199997 2019-07-22 02:44:04 -0700 JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray 2019-08-05 13:02:53 -0700 1 1 1 Unclassified WebKit JavaScriptCore Safari 12 Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 saelo msaboff bfulgham commit-queue darin ews-feeder fpizlo mark.lam msaboff product-security rmorisset saam tzagallo webkit-bug-importer ysuzuki oldest_to_newest 1554661 0 saelo 2019-07-22 02:44:04 -0700 The following JavaScript program crashes current JSC built in debug configurations: function v0(v1, t) { let v5 = v1; for (let v10 = 0; v10 < 8; v10++) { const v11 = v1 instanceof Uint32Array; const v12 = v1[65537]; } const v13 = v5[0]; } const v15 = new Uint32Array(1024); for (let v19 = 0; v19 < 10000; v19++) { const v20 = v0(v15); } Crashes with: ASSERTION FAILED: node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0))) ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(2966) : void JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray(JSC::DFG::Node *, JSC::TypedArrayType) 1 0x107f95d29 WTFCrash 2 0x10652311b WTFCrashWithInfo(int, char const*, char const*, int) 3 0x1070bfc5f JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray(JSC::DFG::Node*, JSC::TypedArrayType) 4 0x1072711e1 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) 5 0x1070b7f79 JSC::DFG::SpeculativeJIT::compileCurrentBlock() 6 0x1070b8d52 JSC::DFG::SpeculativeJIT::compile() 7 0x106f1d954 JSC::DFG::JITCompiler::compileBody() 8 0x106f211fa JSC::DFG::JITCompiler::compileFunction() 9 0x10705f813 JSC::DFG::Plan::compileInThreadImpl() 10 0x10705d256 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) 11 0x107312c6b JSC::DFG::Worklist::ThreadBody::work() 12 0x107f9bf19 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const 13 0x107f9bb59 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() 14 0x1070ac5ea WTF::Function<void ()>::operator()() const 15 0x107fd8600 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) 16 0x10806d7d5 WTF::wtfThreadEntryPoint(void*) 17 0x7fff5b3d72eb _pthread_body 18 0x7fff5b3da249 _pthread_start 19 0x7fff5b3d640d thread_start Roughly what seems to happen here is that during structure check hoisting, the structure check for the Uint32Array is moved to the beginning of the function and is replaced with a CheckStructureOrEmpty node (presumably due to the addition variable v5). Afterwards, AI types the argument as `Uint32Array | Empty`. This doesn't change until SpeculativeJIT lowering at which point the assertion triggers as the type of the input should just be `Uint32Array` but still is `Uint32Array | Empty`. However, I don't think the empty value can occur at this point in the program (an argument to a function). Moreover, even if it did this would probably only result in a nullpointer dereference. I'm reporting this as a security bug just in case I'm missing something here, but I do not believe this bug to be exploitable. 1554662 1 webkit-bug-importer 2019-07-22 02:44:16 -0700 <rdar://problem/53388642> 1558225 2 saam 2019-08-02 17:36:48 -0700 Thanks for the report. This is not a security issue. Our static analysis in AI is conservative, the bug here is we're asserting that AI is precise. We shouldn't assert such things. 1558477 3 375534 msaboff 2019-08-05 10:41:48 -0700 Created attachment 375534 Patch 1558482 4 ysuzuki 2019-08-05 11:00:23 -0700 r=me too. 1558499 5 darin 2019-08-05 11:47:45 -0700 Since this is not a security issue, should we move it out of the security-sensitive component? 1558514 6 msaboff 2019-08-05 13:02:53 -0700 Committed r248271: <https://trac.webkit.org/changeset/248271> 375534 2019-08-05 10:41:48 -0700 2019-08-05 10:55:35 -0700 Patch 199997.patch text/plain 3757 msaboff SW5kZXg6IEpTVGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEpTVGVzdHMvQ2hhbmdlTG9n CShyZXZpc2lvbiAyNDgyNzApCisrKyBKU1Rlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpA QCAtMSwzICsxLDE2IEBACisyMDE5LTA4LTA1ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBw bGUuY29tPgorCisgICAgICAgIEpTQzogYXNzZXJ0aW9uIGZhaWx1cmUgaW4gU3BlY3VsYXRpdmVK SVQ6OmNvbXBpbGVHZXRCeVZhbE9uSW50VHlwZWRBcnJheQorICAgICAgICBodHRwczovL2J1Z3Mu d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTk5OTk3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkg Tk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTmV3IHRlc3QuCisKKyAgICAgICAgKiBzdHJlc3Mv dHlwZWRhcnJheS1uby1hbHJlYWR5Q2hlY2tlZC1hc3NlcnQuanM6IEFkZGVkLgorICAgICAgICAo Y2hlY2tJbnRBcnJheSk6CisgICAgICAgIChjaGVja0Zsb2F0QXJyYXkpOgorCiAyMDE5LTA4LTAy ICBZdXN1a2UgU3V6dWtpICA8eXN1enVraUBhcHBsZS5jb20+CiAKICAgICAgICAgW0pTQ10gU3Vw cG9ydCBXZWJBc3NlbWJseSBpbiBTYW1wbGluZ1Byb2ZpbGVyCkluZGV4OiBKU1Rlc3RzL3N0cmVz cy90eXBlZGFycmF5LW5vLWFscmVhZHlDaGVja2VkLWFzc2VydC5qcwo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBK U1Rlc3RzL3N0cmVzcy90eXBlZGFycmF5LW5vLWFscmVhZHlDaGVja2VkLWFzc2VydC5qcwkobm9u ZXhpc3RlbnQpCisrKyBKU1Rlc3RzL3N0cmVzcy90eXBlZGFycmF5LW5vLWFscmVhZHlDaGVja2Vk LWFzc2VydC5qcwkod29ya2luZyBjb3B5KQpAQCAtMCwwICsxLDI2IEBACisvLyBUaGlzIHRlc3Qg c2hvdWxkIG5vdCBjYXVzZSBhbiBBU1NFUlQgaW4gRGVidWcgYnVpbGRzLgorCitmdW5jdGlvbiBj aGVja0ludEFycmF5KGFycikgeworICAgIGxldCB4ID0gYXJyOworICAgIGFyciBpbnN0YW5jZW9m IFVpbnQzMkFycmF5OworICAgIGFycls2NTUzN107CisgICAgeFswXTsKK30KKworZnVuY3Rpb24g Y2hlY2tGbG9hdEFycmF5KGFycikgeworICAgIGxldCB4ID0gYXJyOworICAgIGFyciBpbnN0YW5j ZW9mIEZsb2F0NjRBcnJheTsKKyAgICBhcnJbNjU1MzddOworICAgIHhbMF07Cit9CisKKwordmFy IGludEFycmF5ID0gbmV3IFVpbnQzMkFycmF5KDEwMjQpOworZm9yIChsZXQgaSA9IDA7IGkgPCAx MDAwMDsgaSsrKQorICAgIGNoZWNrSW50QXJyYXkoaW50QXJyYXkpOworCit2YXIgZmxvYXRBcnJh eSA9IG5ldyBGbG9hdDY0QXJyYXkoMTAyNCk7Citmb3IgKGxldCBpID0gMDsgaSA8IDEwMDAwOyBp KyspCisgICAgY2hlY2tGbG9hdEFycmF5KGZsb2F0QXJyYXkpOworCisKSW5kZXg6IFNvdXJjZS9K YXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRD b3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjQ4MjcwKQorKysgU291cmNlL0phdmFTY3JpcHRDb3Jl L0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIwIEBACisyMDE5LTA4LTA1ICBN aWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAgICAgIEpTQzogYXNzZXJ0 aW9uIGZhaWx1cmUgaW4gU3BlY3VsYXRpdmVKSVQ6OmNvbXBpbGVHZXRCeVZhbE9uSW50VHlwZWRB cnJheQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTk5 OTk3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTm8g bmVlZCB0byBBU1NFUlQobm9kZS0+YXJyYXlNb2RlKCkuYWxyZWFkeUNoZWNrZWQoLi4uKSkgaW4g U3BlY3VsYXRpdmVKSVQ6OmNvbXBpbGVHZXRCeVZhbE9uSW50VHlwZWRBcnJheSgpCisgICAgICAg IGFuZCBjb21waWxlR2V0QnlWYWxPbkZsb2F0VHlwZWRBcnJheSgpIGFzIHRoZSBhYnN0cmFjdCBp bnRlcnByZXRlciBpcyBjb25zZXJ2YXRpdmUgYW5kIGNhbiBpbnNlcnQgYQorICAgICAgICBDaGVj a1N0cnVjdHVyZU9yRW1wdHkgd2hpY2ggd2lsbCBmYWlsIHRoZSBBU1NFUlQgYXMgaXQgY2hlY2tz IGZvciB0aGUgU3BlY1R5cGUgb2YgdGhlIGFycmF5CisgICAgICAgIGFuZCBub3QgZm9yIFNwZWNF bXB0eS4gIElmIHdlIGFkZGVkIGEgY2hlY2sgZm9yIHRoZSBTcGVjRW1wdHkgaW4gdGhlIEFTU0VS VCwgdGhlcmUgYXJlIGNhc2VzIHdoZXJlCisgICAgICAgIGl0IHdvbid0IGJlIHNldC4KKworICAg ICAgICAqIGRmZy9ERkdTcGVjdWxhdGl2ZUpJVC5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6U3Bl Y3VsYXRpdmVKSVQ6OmNvbXBpbGVHZXRCeVZhbE9uSW50VHlwZWRBcnJheSk6CisgICAgICAgIChK U0M6OkRGRzo6U3BlY3VsYXRpdmVKSVQ6OmNvbXBpbGVHZXRCeVZhbE9uRmxvYXRUeXBlZEFycmF5 KToKKwogMjAxOS0wOC0wMyAgRGV2aW4gUm91c3NvICA8ZHJvdXNzb0BhcHBsZS5jb20+CiAKICAg ICAgICAgV2ViIEluc3BlY3RvcjogRE9NOiBhZGQgYSBzcGVjaWFsIGJyZWFrcG9pbnQgZm9yICJB bGwgRXZlbnRzIgpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2 ZUpJVC5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVj dWxhdGl2ZUpJVC5jcHAJKHJldmlzaW9uIDI0ODI3MCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29y ZS9kZmcvREZHU3BlY3VsYXRpdmVKSVQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0yOTYzLDggKzI5 NjMsNiBAQCB2b2lkIFNwZWN1bGF0aXZlSklUOjpjb21waWxlR2V0QnlWYWxPbkluCiAgICAgR1BS VGVtcG9yYXJ5IHJlc3VsdCh0aGlzKTsKICAgICBHUFJSZWcgcmVzdWx0UmVnID0gcmVzdWx0Lmdw cigpOwogCi0gICAgQVNTRVJUKG5vZGUtPmFycmF5TW9kZSgpLmFscmVhZHlDaGVja2VkKG1faml0 LmdyYXBoKCksIG5vZGUsIG1fc3RhdGUuZm9yTm9kZShtX2dyYXBoLnZhckFyZ0NoaWxkKG5vZGUs IDApKSkpOwotCiAgICAgZW1pdFR5cGVkQXJyYXlCb3VuZHNDaGVjayhub2RlLCBiYXNlUmVnLCBw cm9wZXJ0eVJlZyk7CiAgICAgbG9hZEZyb21JbnRUeXBlZEFycmF5KHN0b3JhZ2VSZWcsIHByb3Bl cnR5UmVnLCByZXN1bHRSZWcsIHR5cGUpOwogICAgIGJvb2wgY2FuU3BlY3VsYXRlID0gdHJ1ZTsK QEAgLTMxOTMsOCArMzE5MSw2IEBAIHZvaWQgU3BlY3VsYXRpdmVKSVQ6OmNvbXBpbGVHZXRCeVZh bE9uRmwKICAgICBHUFJSZWcgcHJvcGVydHlSZWcgPSBwcm9wZXJ0eS5ncHIoKTsKICAgICBHUFJS ZWcgc3RvcmFnZVJlZyA9IHN0b3JhZ2UuZ3ByKCk7CiAKLSAgICBBU1NFUlQobm9kZS0+YXJyYXlN b2RlKCkuYWxyZWFkeUNoZWNrZWQobV9qaXQuZ3JhcGgoKSwgbm9kZSwgbV9zdGF0ZS5mb3JOb2Rl KG1fZ3JhcGgudmFyQXJnQ2hpbGQobm9kZSwgMCkpKSk7Ci0KICAgICBGUFJUZW1wb3JhcnkgcmVz dWx0KHRoaXMpOwogICAgIEZQUlJlZyByZXN1bHRSZWcgPSByZXN1bHQuZnByKCk7CiAgICAgZW1p dFR5cGVkQXJyYXlCb3VuZHNDaGVjayhub2RlLCBiYXNlUmVnLCBwcm9wZXJ0eVJlZyk7Cg==