Bug 284132

Summary: JSC::JSValue convert of JSConverter<IDLRecord<K, V>> crashes when converting an input WebCore::IDLRecord<WebCore::IDLUSVString, WebCore::IDLUnion<WebCore::IDLUndefined, WebCore::IDLUSVString>>
Product: WebKit Reporter: jlee53
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, sam, sihui_liu, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Crashlog
none
crashlog-correct
none
Crash signature from updated layout test none

jlee53
Reported 2024-12-05 14:18:06 PST
The converter seems to mistakenly interpret a String as a number. (The String is in fact the string "0"). The input dictionary / union originates from <https://github.com/WebKit/WebKit/pull/37467>. It is `struct URLPatternComponentResult` defined in URLPattern.h / URLPatternResult.idl
Attachments
Crashlog (48.22 KB, text/plain)
2024-12-05 14:18 PST, jlee53 		no flags
Details
crashlog-correct (48.22 KB, text/plain)
2024-12-05 14:20 PST, jlee53 		no flags
Details
Crash signature from updated layout test (110.60 KB, text/plain)
2024-12-06 15:51 PST, jlee53 		no flags
Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
jlee53
Comment 1 2024-12-05 14:18:30 PST
Created attachment 473475 [details] Crashlog
jlee53
Comment 2 2024-12-05 14:19:44 PST
(In reply to jlee53 from comment #1) > Created attachment 473475 [details] > Crashlog This is the incorrect attachment. Please ignore.
jlee53
Comment 3 2024-12-05 14:20:20 PST
Created attachment 473476 [details] crashlog-correct
Chris Dumez
Comment 4 2024-12-05 14:31:50 PST
Sam Weinig would be the most familiar but basically this looks like a bug in `JSConverter<IDLRecord<K, V>>` in `JSDOMRecordConvert.h`. On this line in particular: ``` // 3. Let created be ! CreateDataProperty(result, esKey, esValue). bool created = result->putDirect(vm, JSC::Identifier::fromString(vm, keyValuePair.key), esValue); ``` Maybe because it doesn't deal nicely with `(undefined or USVString)` in the IDLRecord. I think support for `undefined or USVString` is very new and I guess converting from native to JS isn't quite fully working yet.
jlee53
Comment 5 2024-12-05 14:42:31 PST
I added a print statement where the assertion / crash happens and the property name is 0. Source/JavaScriptCore/runtime/JSObjectInlines.h @@ -369,6 +369,8 @@ ALWAYS_INLINE ASCIILiteral JSObject::putDirectInternal(VM& vm, PropertyName prop ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this)); + String printPropertyName = static_cast<String>(propertyName.publicName()); // add print statement + WTFLogAlways("JSObject::putDirectInternal printPropertyName:%s", printPropertyName.utf8().data()); ASSERT(!parseIndex(propertyName)); stderr.txt JSObject::putDirectInternal printPropertyName:0 // what was printed is 0. ASSERTION FAILED: !parseIndex(propertyName)
Chris Dumez
Comment 6 2024-12-05 15:24:09 PST
looks like I'm wrong about the crash reason. Maybe this code should be calling `putDirectMayBeIndex()` instead of `putDirect()` since I think the property name is an index in your case.
Radar WebKit Bug Importer
Comment 7 2024-12-05 17:49:24 PST
<rdar://problem/141017497>
jlee53
Comment 8 2024-12-05 17:52:04 PST
Pull request: https://github.com/WebKit/WebKit/pull/37522
jlee53
Comment 9 2024-12-05 17:59:48 PST
Thanks to Chris and Sihui, this was root-cased to usage of the function putDirect in /WebCore/bindings/js/JSDOMConvertRecord.h when converting a native object to an IDL Record. PutDirect() assumes that the property name is not an index but in fact, it is. Conversion should use <bool createDataProperty(JSGlobalObject*, PropertyName, JSValue, bool shouldThrow)> which is what the spec states. Spec: https://webidl.spec.whatwg.org/#js-record
jlee53
Comment 10 2024-12-06 15:45:08 PST
I confirmed that these tests are sufficient to test the change. If I remove the fix and I run the updated test, I see that it crashes with the same signature. Attaching crashlog
jlee53
Comment 11 2024-12-06 15:51:12 PST
Created attachment 473491 [details] Crash signature from updated layout test
EWS
Comment 12 2024-12-07 12:32:18 PST
Committed 287506@main (d78f8ae748e3): <https://commits.webkit.org/287506@main> Reviewed commits have been landed. Closing PR #37522 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.