246405 2022-10-12 09:14:48 -0700 [JSC] Use storage node in ArrayPush for SlowPutArray 2022-10-12 14:49:41 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mikhail ysuzuki bfulgham webkit-bug-importer ysuzuki oldest_to_newest 1905079 0 462944 mikhail 2022-10-12 09:14:48 -0700 Created attachment 462944 Testcase Tested on linux intel 64 and ARMv7. $ ./WebKitBuild/Debug/bin/jsc bar.js --useConcurrentGC=0 --returnEarlyFromInfiniteLoopsForFuzzing=1 --earlyReturnFromInfiniteLoopsLimit=1000000 --verifyGC=true --forceGCSlowPaths=true --forceEagerCompilation=1 --jitPolicyScale=0 --useConcurrentJIT=0 ASSERTION FAILED: node() /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGEdge.h(82) : JSC::DFG::UseKind JSC::DFG::Edge::useKind() const Aborted (core dumped) Backtrace: #6 0x0000555555a440fd in JSC::DFG::Edge::useKind (this=0x7fffffff6738) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGEdge.h:82 #7 0x0000555555f2be73 in JSC::DFG::StorageOperand::emplace (this=0x7fffffff6a20, jit=0x555558bc4190, edge=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2048 #8 0x0000555555f03cc0 in JSC::DFG::StorageOperand::StorageOperand (this=0x7fffffff6a20, jit=0x555558bc4190, edge=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2016 #9 0x0000555555ec8f5b in JSC::DFG::SpeculativeJIT::compileGetArrayLength (this=0x555558bc4190, node=0x555558bd6c00) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:8702 #10 0x000055555605f403 in JSC::DFG::SpeculativeJIT::compile (this=0x555558bc4190, node=0x555558bd6c00) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4411 #11 0x0000555555e91097 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x555558bc4190) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2370 #12 0x0000555555ea4a66 in JSC::DFG::SpeculativeJIT::compile (this=0x555558bc4190) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2480 #13 0x0000555555c8c304 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffa808) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:182 #14 0x0000555555c8ef8e in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffa808) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:485 #15 0x0000555555d58729 in JSC::DFG::Plan::compileInThreadImpl (this=0x555558c0d1f0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:343 #16 0x000055555659287f in JSC::JITPlan::compileInThread (this=0x555558c0d1f0, thread=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITPlan.cpp:172 #17 0x00005555565fb007 in JSC::JITWorklist::enqueue (this=0x555558bc4010, plan=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITWorklist.cpp:84 #18 0x0000555555c10096 in JSC::DFG::compileImpl (vm=..., codeBlock=0x555558c23dc0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:90 #19 0x0000555555c0fc63 in JSC::DFG::compile (vm=..., codeBlock=0x555558c23dc0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:106 #20 0x0000555556571732 in operationOptimize (vmPointer=0x555558b3fd90, bytecodeIndexBits=0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/jit/JITOperations.cpp:2000 Found by Igalia Fuzzing Campaign. 1905080 1 webkit-bug-importer 2022-10-12 09:15:02 -0700 <rdar://problem/101081844> 1905081 2 mikhail 2022-10-12 09:15:57 -0700 Git bisect shows it was introduced by commit 8f662d8b6ea7f62e9c04fbeb9c9cafb15c7fbd91. 1905099 3 ysuzuki 2022-10-12 10:02:29 -0700 This is just a crash bug, so not a security issue. 1905100 4 mikhail 2022-10-12 10:05:19 -0700 It was aligned with us that all the fuzzing bugs should be opened as security bugs. I'm simply following what was agreed. 1905108 5 ysuzuki 2022-10-12 10:18:48 -0700 Pull request: https://github.com/WebKit/WebKit/pull/5292 1905171 6 ews-feeder 2022-10-12 14:49:39 -0700 Committed 255454@main (1b4792d4d366): <https://commits.webkit.org/255454@main> Reviewed commits have been landed. Closing PR #5292 and removing active labels. 462944 2022-10-12 09:14:48 -0700 2022-10-12 09:14:48 -0700 Testcase bar.js text/javascript 422 mikhail ZnVuY3Rpb24gcnVuTmVhclN0YWNrTGltaXQoKSB7CiAgX192XzIxID0gW10KICB0cnkgewogICAg dHJ5IHsKICAgICAgICBfX3ZfMjEucHVzaCgpfSBjYXRjaCB7fQogIH0gY2F0Y2gge30KfQpmdW5j dGlvbiBfX2ZfNigpIHsKICB0cnkgewogICAgICAgcnVuTmVhclN0YWNrTGltaXQoKQogIH0gY2F0 Y2gge30KfQp0cnkgewogIF9fZl82KCkKICBmb3IgKF9fdl8xOSA9IDA7IF9fdl8xOSA8IDEwOyAr K19fdl8xOSkKICAgIHRyeSB7CiAgICAgIE9iamVjdC5kZWZpbmVQcm9wZXJ0eShBcnJheS5wcm90 b3R5cGUsIF9fdl8xOSwge30pfSBjYXRjaCB7fQp9IGNhdGNoIHt9CmZ1bmN0aW9uIF9fZl8zMigp IHsKICB0cnkgewogICAgX19mXzYoKQogICAgICB9IGNhdGNoIHt9Cn0KdHJ5IHsKICBfX2ZfMzIo KQogIF9fZl8zMigpfSBjYXRjaCB7fQo=