202624 2019-10-06 23:21:28 -0700 ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this, with __proto__ 2020-05-05 17:06:12 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build PC Linux RESOLVED DUPLICATE 200386 InRadar P2 Critical --- 1 hexiaoyu webkit-unassigned ddkilzer fpizlo mark.lam nth10sd saam webkit-bug-importer ysuzuki oldest_to_newest 1577291 0 380307 hexiaoyu 2019-10-06 23:21:28 -0700 Created attachment 380307 poc This is not a dupe of 202342 ======================================= ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this ../../Source/JavaScriptCore/runtime/JSObject.cpp(797) : bool JSC::JSObject::putInlineSlow(JSC::ExecState *, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot &) Aborted (core dumped) ======================================= OS: ubuntu 16.04 Configuration: --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt' git log: ======================================= commit 9188d0222391c558277ed74d037b7c9ef5719405 Author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> commit 9188d0222391c558277ed74d037b7c9ef5719405 Author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Date: Wed May 29 06:00:40 2019 +0000 [MSE][GStreamer] update the readyState correctly in MediaPlayerPrivateGStreamerMSE https://bugs.webkit.org/show_bug.cgi?id=197834 Patch by Yacine Bandou <yacine.bandou@softathome.com> on 2019-05-28 Reviewed by Xabier Rodriguez-Calvar. ==================== pass parameters： jsc poc 1577366 1 webkit-bug-importer 2019-10-07 09:09:15 -0700 <rdar://problem/56038268> 1643970 2 nth10sd 2020-04-21 12:36:57 -0700 I made some modifications to Robobisect v0.0.1 (available at https://github.com/nth10sd/robobisect) to find out the likely regressor (when the poc started crashing) and likely fix: ===================== | Robobisect report | ===================== Likely regressor: commit 043245b0ed35b36e177dc7f96df8deb6cdbb5465 Author: mcatanzaro </snip> Date: Sun Nov 25 18:22:30 2018 +0000 CRASH() should call abort() except on Darwin and in developer builds https://bugs.webkit.org/show_bug.cgi?id=184408 Reviewed by Daniel Bates. </snip> git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238478 268f45cc-cd09-0410-ab3c-d52691b4dbfc ===================== Likely fix: commit 17b927ea0dedded5de8356b366a60bf70c9bff45 Author: sbarati </snip> Date: Mon Sep 16 19:32:39 2019 +0000 JSObject::putInlineSlow should not ignore "__proto__" for Proxy https://bugs.webkit.org/show_bug.cgi?id=200386 <rdar://problem/53854946> Reviewed by Yusuke Suzuki. </snip> git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249911 268f45cc-cd09-0410-ab3c-d52691b4dbfc ===================== Saam/Yusuke, is bug 200386 a likely fix for this bug? Or is this possibly a dupe of bug 200386? 1643971 3 nth10sd 2020-04-21 12:43:42 -0700 Backtrace with git commit 043245b0ed35b36e177dc7f96df8deb6cdbb5465: #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007ffff6469801 in __GI_abort () at abort.c:79 #2 0x000055555788bc1b in JSC::JSObject::putInlineSlow (this=0x7fffb35c8280, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:769 #3 0x000055555707e39a in JSC::JSObject::putInlineForJSObject (cell=0x7fffb35c8280, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:245 #4 0x000055555707a16e in JSC::JSCell::putInline (this=0x7fffb35c8280, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:403 #5 0x000055555707d597 in JSC::JSValue::putInline (this=0x7fffffffca60, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:951 #6 0x00005555575f2ac9 in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7fffffffcc80, pc=0x7ffff3f8508b) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:851 #7 0x00005555575e151a in llint_entry () at DerivedSources/ForwardingHeaders/wtf/CagedPtr.h:50 #8 0x00005555575ebab6 in llint_entry () at DerivedSources/ForwardingHeaders/wtf/CagedPtr.h:50 #9 0x00005555575da4e2 in vmEntryToJavaScript () at DerivedSources/ForwardingHeaders/wtf/CagedPtr.h:50 #10 0x0000555557509bc0 in JSC::JITCode::execute (this=0x7ffff3f8a000, vm=0x7fffb3d00000, protoCallFrame=0x7fffffffcf30) at ../../Source/JavaScriptCore/jit/JITCodeInlines.h:38 #11 0x000055555750075d in JSC::Interpreter::executeProgram (this=0x7ffff3ffd270, source=..., callFrame=0x7fffb35e0048, thisObj=0x7fffb35a8080) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:832 #12 0x0000555557796661 in JSC::evaluate (exec=0x7fffb35e0048, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:106 #13 0x0000555556bcf037 in runWithOptions (globalObject=0x7fffb35e0000, options=..., success=@0x7fffffffdaaa: true) at ../../Source/JavaScriptCore/jsc.cpp:2460 #14 0x0000555556bd017e in <lambda(JSC::VM&, GlobalObject*, bool&)>::operator()(JSC::VM &, GlobalObject *, bool &) const (__closure=0x7fffffffdc18, globalObject=0x7fffb35e0000, success=@0x7fffffffdaaa: true) at ../../Source/JavaScriptCore/jsc.cpp:2864 #15 0x0000555556bd184d in runJSC<jscmain(int, char**)::<lambda(JSC::VM&, GlobalObject*, bool&)> >(CommandLine, bool, const <lambda(JSC::VM&, GlobalObject*, bool&)> &) (options=..., isWorker=false, func=...) at ../../Source/JavaScriptCore/jsc.cpp:2765 #16 0x0000555556bd0242 in jscmain (argc=2, argv=0x7fffffffdde8) at ../../Source/JavaScriptCore/jsc.cpp:2865 #17 0x0000555556bcdb26 in main (argc=2, argv=0x7fffffffdde8) at ../../Source/JavaScriptCore/jsc.cpp:2286 ===== On a recent git commit eb42a8967d53ebb95bd59b6d89662ac7fdf95a8b, the testcase only shows: Exception: SyntaxError: Invalid character '\u007f' instead of showing the assertion failure. 1643972 4 nth10sd 2020-04-21 12:44:34 -0700 The bug title can perhaps be changed to: ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this, with __proto__ but I don't yet have sufficient Bugzilla permissions. 1647125 5 ddkilzer 2020-04-29 13:15:40 -0700 Dupe of this? Bug 200386: JSObject::putInlineSlow should not ignore "__proto__" for Proxy 1649437 6 ysuzuki 2020-05-05 17:06:12 -0700 Yes, this is dupe of bug 200386. Put operation with __proto__ traverses Proxy's [[Prototype]] instead of calling Proxy's [[Put]], then state of Proxy's Structure and state of Structure chain got from Proxy's [[Prototype]] can be different, and assertion hits. *** This bug has been marked as a duplicate of bug 200386 *** 380307 2019-10-06 23:21:28 -0700 2019-10-06 23:21:28 -0700 poc 4.js text/javascript 383 hexiaoyu ZnVuY3Rpb24gbWFpbigpIHsKY29uc3QgdjEgPSBbMTMuMzcsMTMuMzcsMTMuMzddOwpjb25zdCB2 MyA9IFt2MSwxMzM3LDEzLjM3XTsKY29uc3QgdjQgPSB7Y29uc3RydWN0b3I6MTMzN307CmNvbnN0 IHY2ID0ge2dldFByb3RvdHlwZU9mOkFycmF5fTsKY29uc3QgdjggPSBuZXcgUHJveHkodjMsdjYp Owpmb3IgKGxldCB2MTIgPSAwOyB2MTIgPCAxMDA7IHYxMisrKSB7CiAgICB2NC5fX3Byb3RvX18g PSB2ODsKICAgIGNvbnN0IHYxNSA9IGFyZ3VtZW50cy5fX3Byb3RvX187CiAgICBjb25zdCB2MTcg PSBuZXcgUHJveHkodjE1LFJlZmxlY3QpOwogICAgY29uc3QgdjE5ID0gT2JqZWN0LnNlYWwodjE3 KTsKfQp9Cm5vREZHKG1haW4pOwpub0ZUTChtYWluKTsKbWFpbigpOwo=