Bug 202624

Summary:

ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this, with __proto__

Product:

WebKit

Reporter:

rain <hexiaoyu>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Critical

CC:

ddkilzer, fpizlo, mark.lam, nth10sd, saam, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

OS:

Linux

Attachments:

Description	Flags
poc	none

rain

Reported 2019-10-06 23:21:28 PDT

Created attachment 380307 [details] poc This is not a dupe of 202342 ======================================= ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this ../../Source/JavaScriptCore/runtime/JSObject.cpp(797) : bool JSC::JSObject::putInlineSlow(JSC::ExecState *, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot &) Aborted (core dumped) ======================================= OS: ubuntu 16.04 Configuration: --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt' git log: ======================================= commit 9188d0222391c558277ed74d037b7c9ef5719405 Author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> commit 9188d0222391c558277ed74d037b7c9ef5719405 Author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Date: Wed May 29 06:00:40 2019 +0000 [MSE][GStreamer] update the readyState correctly in MediaPlayerPrivateGStreamerMSE https://bugs.webkit.org/show_bug.cgi?id=197834 Patch by Yacine Bandou <yacine.bandou@softathome.com> on 2019-05-28 Reviewed by Xabier Rodriguez-Calvar. ==================== pass parameters： jsc poc

Attachments
poc (383 bytes, text/javascript) 2019-10-06 23:21 PDT, rain	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2019-10-07 09:09:15 PDT

<rdar://problem/56038268>

Gary Kwong [:gkw] [:nth10sd]

Comment 2 2020-04-21 12:36:57 PDT

I made some modifications to Robobisect v0.0.1 (available at https://github.com/nth10sd/robobisect) to find out the likely regressor (when the poc started crashing) and likely fix: ===================== | Robobisect report | ===================== Likely regressor: commit 043245b0ed35b36e177dc7f96df8deb6cdbb5465 Author: mcatanzaro </snip> Date: Sun Nov 25 18:22:30 2018 +0000 CRASH() should call abort() except on Darwin and in developer builds https://bugs.webkit.org/show_bug.cgi?id=184408 Reviewed by Daniel Bates. </snip> git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238478 268f45cc-cd09-0410-ab3c-d52691b4dbfc ===================== Likely fix: commit 17b927ea0dedded5de8356b366a60bf70c9bff45 Author: sbarati </snip> Date: Mon Sep 16 19:32:39 2019 +0000 JSObject::putInlineSlow should not ignore "__proto__" for Proxy https://bugs.webkit.org/show_bug.cgi?id=200386 <rdar://problem/53854946> Reviewed by Yusuke Suzuki. </snip> git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249911 268f45cc-cd09-0410-ab3c-d52691b4dbfc ===================== Saam/Yusuke, is bug 200386 a likely fix for this bug? Or is this possibly a dupe of bug 200386?

Gary Kwong [:gkw] [:nth10sd]

Comment 3 2020-04-21 12:43:42 PDT

Backtrace with git commit 043245b0ed35b36e177dc7f96df8deb6cdbb5465: #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007ffff6469801 in __GI_abort () at abort.c:79 #2 0x000055555788bc1b in JSC::JSObject::putInlineSlow (this=0x7fffb35c8280, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:769 #3 0x000055555707e39a in JSC::JSObject::putInlineForJSObject (cell=0x7fffb35c8280, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:245 #4 0x000055555707a16e in JSC::JSCell::putInline (this=0x7fffb35c8280, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:403 #5 0x000055555707d597 in JSC::JSValue::putInline (this=0x7fffffffca60, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:951 #6 0x00005555575f2ac9 in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7fffffffcc80, pc=0x7ffff3f8508b) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:851 #7 0x00005555575e151a in llint_entry () at DerivedSources/ForwardingHeaders/wtf/CagedPtr.h:50 #8 0x00005555575ebab6 in llint_entry () at DerivedSources/ForwardingHeaders/wtf/CagedPtr.h:50 #9 0x00005555575da4e2 in vmEntryToJavaScript () at DerivedSources/ForwardingHeaders/wtf/CagedPtr.h:50 #10 0x0000555557509bc0 in JSC::JITCode::execute (this=0x7ffff3f8a000, vm=0x7fffb3d00000, protoCallFrame=0x7fffffffcf30) at ../../Source/JavaScriptCore/jit/JITCodeInlines.h:38 #11 0x000055555750075d in JSC::Interpreter::executeProgram (this=0x7ffff3ffd270, source=..., callFrame=0x7fffb35e0048, thisObj=0x7fffb35a8080) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:832 #12 0x0000555557796661 in JSC::evaluate (exec=0x7fffb35e0048, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:106 #13 0x0000555556bcf037 in runWithOptions (globalObject=0x7fffb35e0000, options=..., success=@0x7fffffffdaaa: true) at ../../Source/JavaScriptCore/jsc.cpp:2460 #14 0x0000555556bd017e in <lambda(JSC::VM&, GlobalObject*, bool&)>::operator()(JSC::VM &, GlobalObject *, bool &) const (__closure=0x7fffffffdc18, globalObject=0x7fffb35e0000, success=@0x7fffffffdaaa: true) at ../../Source/JavaScriptCore/jsc.cpp:2864 #15 0x0000555556bd184d in runJSC<jscmain(int, char**)::<lambda(JSC::VM&, GlobalObject*, bool&)> >(CommandLine, bool, const <lambda(JSC::VM&, GlobalObject*, bool&)> &) (options=..., isWorker=false, func=...) at ../../Source/JavaScriptCore/jsc.cpp:2765 #16 0x0000555556bd0242 in jscmain (argc=2, argv=0x7fffffffdde8) at ../../Source/JavaScriptCore/jsc.cpp:2865 #17 0x0000555556bcdb26 in main (argc=2, argv=0x7fffffffdde8) at ../../Source/JavaScriptCore/jsc.cpp:2286 ===== On a recent git commit eb42a8967d53ebb95bd59b6d89662ac7fdf95a8b, the testcase only shows: Exception: SyntaxError: Invalid character '\u007f' instead of showing the assertion failure.

Gary Kwong [:gkw] [:nth10sd]

Comment 4 2020-04-21 12:44:34 PDT

The bug title can perhaps be changed to: ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this, with __proto__ but I don't yet have sufficient Bugzilla permissions.

David Kilzer (:ddkilzer)

Comment 5 2020-04-29 13:15:40 PDT

Dupe of this? Bug 200386: JSObject::putInlineSlow should not ignore "__proto__" for Proxy

Yusuke Suzuki

Comment 6 2020-05-05 17:06:12 PDT

Yes, this is dupe of bug 200386. Put operation with __proto__ traverses Proxy's [[Prototype]] instead of calling Proxy's [[Put]], then state of Proxy's Structure and state of Structure chain got from Proxy's [[Prototype]] can be different, and assertion hits. *** This bug has been marked as a duplicate of bug 200386 ***

Note You need to log in before you can comment on or make changes to this bug.