Bug 211301

Summary: [JSC] FTLLowerDFGToB3.cpp - DFG ASSERTION FAILED: Bad array type
Product: WebKit
Reporter: Minh Tran <myoki.crystal>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: fpizlo, keith_miller, mark.lam, saam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Mac
OS: macOS 10.15
Attachments: crashes.zip (Flags: none)

Description Minh Tran 2020-05-01 10:32:34 PDT
Created attachment 398200 [details]
crashes.zip

First of all, I'm new to Bugzilla.
I looked into some previous bugs like #184773 and #208764, but I cannot find a pattern to submit this kind of bug.
I will try to follow the "bug writing guidelines".

Overview: DFG ASSERTION FAILED: Bad array type on several cases.

Steps to Reproduce:

1) Build Release with ASAN:
./Tools/Scripts/set-webkit-configuration --asan
./Tools/Scripts/build-webkit --jsc-only --release

2) Run JSC with JS file

Actual Results: JSC crashes with "DFG ASSERTION FAILED: Bad array type"

Expected Results: JSC should not crash.

Build Date & Hardware: commit@66c0e50302b9b28b931129d906e332cd6903dbab

Additional Information: These crashes were generated by fuzzilli with some additional tweaks.
Comment 1 Radar WebKit Bug Importer 2020-05-01 12:54:19 PDT
<rdar://problem/62743252>
Comment 2 Minh Tran 2020-05-04 13:04:47 PDT
I have about 69 more crashes with FTLLowerDFGToB3, some of which might not be FTL. Please reply if the WebKit team is interested in fixing this bug.
Comment 3 Saam Barati 2020-05-04 16:00:58 PDT
(In reply to Minh Tran from comment #2)
> I have about 69 more crashes with FTLLowerDFGToB3, some of which might not
> be FTL. Please reply if Webkit team is interested in fixing this bug.

Yeah, we're interested in any crashes you've found.
Comment 4 Saam Barati 2020-05-04 16:01:39 PDT
(In reply to Minh Tran from comment #2)
> I have about 69 more crashes with FTLLowerDFGToB3, some of which might not
> be FTL. Please reply if Webkit team is interested in fixing this bug.

Are they all the same crash?
Comment 5 Minh Tran 2020-05-05 04:10:41 PDT
(In reply to Saam Barati from comment #4)
> (In reply to Minh Tran from comment #2)
> > I have about 69 more crashes with FTLLowerDFGToB3, some of which might not
> > be FTL. Please reply if Webkit team is interested in fixing this bug.
> 
> Are they all the same crash?

Those crashes have different stack traces from each other, but they might come from the same root cause: ... -> compileNode -> compileGetArrayLength -> CRASH!!!

I believe that the DFG component mistreats these objects.
Comment 6 Minh Tran 2020-05-07 21:04:49 PDT
All of the crashes come from the same root cause. Here is a minimized crash:
```javascript
function f(){
for(v of Array.prototype){};
while(true){}
};
f()
```
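The reproducer above is shaped the way fuzzer-minimized JSC crashes usually are: one odd operation plus a hot loop. The following is an added example, not code from the bug report or from WebKit, that shows what the reproducer actually iterates over and gives a bounded variant that terminates, so it can be used as a regression check under node or jsc. Two assumptions that the page does not state: that Array.prototype's own `length` read inside the array iterator is the source of the GetArrayLength node named in comment 5, and that the `while (true) {}` exists only to keep `f()` hot so the JIT tiers it up.

```javascript
// Added example (not from the bug report or WebKit). Assumptions, not stated
// on the page: the iterator's length read is what reaches
// compileGetArrayLength, and `while (true) {}` in the reproducer is only
// there to make f() hot enough to tier up.

// Array.prototype is itself an Array exotic object per ECMAScript, so
// `for (v of Array.prototype)` goes through %ArrayIteratorPrototype%.next,
// which reads the array's length on every step. That is why an empty-looking
// loop over a prototype object still exercises array-length machinery.
function describeArrayPrototype() {
  return {
    isArray: Array.isArray(Array.prototype),              // true
    length: Array.prototype.length,                       // 0 unless mutated
    tag: Object.prototype.toString.call(Array.prototype), // "[object Array]"
  };
}

// Show that Array.prototype has real array length semantics: an index write
// past the end grows length, and truncating length deletes the element.
// This mutates global state, so it restores Array.prototype before returning.
function probeExoticLength() {
  const before = Array.prototype.length;
  Array.prototype[before] = "probe";      // index write one past the end
  const grown = Array.prototype.length;   // before + 1
  Array.prototype.length = before;        // truncation removes the element
  return {
    before,
    grown,
    restored: Array.prototype.length,
    elementRemoved: !(before in Array.prototype),
  };
}

// Same iteration pattern as the reproducer, but bounded instead of spinning
// forever. Returns how many values the iterator yielded across all rounds
// (0 on an unmodified Array.prototype). Running this under a debug jsc build
// is the shape of check one would use to confirm the fix in comment 7.
function iterateArrayPrototype(rounds) {
  let yielded = 0;
  for (let i = 0; i < rounds; i++) {
    for (const _ of Array.prototype) {
      yielded++;
    }
  }
  return yielded;
}
```

Keeping the iteration loop and only bounding the outer loop preserves the interesting part of the reproducer (iterating an Array exotic object that is normally empty) while making the script usable in a test suite.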
Comment 7 Keith Miller 2020-05-14 17:18:05 PDT
Hey, thanks for the bug! I think our internal testing also found this at the same time so I fixed it in: https://trac.webkit.org/changeset/261712. 

If you still see crashes like this, please feel free to reopen this or file a new bug.

*** This bug has been marked as a duplicate of bug 211914 ***
Comment 8 Minh Tran 2020-05-15 00:23:30 PDT

*** This bug has been marked as a duplicate of bug 211914 ***
Comment 9 Minh Tran 2020-05-15 00:29:57 PDT
(In reply to Minh Tran from comment #8)
> 
> *** This bug has been marked as a duplicate of bug 211914 ***

Sorry for re-editing the title. The latest patch is confirmed to fix this bug.
Should I submit similar bugs as security bug from now on?
Comment 10 Keith Miller 2020-05-27 09:21:33 PDT
(In reply to Minh Tran from comment #9)
> (In reply to Minh Tran from comment #8)
> > 
> > *** This bug has been marked as a duplicate of bug 211914 ***
> 
> Sorry for re-edit the title. The latest patch is confirmed to fix this bug.
> Should I submit similar bugs as security bug from now on?

Submitting as security is fine. It's better to err on the side of caution. 

Bugs don't need to be in security until some port has shipped that code since it's not really an exploit until then. However, figuring out if a port has shipped the bug, or if the bug is really a longstanding issue can be hard to figure out without diving into it.

I just like to move bugs out of security when we know it's not a security bug. That way, anyone looking at bug lists doesn't try to cherry-pick it into a security release or something.