Bug 211301

Summary: [JSC] FTLLowerDFGToB3.cpp - DFG ASSERTION FAILED: Bad array type
Product: WebKit Reporter: Minh Tran <myoki.crystal>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: fpizlo, keith_miller, mark.lam, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Mac   
OS: macOS 10.15   
Attachments:
Description Flags
crashes.zip none

Minh Tran
Reported 2020-05-01 10:32:34 PDT
Created attachment 398200 [details] crashes.zip First of all, I'm new to Bugzilla. I looked into some previous bug like #184773 and #208764 but I can not find a pattern to submit this kind of bug. I will try to follow the "bug writing guidelines". Overview: DFG ASSERTION FAILED: Bad array type on several cases. Steps to Reproduce: 1) Build Relaese with ASAN: ./Tools/Scripts/set-webkit-configuration --asan ./Tools/Scripts/build-webkit --jsc-only --release 2) Run JSC with JS file Actual Results: JSC crashes with "DFG ASSERTION FAILED: Bad array type" Expected Results: JSC should not crash. Build Date & Hardware: commit@66c0e50302b9b28b931129d906e332cd6903dbab Additional Information: This crashes were generated by fuzzilli with some additional tweak.
Attachments
crashes.zip (8.23 KB, application/zip)
2020-05-01 10:32 PDT, Minh Tran 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-05-01 12:54:19 PDT
<rdar://problem/62743252>
Minh Tran
Comment 2 2020-05-04 13:04:47 PDT
I have about 69 more crashes with FTLLowerDFGToB3, some of which might not be FTL. Please reply if Webkit team is interested in fixing this bug.
Saam Barati
Comment 3 2020-05-04 16:00:58 PDT
(In reply to Minh Tran from comment #2) > I have about 69 more crashes with FTLLowerDFGToB3, some of which might not > be FTL. Please reply if Webkit team is interested in fixing this bug. Yeah, we're interested in any crashes you've found.
Saam Barati
Comment 4 2020-05-04 16:01:39 PDT
(In reply to Minh Tran from comment #2) > I have about 69 more crashes with FTLLowerDFGToB3, some of which might not > be FTL. Please reply if Webkit team is interested in fixing this bug. Are they all the same crash?
Minh Tran
Comment 5 2020-05-05 04:10:41 PDT
(In reply to Saam Barati from comment #4) > (In reply to Minh Tran from comment #2) > > I have about 69 more crashes with FTLLowerDFGToB3, some of which might not > > be FTL. Please reply if Webkit team is interested in fixing this bug. > > Are they all the same crash? Those crash are different stack trace from each other, but it might come from the same root cause: ... -> compileNode -> compileGetArrayLength -> CRASH!!! I believe that the DFG component mistreat these objects.
Minh Tran
Comment 6 2020-05-07 21:04:49 PDT
All of the crashes come from the same root cause. Here is a minimized crash: ``` function f(){ for(v of Array.prototype){}; while(true){} }; f() ```
Keith Miller
Comment 7 2020-05-14 17:18:05 PDT
Hey, thanks for the bug! I think our internal testing also found this at the same time so I fixed it in: https://trac.webkit.org/changeset/261712. If you still see crashes like this, please feel free to reopen this or file a new bug. *** This bug has been marked as a duplicate of bug 211914 ***
Minh Tran
Comment 8 2020-05-15 00:23:30 PDT
*** This bug has been marked as a duplicate of bug 211914 ***
Minh Tran
Comment 9 2020-05-15 00:29:57 PDT
(In reply to Minh Tran from comment #8) > > *** This bug has been marked as a duplicate of bug 211914 *** Sorry for re-edit the title. The latest patch is confirmed to fix this bug. Should I submit similar bugs as security bug from now on?
Keith Miller
Comment 10 2020-05-27 09:21:33 PDT
(In reply to Minh Tran from comment #9) > (In reply to Minh Tran from comment #8) > > > > *** This bug has been marked as a duplicate of bug 211914 *** > > Sorry for re-edit the title. The latest patch is confirmed to fix this bug. > Should I submit similar bugs as security bug from now on? Submitting as security is fine. It's better to err on the side of caution. Bugs don't need to be in security until some port has shipped that code since it's not really an exploit until then. However, figuring out if a port has shipped the bug, or if the bug is really a longstanding issue can be hard to figure out without diving into it. I just like to move bugs out of security when we know it's not a security bug. That way, anyone looking at bug lists doesn't try to cherry-pick it into a security release or something.
Note You need to log in before you can comment on or make changes to this bug.