Bug 170924

Summary:

ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender()

Product:

WebKit

Reporter:

Daniel Bates <dbates>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

benjamin, buildbot, commit-queue, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, rniwa, saam, ticaiolima, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Mac

OS:

macOS 10.12

Attachments:

Description	Flags
Test case	none
patch	none
patch	mark.lam: review+, buildbot: commit-queue-
Archive of layout-test-results from ews101 for mac-elcapitan	none
Archive of layout-test-results from ews106 for mac-elcapitan-wk2	none
Archive of layout-test-results from ews123 for ios-simulator-wk2	none
Archive of layout-test-results from ews112 for mac-elcapitan	none
patch for landing	buildbot: commit-queue-
patch for landing	none

Daniel Bates

Reported 2017-04-17 16:06:26 PDT

1. Create a page xss.php with the following markup that can be served from an HTTP server: <script>var q="<?php echo $_GET['q']; ?>"</script> 2. Access the page at <http://127.0.0.1/xss.php?q=%22i\u006E+alert(1)//>, modifying the URL as needed to access xss.php. Then the WebProcess will crash because the assertion RELEASE_ASSERT(inIndex != notFound) fails in JSC::invalidParameterInSourceAppender(). I am using a local build of Mac WebKit at r215419.

Attachments
Test case (44 bytes, text/html) 2017-04-19 16:15 PDT, Daniel Bates	no flags	Details
patch (7.43 KB, patch) 2017-04-25 19:19 PDT, Saam Barati	no flags	Details Formatted Diff Diff
patch (7.44 KB, patch) 2017-04-25 19:20 PDT, Saam Barati	mark.lam: review+ buildbot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from ews101 for mac-elcapitan (964.97 KB, application/zip) 2017-04-25 20:10 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews106 for mac-elcapitan-wk2 (1.04 MB, application/zip) 2017-04-25 20:19 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews123 for ios-simulator-wk2 (15.44 MB, application/zip) 2017-04-25 21:00 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews112 for mac-elcapitan (1.60 MB, application/zip) 2017-04-25 21:55 PDT, Build Bot	no flags	Details
patch for landing (15.07 KB, patch) 2017-04-26 14:56 PDT, Saam Barati	buildbot: commit-queue-	Details Formatted Diff Diff
patch for landing (15.96 KB, patch) 2017-04-26 16:07 PDT, Saam Barati	no flags	Details Formatted Diff Diff
Show Obsolete (7) View All Add attachment proposed patch, testcase, etc.

Daniel Bates

Comment 1 2017-04-17 16:34:28 PDT

ASSERTION FAILED: inIndex != notFound /Volumes/Data/WebKitDevGit/OpenSource/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp(208) : WTF::String JSC::invalidParameterInSourceAppender(const WTF::String &, const WTF::String &, JSC::RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred) 1 0x109b6a00d WTFCrash 2 0x1091ef117 JSC::invalidParameterInSourceAppender(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred) 3 0x1091e6f65 JSC::appendSourceToError(JSC::ExecState*, JSC::ErrorInstance*, unsigned int) 4 0x1091e6c9e JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) 5 0x1091e1efa JSC::ErrorInstance::create(JSC::ExecState*, JSC::VM&, JSC::Structure*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) 6 0x1091e242a JSC::createTypeError(JSC::ExecState*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType) 7 0x1091eed6b JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) 8 0x1091eefce JSC::createInvalidInParameterError(JSC::ExecState*, JSC::JSValue) 9 0x108ccb710 JSC::CommonSlowPaths::opIn(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::ArrayProfile*) 10 0x108ccb549 slow_path_in 11 0x1096ced82 llint_entry 12 0x1096c86fe vmEntryToJavaScript 13 0x10949e89e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 14 0x10945009f JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) 15 0x108cdb028 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 16 0x108cdb1f0 JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 17 0x110243e1b WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 18 0x110243c08 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) 19 0x110243efd WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) 20 0x110259b42 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) 21 0x110257f8f WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) 22 0x10e9dba60 WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) 23 0x10e9db8cf WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement>&&, WTF::TextPosition const&) 24 0x10e902b72 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() 25 0x10e9030d3 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) 26 0x10e901e18 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 27 0x10e90196b WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) 28 0x10e9043da WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) 29 0x10e2dec22 WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) 30 0x10e424b79 WebCore::DocumentWriter::addData(char const*, unsigned long) 31 0x10e3d866f WebCore::DocumentLoader::commitData(char const*, unsigned long)

Daniel Bates

Comment 2 2017-04-19 16:15:55 PDT

Created attachment 307519 [details] Test case For convenience, attached test case that represents the rendered output of the web page shown by following the reproduction steps.

Radar WebKit Bug Importer

Comment 3 2017-04-19 16:53:04 PDT

<rdar://problem/31721052>

Saam Barati

Comment 4 2017-04-19 17:15:49 PDT

This is a silly bug. And should be an easy fix. The code I wrote searches for the string "in", however, we parse various Unicode characters as "n". So the test program is parsed as an "in" expression, but we don't find the string "in" (obviously, because the source does not have the character "n" in it)

Saam Barati

Comment 5 2017-04-25 19:19:41 PDT

Created attachment 308190 [details] patch

Saam Barati

Comment 6 2017-04-25 19:20:47 PDT

Created attachment 308191 [details] patch

Build Bot

Comment 7 2017-04-25 19:59:02 PDT

Comment on attachment 308191 [details] patch Attachment 308191 [details] did not pass jsc-ews (mac): Output: http://webkit-queues.webkit.org/results/3606661 New failing tests: stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit-b3o1 jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-ftl-no-cjit stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-inline-validate jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-put-stack-validate stress/destructuring-assignment-accepts-iterables.js.no-cjit-collect-continuously stress/destructuring-assignment-accepts-iterables.js.no-ftl stress/destructuring-assignment-accepts-iterables.js.no-llint stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-small-pool jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-no-llint stress/destructuring-assignment-accepts-iterables.js.dfg-eager jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-ftl-eager-no-cjit stress/destructuring-assignment-accepts-iterables.js.dfg-maximal-flush-validate-no-cjit jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-no-ftl jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-dfg-eager-no-cjit stress/destructuring-assignment-accepts-iterables.js.default stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit stress/destructuring-assignment-accepts-iterables.js.ftl-eager stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-b3o1 jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-no-cjit stress/destructuring-assignment-accepts-iterables.js.dfg-eager-no-cjit-validate stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-validate-sampling-profiler stress/destructuring-assignment-accepts-iterables.js.no-cjit-validate-phases

Mark Lam

Comment 8 2017-04-25 20:00:13 PDT

Comment on attachment 308191 [details] patch LGTM. Please fix EWS issues.

Build Bot

Comment 9 2017-04-25 20:10:37 PDT

Comment on attachment 308191 [details] patch Attachment 308191 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/3606743 New failing tests: imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html js/let-syntax.html imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html

Build Bot

Comment 10 2017-04-25 20:10:38 PDT

Created attachment 308195 [details] Archive of layout-test-results from ews101 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-elcapitan Platform: Mac OS X 10.11.6

Build Bot

Comment 11 2017-04-25 20:19:36 PDT

Comment on attachment 308191 [details] patch Attachment 308191 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/3606771 New failing tests: imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html js/let-syntax.html imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html

Build Bot

Comment 12 2017-04-25 20:19:38 PDT

Created attachment 308197 [details] Archive of layout-test-results from ews106 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6

Build Bot

Comment 13 2017-04-25 21:00:32 PDT

Comment on attachment 308191 [details] patch Attachment 308191 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/3606854 New failing tests: imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html js/let-syntax.html imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html

Build Bot

Comment 14 2017-04-25 21:00:34 PDT

Created attachment 308206 [details] Archive of layout-test-results from ews123 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews123 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6

Build Bot

Comment 15 2017-04-25 21:55:32 PDT

Comment on attachment 308191 [details] patch Attachment 308191 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/3607284 New failing tests: imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html js/let-syntax.html imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html

Build Bot

Comment 16 2017-04-25 21:55:33 PDT

Created attachment 308212 [details] Archive of layout-test-results from ews112 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews112 Port: mac-elcapitan Platform: Mac OS X 10.11.6

Saam Barati

Comment 17 2017-04-26 12:41:52 PDT

Will rebaseline the failing tests.

Saam Barati

Comment 18 2017-04-26 14:56:47 PDT

Created attachment 308289 [details] patch for landing

Build Bot

Comment 19 2017-04-26 15:34:26 PDT

Comment on attachment 308289 [details] patch for landing Attachment 308289 [details] did not pass jsc-ews (mac): Output: http://webkit-queues.webkit.org/results/3613184 New failing tests: stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-put-stack-validate stress/destructuring-assignment-accepts-iterables.js.dfg-eager stress/destructuring-assignment-accepts-iterables.js.ftl-eager stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-b3o1 stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit-b3o1 stress/destructuring-assignment-accepts-iterables.js.no-cjit-collect-continuously stress/destructuring-assignment-accepts-iterables.js.dfg-maximal-flush-validate-no-cjit stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-inline-validate stress/destructuring-assignment-accepts-iterables.js.dfg-eager-no-cjit-validate stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit stress/destructuring-assignment-accepts-iterables.js.no-ftl stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-validate-sampling-profiler stress/destructuring-assignment-accepts-iterables.js.no-cjit-validate-phases stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-small-pool stress/destructuring-assignment-accepts-iterables.js.default stress/destructuring-assignment-accepts-iterables.js.no-llint

Saam Barati

Comment 20 2017-04-26 16:07:09 PDT

Created attachment 308300 [details] patch for landing edited some more error messages

WebKit Commit Bot

Comment 21 2017-04-26 19:28:42 PDT

Comment on attachment 308300 [details] patch for landing Clearing flags on attachment: 308300 Committed r215852: <http://trac.webkit.org/changeset/215852>

WebKit Commit Bot

Comment 22 2017-04-26 19:28:45 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.