Bug 252476

The following JavaScript program triggers an assertion failure in debug builds of JSC from current HEAD: const v0 = []; const v2 = WebAssembly.Tag; function f3(a4) { return a4; } Object.defineProperty(v2, "get", { enumerable: true, value: f3 }); const o5 = { "parameters": v0, }; const v7 = new Proxy(v2, v2); const v8 = new v7(o5); // CRASH INFO // ========== // TERMSIG: 6 // STDERR: // ASSERTION FAILED: structure // /home/builder/webkit/Source/JavaScriptCore/runtime/StructureID.h(145) : static JSC::StructureID JSC::StructureID::encode(const JSC::Structure *) // EXECUTION TIME: 194ms Here is the stack trace from gdb: #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44 #1 0x00007ffff18add2f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78 #2 0x00007ffff185eef2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007ffff1849472 in __GI_abort () at ./stdlib/abort.c:79 #4 0x00007ffff53a743b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:758 #5 0x00007ffff53da98d in JSC::StructureID::encode (structure=0x0) at Source/JavaScriptCore/runtime/StructureID.h:145 #6 0x00007ffff53da855 in JSC::Structure::id (this=0x0) at Source/JavaScriptCore/runtime/Structure.h:234 #7 0x00007ffff53d9eda in JSC::JSCell::JSCell (this=0x7fffe70026c8, structure=0x0) at Source/JavaScriptCore/runtime/JSCellInlines.h:59 #8 0x00007ffff54a92cd in JSC::JSObject::JSObject (this=0x7fffe70026c8, vm=..., structure=0x0, butterfly=0x0) at Source/JavaScriptCore/runtime/JSObject.h:1374 #9 0x00007ffff54a0d0d in JSC::JSNonFinalObject::JSNonFinalObject (this=0x7fffe70026c8, vm=..., structure=0x0, butterfly=0x0) at Source/JavaScriptCore/runtime/JSObject.h:1203 #10 0x00007ffff7412a51 in JSC::JSWebAssemblyTag::JSWebAssemblyTag (this=0x7fffe70026c8, vm=..., structure=0x0, tag=...) at Source/JavaScriptCore/wasm/js/JSWebAssemblyTag.cpp:54 #11 0x00007ffff741298d in JSC::JSWebAssemblyTag::create (vm=..., globalObject=0x7fffa541a068, structure=0x0, tag=...) at Source/JavaScriptCore/wasm/js/JSWebAssemblyTag.cpp:43 #12 0x00007ffff743dec5 in JSC::constructJSWebAssemblyTag (globalObject=0x7fffa541a068, callFrame=0x7fffffffbd10) at Source/JavaScriptCore/wasm/js/WebAssemblyTagConstructor.cpp:89 #13 0x00007ffff536166b in vmEntryToNative () from WebKitBuild/Debug/lib/libJavaScriptCore.so.1 #14 0x00007ffff677d485 in JSC::Interpreter::executeConstruct (this=0x7fffa500c8b0, lexicalGlobalObject=0x7fffa541a068, constructor=0x7fffa54c83a0, constructData=..., args=..., newTarget=...) at Source/JavaScriptCore/interpreter/Interpreter.cpp:1168 #15 0x00007ffff6b656b9 in JSC::construct (globalObject=0x7fffa541a068, constructorObject=..., constructData=..., args=..., newTarget=...) at Source/JavaScriptCore/runtime/ConstructData.cpp:59 #16 0x00007ffff6f3ba37 in JSC::performProxyConstruct (globalObject=0x7fffa541a068, callFrame=0x7fffffffc780) at Source/JavaScriptCore/runtime/ProxyObject.cpp:567 #17 0x00007ffff686584b in WTF::FunctionPtr<(WTF::PtrTag)12563, long (JSC::JSGlobalObject*, JSC::CallFrame*), (WTF::FunctionAttributes)2>::operator()(JSC::JSGlobalObject*, JSC::CallFrame*) const (this=0x7fffffffc410, in=0x7fffffffc780, in=0x7fffffffc780) at WTF/Headers/wtf/FunctionPtr.h:104 #18 0x00007ffff68654ec in JSC::handleHostCall (globalObject=0x7fffa541a068, calleeFrame=0x7fffffffc780, callee=..., callLinkInfo=0x7fffe704b848) at Source/JavaScriptCore/bytecode/RepatchInlines.h:76 #19 0x00007ffff685a8d4 in JSC::linkFor (calleeFrame=0x7fffffffc780, globalObject=0x7fffa541a068, callLinkInfo=0x7fffe704b848) at Source/JavaScriptCore/bytecode/RepatchInlines.h:120 #20 0x00007ffff683f916 in operationLinkCall (calleeFrame=0x7fffffffc780, globalObject=0x7fffa541a068, callLinkInfo=0x7fffe704b848) at Source/JavaScriptCore/jit/JITOperations.cpp:1533 #21 0x00007fffa6e002a4 in ?? () #22 0x00007fffffffc810 in ?? () #23 0x00007ffff5386636 in js_trampoline_op_construct () from WebKitBuild/Debug/lib/libJavaScriptCore.so.1 #24 0x0000000000000000 in ?? () I'd think that this bug will always just lead to a nullptr dereference in release builds (due to |structure| being nullptr), but I'm still filing it as a security issue as a precaution in case the underlying bug can lead to other symptoms as well.