Bug 228075

Summary: [JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance
Product: WebKit Reporter: Frédéric Wang (:fredw) <fred.wang>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cgarcia, ews-watchlist, gpoo, keith_miller, mark.lam, msaboff, pmatos, product-security, rbuis, rmorisset, rniwa, saam, svillar, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Testcase
none
Patch none

Frédéric Wang (:fredw)
Reported 2021-07-19 01:32:59 PDT
See attached testcase and error message below. Reproduced with JSC on ASAN release builds r280021, for both Linux and macos. ASSERTION FAILED: instanceofIndex != notFound ./runtime/ExceptionHelpers.cpp(222) : WTF::String JSC::invalidParameterInstanceofSourceAppender(const WTF::String &, const WTF::String &, const WTF::String &, JSC::RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred) 1 0x10104f9b4 WTFCrash 2 0x103ac7714 WTFCrashWithInfo(int, char const*, char const*, int) 3 0x106e96e28 JSC::invalidParameterInstanceofSourceAppender(WTF::String const&, WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred) 4 0x106e8d214 JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred) 5 0x106e744c4 JSC::appendSourceToErrorMessage(JSC::CallFrame*, JSC::ErrorInstance*, JSC::BytecodeIndex, WTF::String const&) 6 0x106e737f0 JSC::ErrorInstance::finishCreation(JSC::VM&, JSC::JSGlobalObject*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) 7 0x106b5a780 JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, JSC::ErrorType, bool) 8 0x106e68c00 JSC::createTypeError(JSC::JSGlobalObject*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType) 9 0x106e8ba04 JSC::createError(JSC::JSGlobalObject*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) 10 0x106e8cf6c JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction(JSC::JSGlobalObject*, JSC::JSValue) 11 0x107340988 JSC::JSObject::hasInstance(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue) 12 0x107341ed8 JSC::JSObject::hasInstance(JSC::JSGlobalObject*, JSC::JSValue) 13 0x1070a3ec4 JSC::hasInstanceBoundFunction(JSC::JSGlobalObject*, JSC::CallFrame*) 14 0x11d8041b4 15 0x103b6a250 llint_entry 16 0x103b45168 vmEntryToJavaScript 17 0x10623d6b8 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 18 0x10623ae00 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 19 0x106dbc4cc JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 20 0x1008b8704 runWithOptions(GlobalObject*, CommandLine&, bool&) 21 0x10081570c jscmain(int, char**)::$_8::operator()(JSC::VM&, GlobalObject*, bool&) const 22 0x10079c484 int runJSC<jscmain(int, char**)::$_8>(CommandLine const&, bool, jscmain(int, char**)::$_8 const&) 23 0x10079671c jscmain(int, char**) 24 0x100795ec0 main 25 0x189dc1450 start
Attachments
Testcase (154 bytes, application/x-javascript)
2021-07-19 01:41 PDT, Frédéric Wang (:fredw) 		no flags
Details
Patch (3.54 KB, patch)
2021-07-20 03:42 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-07-19 01:33:18 PDT
<rdar://problem/80762879>
Frédéric Wang (:fredw)
Comment 2 2021-07-19 01:41:09 PDT
Created attachment 433776 [details] Testcase Sorry, I forgot to attach the testcase.
Frédéric Wang (:fredw)
Comment 3 2021-07-19 02:24:33 PDT
This is happening when JSC appends a source error. The invalidParameterInstanceofSourceAppender function expects the the sourceText to contain the string "instanceof", which is not the case here: 222 RELEASE_ASSERT(instanceofIndex != notFound); (rr) p content.utf8().data() $1 = 0x607000005510 "[Symbol.hasInstance] is not a function, undefined, or null" (rr) p originalMessage.utf8().data() $2 = 0x608000004d30 "function [Symbol.hasInstance] is not a function, undefined, or null" (rr) p sourceText.utf8().data() $3 = 0x606000007c50 "Function.prototype[Symbol.hasInstance].call(b)" It does not seem a security issue.
Yusuke Suzuki
Comment 4 2021-07-20 03:30:32 PDT
Will look
Yusuke Suzuki
Comment 5 2021-07-20 03:33:06 PDT
Since this is release-assert, it is not a security issue.
Yusuke Suzuki
Comment 6 2021-07-20 03:42:15 PDT
Created attachment 433866 [details] Patch
Frédéric Wang (:fredw)
Comment 7 2021-07-20 04:19:07 PDT
Comment on attachment 433866 [details] Patch Thanks. I'm going to r+ this since I suspect many reviewers are on holidays and this change seems uncontroversial.
Yusuke Suzuki
Comment 8 2021-07-20 11:47:40 PDT
Comment on attachment 433866 [details] Patch Thanks!
EWS
Comment 9 2021-07-20 12:36:04 PDT
Committed r280097 (239814@main): <https://commits.webkit.org/239814@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 433866 [details].
Note You need to log in before you can comment on or make changes to this bug.