135155 2014-07-22 02:29:51 -0700 ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell 2014-07-22 14:44:53 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 116980 1 rhodovan.u-szeged fpizlo fpizlo llango.u-szeged mhahnenberg oliver webkit-bug-importer oldest_to_newest 1023923 0 235280 rhodovan.u-szeged 2014-07-22 02:29:51 -0700 Created attachment 235280 Test case Release assert was hit in DFGSpeculativeJIT with the following script: function run() { for (var t = 1; 1 <= 2; t++) { t.length = function() { var foo = iv.charCodeAt(foo, undefined); }; } } run(); The test was run on Ubuntu 13.10, x86_64. The related backtrace: ASSERTION FAILED: info.spillFormat() & DataFormatJS ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1022) : JSC::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge) 1 0x7ffff73b4662 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(WTFCrash+0x1e) [0x7ffff73b4662] 2 0x7ffff70643c7 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT17fillSpeculateCellENS0_4EdgeE+0x24f) [0x7ffff70643c7] 3 0x7ffff704c695 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG20SpeculateCellOperand3gprEv+0x71) [0x7ffff704c695] 4 0x7ffff7041382 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT19compileStoreBarrierEPNS0_4NodeE+0xa6) [0x7ffff7041382] 5 0x7ffff7077cc9 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT7compileEPNS0_4NodeE+0xf771) [0x7ffff7077cc9] 6 0x7ffff702f4d5 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT19compileCurrentBlockEv+0x613) [0x7ffff702f4d5] 7 0x7ffff702fa8a /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG14SpeculativeJIT7compileEv+0x98) [0x7ffff702fa8a] 8 0x7ffff6fc43a2 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG11JITCompiler11compileBodyEv+0x26) [0x7ffff6fc43a2] 9 0x7ffff6fc5b4e /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG11JITCompiler15compileFunctionEv+0x19a) [0x7ffff6fc5b4e] 10 0x7ffff7018d35 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG4Plan19compileInThreadImplERNS0_14LongLivedStateE+0x5af) [0x7ffff7018d35] 11 0x7ffff7018514 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG4Plan15compileInThreadERNS0_14LongLivedStateEPNS0_10ThreadDataE+0x148) [0x7ffff7018514] 12 0x7ffff6f95e36 /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(+0xab8e36) [0x7ffff6f95e36] 13 0x7ffff6f95ecd /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG7compileERNS_2VMEPNS_9CodeBlockES4_NS0_15CompilationModeEjRKNS_8OperandsINS_7JSValueENS_18OperandValueTraitsIS7_EEEEN3WTF10PassRefPtrINS_27DeferredCompilationCallbackEEE+0x6a) [0x7ffff6f95ecd] 14 0x7ffff715b80a /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0(+0xc7e80a) [0x7ffff715b80a] 15 0x7ffff2914d66 [0x7ffff2914d66] Program received signal SIGSEGV, Segmentation fault. 0x00007ffff73b4667 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 329 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff73b4667 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 #1 0x00007ffff70643c7 in JSC::DFG::SpeculativeJIT::fillSpeculateCell (this=0x68e8d0, edge=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1022 #2 0x00007ffff704c695 in JSC::DFG::SpeculateCellOperand::gpr (this=0x7fffffffb4b0) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:3064 #3 0x00007ffff7041382 in JSC::DFG::SpeculativeJIT::compileStoreBarrier (this=0x68e8d0, node=0x7fffb08a0e80) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:5359 #4 0x00007ffff7077cc9 in JSC::DFG::SpeculativeJIT::compile (this=0x68e8d0, node=0x7fffb08a0e80) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4687 #5 0x00007ffff702f4d5 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x68e8d0) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1453 #6 0x00007ffff702fa8a in JSC::DFG::SpeculativeJIT::compile (this=0x68e8d0) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1565 #7 0x00007ffff6fc43a2 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffbc40) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:113 #8 0x00007ffff6fc5b4e in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffbc40) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:347 #9 0x00007ffff7018d35 in JSC::DFG::Plan::compileInThreadImpl (this=0x68a7b0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:290 #10 0x00007ffff7018514 in JSC::DFG::Plan::compileInThread (this=0x68a7b0, longLivedState=..., threadData=0x0) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:159 #11 0x00007ffff6f95e36 in JSC::DFG::compileImpl (vm=..., codeBlock=0x68c010, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=8, mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:104 #12 0x00007ffff6f95ecd in JSC::DFG::compile (vm=..., codeBlock=0x68c010, profiledDFGCodeBlock=0x0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=8, mustHandleValues=..., passedCallback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:124 #13 0x00007ffff715b80a in JSC::operationOptimize (exec=0x7fffffffcc40, bytecodeIndex=8) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1195 #14 0x00007ffff2914d66 in ?? () #15 0x0000000000654490 in ?? () #16 0x00007fffb08c53f0 in ?? () #17 0xffff0000000005d5 in ?? () #18 0xffff0000000005d6 in ?? () #19 0x00007fffffffcc90 in ?? () #20 0x00007ffff739e0c8 in llint_entry () from /home/reni/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcoregtk-3.0.so.0 Backtrace stopped: frame did not save the PC 1023971 1 webkit-bug-importer 2014-07-22 10:06:06 -0700 <rdar://problem/17763909> 1023996 2 fpizlo 2014-07-22 11:03:58 -0700 This is not a security bug. In the future, please don't put compiler release asserts into the security component. It is misleading. 1023998 3 235299 fpizlo 2014-07-22 11:07:32 -0700 Created attachment 235299 the patch 1024003 4 235299 ggaren 2014-07-22 11:19:28 -0700 Comment on attachment 235299 the patch View in context: https://bugs.webkit.org/attachment.cgi?id=235299&action=review Does the 32_64 path need this change too? Maybe not because 32_64 already has an explicit int path? > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1028 > RELEASE_ASSERT(info.spillFormat() & DataFormatJS); This ASSERT seems redundant now, since the clause above checks the same condition. 1024005 5 fpizlo 2014-07-22 11:24:21 -0700 (In reply to comment #4) > (From update of attachment 235299 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=235299&action=review > > Does the 32_64 path need this change too? Maybe not because 32_64 already has an explicit int path? > > > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1028 > > RELEASE_ASSERT(info.spillFormat() & DataFormatJS); > > This ASSERT seems redundant now, since the clause above checks the same condition. Yup, removed. 1024037 6 fpizlo 2014-07-22 12:48:27 -0700 Landed in http://trac.webkit.org/changeset/171354 1024070 7 rhodovan.u-szeged 2014-07-22 14:36:14 -0700 (In reply to comment #2) > This is not a security bug. In the future, please don't put compiler release asserts into the security component. It is misleading. I'm sorry. It seems that two weeks of vacation had bad effect on my memory. I remembered that release asserts should be reported as security in WebKit too. Next time I'll be more careful. 1024074 8 fpizlo 2014-07-22 14:44:53 -0700 (In reply to comment #7) > (In reply to comment #2) > > This is not a security bug. In the future, please don't put compiler release asserts into the security component. It is misleading. > > I'm sorry. It seems that two weeks of vacation had bad effect on my memory. I remembered that release asserts should be reported as security in WebKit too. Next time I'll be more careful. No problem. I believe that there is an ASSERT_WITH_SECURITY_IMPLICATIONS macro somewhere, which is meant to help disambiguate. Release assertions in JSC are almost never security-related. 235280 2014-07-22 02:29:51 -0700 2014-07-22 11:07:32 -0700 Test case crash.js application/javascript 163 rhodovan.u-szeged ZnVuY3Rpb24gcnVuKCkgewogICAgZm9yICh2YXIgdCA9IDE7IDEgPD0gMjsgdCsrKSB7CiAgICAg ICAgdC5sZW5ndGggPSBmdW5jdGlvbigpIHsKICAgICAgICAgICAgdmFyIGZvbyA9IGl2LmNoYXJD b2RlQXQoZm9vLCB1bmRlZmluZWQpOwogICAgICAgIH07CiAgICB9Cn0KCnJ1bigpOw== 235299 2014-07-22 11:07:32 -0700 2014-07-22 11:19:28 -0700 the patch blah.patch text/plain 2313 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTcxMzQ4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE5IEBA CisyMDE0LTA3LTIyICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg QVNTRVJUSU9OIEZBSUxFRDogaW5mby5zcGlsbEZvcm1hdCgpICYgRGF0YUZvcm1hdEpTIGluIEpT Qzo6REZHOjpTcGVjdWxhdGl2ZUpJVDo6ZmlsbFNwZWN1bGF0ZUNlbGwKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEzNTE1NQorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorICAgICAgICAKKyAgICAgICAgVGhlIERGRyBmaWxsU3Bl Y3VsYXRlIGNvZGUgcGF0aHMgYWxsIG5lZWQgdG8gYmUgbWluZGZ1bCBvZiB0aGUgZmFjdCB0aGF0 IHRoZXkgbWF5IGJlIHN0dW1ibGluZyB1cG9uIGEKKyAgICAgICAgY29udHJhZGljdGlvbiwgYW5k IHRoYXQgdGhpcyBpcyBPSy4gSW4gdGhpcyBjYXNlLCB3ZSB3ZXJlIHNwZWN1bGF0aW5nIGNlbGwg b24gYW4gaW50LgorCisgICAgICAgICogZGZnL0RGR1NwZWN1bGF0aXZlSklUNjQuY3BwOgorICAg ICAgICAoSlNDOjpERkc6OlNwZWN1bGF0aXZlSklUOjpmaWxsU3BlY3VsYXRlQ2VsbCk6CisgICAg ICAgICogdGVzdHMvc3RyZXNzL3JlZ3Jlc3MtMTM1MTU1LmpzOiBBZGRlZC4KKyAgICAgICAgKHJ1 bi50Lmxlbmd0aCk6CisgICAgICAgIChydW4pOgorCiAyMDE0LTA3LTIxICBNYXJrIExhbSAgPG1h cmsubGFtQGFwcGxlLmNvbT4KIAogICAgICAgICBSZWZhY3RvciBBcnJheVByb3RvdHlwZSB0byB1 c2UgZ2V0TGVuZ3RoKCkgYW5kIHB1dExlbmd0aCgpIHV0aWxpdHkgZnVuY3Rpb25zLgpJbmRleDog U291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJVDY0LmNwcAo9PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0aXZlSklUNjQuY3Bw CShyZXZpc2lvbiAxNzEzNDcpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1 bGF0aXZlSklUNjQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xMDE5LDYgKzEwMTksMTIgQEAgR1BS UmVnIFNwZWN1bGF0aXZlSklUOjpmaWxsU3BlY3VsYXRlQ2VsbAogICAgICAgICAgICAgdGVybWlu YXRlU3BlY3VsYXRpdmVFeGVjdXRpb24oVW5jb3VudGFibGUsIEpTVmFsdWVSZWdzKCksIDApOwog ICAgICAgICAgICAgcmV0dXJuIGdwcjsKICAgICAgICAgfQorICAgICAgICAKKyAgICAgICAgaWYg KCEoaW5mby5zcGlsbEZvcm1hdCgpICYgRGF0YUZvcm1hdEpTKSkgeworICAgICAgICAgICAgdGVy bWluYXRlU3BlY3VsYXRpdmVFeGVjdXRpb24oVW5jb3VudGFibGUsIEpTVmFsdWVSZWdzKCksIDAp OworICAgICAgICAgICAgcmV0dXJuIGdwcjsKKyAgICAgICAgfQorICAgICAgICAKICAgICAgICAg UkVMRUFTRV9BU1NFUlQoaW5mby5zcGlsbEZvcm1hdCgpICYgRGF0YUZvcm1hdEpTKTsKICAgICAg ICAgbV9ncHJzLnJldGFpbihncHIsIHZpcnR1YWxSZWdpc3RlciwgU3BpbGxPcmRlclNwaWxsZWQp OwogICAgICAgICBtX2ppdC5sb2FkNjQoSklUQ29tcGlsZXI6OmFkZHJlc3NGb3IodmlydHVhbFJl Z2lzdGVyKSwgZ3ByKTsKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS90ZXN0cy9zdHJlc3Mv cmVncmVzcy0xMzUxNTUuanMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL3Rl c3RzL3N0cmVzcy9yZWdyZXNzLTEzNTE1NS5qcwkocmV2aXNpb24gMCkKKysrIFNvdXJjZS9KYXZh U2NyaXB0Q29yZS90ZXN0cy9zdHJlc3MvcmVncmVzcy0xMzUxNTUuanMJKHdvcmtpbmcgY29weSkK QEAgLTAsMCArMSw5IEBACitmdW5jdGlvbiBydW4oKSB7CisgICAgZm9yICh2YXIgdCA9IDEsIGkg PSAwOyBpIDwgMTAwMDA7IHQrKywgaSsrKSB7CisgICAgICAgIHQubGVuZ3RoID0gZnVuY3Rpb24o KSB7CisgICAgICAgICAgICB2YXIgZm9vID0gaXYuY2hhckNvZGVBdChmb28sIHVuZGVmaW5lZCk7 CisgICAgICAgIH07CisgICAgfQorfQorCitydW4oKTsK