please contact them for clarification.  Thanks.
Comment 14 Mark Lam 2023-01-10 10:45:20 PST
<rdar://problem/103834422>
Comment 15 CAO ZONG 2023-01-10 10:49:40 PST
(In reply to Mark Lam from comment #13)
> (In reply to CAO ZONG from comment #12)
> > (In reply to Mark Lam from comment #11)
> > > (In reply to CAO ZONG from comment #9)
> > > > All the specs this POC requires are enabled by DEFAULT, so I think the spec
> > > > is READY to ship. The security label needs to be kept anyway.
> > > 
> > > Hi Cao, it's not considered a security issue because this is newly developed
> > > code that has not been deployed on any platforms yet.  Thanks for reporting
> > > the bug.
> > 
> > Hello Mark!
> > Well, according to the Apple Security Bounty Guidelines ("For example,
> > security issues that are unique to newly added features or code in developer
> > or public beta releases — including newly introduced regressions..."), I
> > think bugs in newly developed code also need to be considered for security
> > impact. So will this issue be assigned a CVE or any acknowledgement?
> 
> The WebKit open source project does not and cannot speak for Apple Security.
> Please contact them for clarification.  Thanks.

OK, and thanks for your patient reply :)
Comment 16 Yusuke Suzuki 2023-01-17 15:53:00 PST
*** Bug 249700 has been marked as a duplicate of this bug. ***
Comment 17 Yusuke Suzuki 2023-01-17 16:05:12 PST
*** Bug 249935 has been marked as a duplicate of this bug. ***
Comment 18 Yusuke Suzuki 2023-01-17 16:08:40 PST
*** Bug 250008 has been marked as a duplicate of this bug. ***
Comment 19 Yusuke Suzuki 2023-01-17 16:17:51 PST
*** Bug 249762 has been marked as a duplicate of this bug. ***