260908 2023-08-30 09:21:58 -0700 [JSC][32 bit] Crash in DFG when compiling TypedArray intrinsic getter with conflicting value profile 2023-08-31 11:17:18 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 joseph.j.griego webkit-unassigned webkit-bug-importer oldest_to_newest 1974467 0 joseph.j.griego 2023-08-30 09:21:58 -0700 On 32-bit, some DFG intrinsic getters are fallible--if the SpeculatedType does not match our expectations; however, in `ByteCodeParser::handleGetById`, we seem not to handle this possibility--the following program demonstrates this problem and crashes with a segfault on armv7: function foo(x) { return x.byteLength } var arr = new Uint8Array(42); var bad = {}; for (var i = 0; i < 1e6; i++) { if (null != foo(Object.create(bad))) { throw new Error(); } } bad.byteLength = 42; for (var i = 0; i < 1e6; i++) { if (42 != foo(arr)) { throw new Error(); } } and in the debugger we see: jgriego@devbox-armhf-1:~/proj/webkit$ gdb --args _build/bin/jsc test.js GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git Copyright (C) 2021 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "arm-linux-gnueabihf". Type "show configuration" for configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from _build/bin/jsc... (gdb) r Starting program: /home/igalia/jgriego/proj/webkit/_build/bin/jsc test.js [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1". [New Thread 0xf37ff440 (LWP 3086765)] [New Thread 0xebdff440 (LWP 3086792)] [New Thread 0xeb5fe440 (LWP 3086793)] [New Thread 0xeadfd440 (LWP 3086794)] [New Thread 0xea5fc440 (LWP 3086795)] [New Thread 0xe9dfb440 (LWP 3086796)] [New Thread 0xe95fa440 (LWP 3086797)] [New Thread 0xe8df9440 (LWP 3086798)] Thread 1 "jsc" received signal SIGSEGV, Segmentation fault. 0xf5c67fc8 in WTF::Vector<JSC::CallVariant, 1u, WTF::CrashOnOverflow, 16u, WTF::FastMalloc>::size (this=0x0) at /home/igalia/jgriego/proj/webkit/_build/WTF/Headers/wtf/Vector.h:764 764 size_t size() const { return m_size; } (gdb) bt #0 0xf5c67fc8 in WTF::Vector<JSC::CallVariant, 1u, WTF::CrashOnOverflow, 16u, WTF::FastMalloc>::size (this=0x0) at /home/igalia/jgriego/proj/webkit/_build/WTF/Headers/wtf/Vector.h:764 #1 0xf5c67f58 in WTF::Vector<JSC::CallVariant, 1u, WTF::CrashOnOverflow, 16u, WTF::FastMalloc>::Vector (this=0xfffe9a2c, other=...) at /home/igalia/jgriego/proj/webkit/_build/WTF/Headers/wtf/Vector.h:964 #2 0xf5c64e38 in JSC::CallLinkStatus::CallLinkStatus (this=0xfffe9a2c) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/bytecode/CallLinkStatus.h:44 #3 0xf5e5306a in JSC::DFG::ByteCodeParser::handleGetById (this=0xfffed32c, destination=..., prediction=2207613190144, base=0xf2e81ba0, identifier=..., identifierNumber=0, getByStatus=..., type=JSC::AccessType::GetById, osrExitIndex=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4818 #4 0xf5ed5d56 in JSC::DFG::ByteCodeParser::parseGetById<JSC::OpGetById> (this=0xfffed32c, currentInstruction=0xf2eb44b7) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:5374 #5 0xf5e6061a in JSC::DFG::ByteCodeParser::parseBlock (this=0xfffed32c, limit=14) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6580 #6 0xf5e741a6 in JSC::DFG::ByteCodeParser::parseCodeBlock (this=0xfffed32c) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:8844 #7 0xf5e746d6 in JSC::DFG::ByteCodeParser::parse (this=0xfffed32c) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:9046 #8 0xf5e75266 in JSC::DFG::parse (graph=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:9182 #9 0xf60ae650 in JSC::DFG::Plan::compileInThreadImpl (this=0xf2ea12f0) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGPlan.cpp:201 #10 0xf66829a8 in JSC::JITPlan::compileInThread (this=0xf2ea12f0, thread=0x0) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/JITPlan.cpp:172 #11 0xf6720b00 in JSC::JITWorklist::enqueue (this=0xf2ec5288, plan=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/JITWorklist.cpp:84 #12 0xf5fc08e0 in JSC::DFG::compileImpl (vm=..., codeBlock=0xf06afdc0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:90 #13 0xf5fc09ac in JSC::DFG::compile (vm=..., codeBlock=0xf06afdc0, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., mustHandleValues=..., callback=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:106 #14 0xf667a7d6 in JSC::operationOptimize (vmPointer=0xf0cf5000, bytecodeIndexBits=0) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/jit/JITOperations.cpp:2028 #15 0xf0dff87a in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) frame 3 #3 0xf5e5306a in JSC::DFG::ByteCodeParser::handleGetById (this=0xfffed32c, destination=..., prediction=2207613190144, base=0xf2e81ba0, identifier=..., identifierNumber=0, getByStatus=..., type=JSC::AccessType::GetById, osrExitIndex=...) at /home/igalia/jgriego/proj/webkit/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4818 4818 getter, numberOfParameters - 1, registerOffset, *variant.callLinkStatus(), prediction); (gdb) p variant.callLinkStatus() $1 = (JSC::CallLinkStatus *) 0x0 (gdb) p/x prediction $2 = 0x20200000000 (gdb) p variant.intrinsic() [Thread 0xebdff440 (LWP 3086792) exited] [Thread 0xea5fc440 (LWP 3086795) exited] $3 = JSC::TypedArrayByteLengthIntrinsic * * * To fix, I propose we add code to generate an ordinary GetById node if the code generation for the intrinsic fails; I'll send a patch to this effect shortly. 1974486 1 joseph.j.griego 2023-08-30 10:34:51 -0700 Pull request: https://github.com/WebKit/WebKit/pull/17232 1974774 2 ews-feeder 2023-08-31 11:16:50 -0700 Committed 267511@main (7a9106c7a56f): <https://commits.webkit.org/267511@main> Reviewed commits have been landed. Closing PR #17232 and removing active labels. 1974775 3 webkit-bug-importer 2023-08-31 11:17:18 -0700 <rdar://problem/114775615>