Bug 228075

Summary: [JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance
Product: WebKit
Reporter: Frédéric Wang (:fredw) <fred.wang>
Component: JavaScriptCore
Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, cgarcia, ews-watchlist, gpoo, keith_miller, mark.lam, msaboff, pmatos, product-security, rbuis, rmorisset, rniwa, saam, svillar, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Testcase (flags: none), Patch (flags: none)

Description Frédéric Wang (:fredw) 2021-07-19 01:32:59 PDT
See attached testcase and error message below.
Reproduced with JSC on ASAN release builds r280021, for both Linux and macOS.

ASSERTION FAILED: instanceofIndex != notFound
./runtime/ExceptionHelpers.cpp(222) : WTF::String JSC::invalidParameterInstanceofSourceAppender(const WTF::String &, const WTF::String &, const WTF::String &, JSC::RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred)
1   0x10104f9b4 WTFCrash
2   0x103ac7714 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x106e96e28 JSC::invalidParameterInstanceofSourceAppender(WTF::String const&, WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)
4   0x106e8d214 JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)
5   0x106e744c4 JSC::appendSourceToErrorMessage(JSC::CallFrame*, JSC::ErrorInstance*, JSC::BytecodeIndex, WTF::String const&)
6   0x106e737f0 JSC::ErrorInstance::finishCreation(JSC::VM&, JSC::JSGlobalObject*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool)
7   0x106b5a780 JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, JSC::ErrorType, bool)
8   0x106e68c00 JSC::createTypeError(JSC::JSGlobalObject*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType)
9   0x106e8ba04 JSC::createError(JSC::JSGlobalObject*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
10  0x106e8cf6c JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction(JSC::JSGlobalObject*, JSC::JSValue)
11  0x107340988 JSC::JSObject::hasInstance(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)
12  0x107341ed8 JSC::JSObject::hasInstance(JSC::JSGlobalObject*, JSC::JSValue)
13  0x1070a3ec4 JSC::hasInstanceBoundFunction(JSC::JSGlobalObject*, JSC::CallFrame*)
14  0x11d8041b4
15  0x103b6a250 llint_entry
16  0x103b45168 vmEntryToJavaScript
17  0x10623d6b8 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
18  0x10623ae00 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
19  0x106dbc4cc JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
20  0x1008b8704 runWithOptions(GlobalObject*, CommandLine&, bool&)
21  0x10081570c jscmain(int, char**)::$_8::operator()(JSC::VM&, GlobalObject*, bool&) const
22  0x10079c484 int runJSC<jscmain(int, char**)::$_8>(CommandLine const&, bool, jscmain(int, char**)::$_8 const&)
23  0x10079671c jscmain(int, char**)
24  0x100795ec0 main
25  0x189dc1450 start
Comment 1 Radar WebKit Bug Importer 2021-07-19 01:33:18 PDT
<rdar://problem/80762879>
Comment 2 Frédéric Wang (:fredw) 2021-07-19 01:41:09 PDT
Created attachment 433776 [details]
Testcase

Sorry, I forgot to attach the testcase.
Comment 3 Frédéric Wang (:fredw) 2021-07-19 02:24:33 PDT
This is happening when JSC appends a source error.

The invalidParameterInstanceofSourceAppender function expects the sourceText to contain the string "instanceof", which is not the case here:

222	    RELEASE_ASSERT(instanceofIndex != notFound);
(rr) p content.utf8().data()
$1 = 0x607000005510 "[Symbol.hasInstance] is not a function, undefined, or null"
(rr) p originalMessage.utf8().data()
$2 = 0x608000004d30 "function [Symbol.hasInstance] is not a function, undefined, or null"
(rr) p sourceText.utf8().data()
$3 = 0x606000007c50 "Function.prototype[Symbol.hasInstance].call(b)"

It does not seem to be a security issue.
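As an added illustration (not JSC's code, and not the patch that landed on this bug), the simplified appender below mirrors the assumption Comment 3 describes: the helper expects `instanceof` to appear in the source text and, in the real code, release-asserted when it did not. Here the helper falls back to the original message when the token is absent, which is exactly what a direct `Function.prototype[Symbol.hasInstance].call(b)` produces. The struct, function name and enriched-message format are assumptions made for this example.

```cpp
#include <cstddef>
#include <string>

// Hypothetical stand-in for a JSC-style "source appender" (not JSC code).
// It receives the error message the engine already built plus the source
// text of the throwing expression, and tries to name the right-hand operand
// of `instanceof` in the message.
struct AppendResult {
    std::string message;
    bool enriched; // false when the appender kept the original message
};

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    std::size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos)
        return "";
    std::size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

AppendResult appendInstanceofSource(const std::string& originalMessage,
                                    const std::string& sourceText) {
    static const std::string token = "instanceof";
    std::size_t idx = sourceText.find(token);
    // The failure mode on this page: the real appender asserted here, but a
    // direct call such as `Function.prototype[Symbol.hasInstance].call(b)`
    // reaches the same error path with no `instanceof` in the source text.
    // Keep the unmodified message instead of taking the process down.
    if (idx == std::string::npos)
        return { originalMessage, false };

    std::string rhs = trim(sourceText.substr(idx + token.size()));
    // Strip trailing ')' or ';' so "(a instanceof b);" names "b", not "b);".
    while (!rhs.empty() && (rhs.back() == ')' || rhs.back() == ';'))
        rhs.pop_back();
    if (rhs.empty())
        return { originalMessage, false };

    return { originalMessage + " (right-hand side of instanceof was '" + rhs + "')", true };
}
```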
Comment 4 Yusuke Suzuki 2021-07-20 03:30:32 PDT
Will look
Comment 5 Yusuke Suzuki 2021-07-20 03:33:06 PDT
Since this is a release assert, it is not a security issue.
Comment 6 Yusuke Suzuki 2021-07-20 03:42:15 PDT
Created attachment 433866 [details]
Patch
Comment 7 Frédéric Wang (:fredw) 2021-07-20 04:19:07 PDT
Comment on attachment 433866 [details]
Patch

Thanks. I'm going to r+ this since I suspect many reviewers are on holidays and this change seems uncontroversial.
Comment 8 Yusuke Suzuki 2021-07-20 11:47:40 PDT
Comment on attachment 433866 [details]
Patch

Thanks!
Comment 9 EWS 2021-07-20 12:36:04 PDT
Committed r280097 (239814@main): <https://commits.webkit.org/239814@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433866 [details].