WebKit Bugzilla
RESOLVED FIXED
181388
WebKitGTK/JavaScriptCore segfault with ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
https://bugs.webkit.org/show_bug.cgi?id=181388
Suyoung Lee
Reported
2018-01-08 07:53:25 PST
Created attachment 330704 [details]: Core dump

Crashes on WebKitGTK/JavaScriptCore 2.19.3 ia32/x64 debug build. Here is the input code.

    var var_0 = {
        get var_0() { ((31479 ? 2113 : 17505), (++var_0)); return 'field'; },
        set var_0(var_0) { },
        get var_0() { return var_0; },
        set var_0(var_0) { throw "Bad expected case"; }
    };
    var_0 = (-2407450097.0604715 ? var_0.var_0 : var_0);
    var_0[var_0];

gdb session:

    (gdb) run 23-c38afc31b8eab5cebacf641b9c6eca9284ed2032-3456.js
    Starting program: /data/jsengine/JSC/2.19.3/ia32.debug/jsc 23-c38afc31b8eab5cebacf641b9c6eca9284ed2032-3456.js
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [New Thread 0xf32f2b40 (LWP 13938)]
    ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
    ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp(614) : virtual JSC::RegisterID* JSC::PropertyListNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
    1   0xf73bba8b WTFCrash
    2   0xf67d5ec2 JSC::PropertyListNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
    3   0xf67fa4dd JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*)
    4   0xf67fa3ba JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*)
    5   0xf67d55d1 JSC::ObjectLiteralNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
    6   0xf67fa4dd JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*)
    7   0xf67fa3ba JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*)
    8   0xf67e5430 JSC::AssignResolveNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
    9   0xf67fa4dd JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*)
    10  0xf67fa3ba JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*)
    11  0xf67fa511 JSC::Byteprint(' => output_filename: %s' % output_filename) util.jsFileWriteWithPath(output_filename, root_node.to_ecma())codeGenerator::emitNode(JSC::ExpressionNode*)
    12  0xf67e68f0 JSC::DeclarationStatement::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
    13  0xf67fa313 JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*)
    14  0xf67fdfde JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
    15  0xf67fe09b JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
    16  0xf67ebf41
    17  0xf67ebfe6 JSC::ProgramNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)
    18  0xf67b5eb8 JSC::BytecodeGenerator::generate()
    19  0xf707472a JSC::ParserError JSC::BytecodeGenerator::generate<JSC::ProgramNode*, JSC::UnlinkedProgramCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*&>(JSC::VM&, JSC::ProgramNode*&&, JSC::UnlinkedProgramCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*&)
    20  0xf706ec95 JSC::UnlinkedProgramCodeBlock* JSC::generateUnlinkedCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::DebuggerMode, JSC::ParserError&, JSC::EvalContextType, JSC::VariableEnvironment const*)
    21  0xf706c228 JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getUnlinkedGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::DebuggerMode, JSC::ParserError&, JSC::EvalContextType)
    22  0xf703c125 JSC::CodeCache::getUnlinkedProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::DebuggerMode, JSC::ParserError&)
    23  0xf721a095 JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*)
    24  0xf6e028ae JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
    25  0xf704da77 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
    26  0x809d8ef
    27  0x809eb2c
    28  0x809fd95
    29  0x809ebe0 jscmain(int, char**)
    30  0x809c3fe main
    31  0xf5048637 __libc_start_main
    warning: Could not find DWO CU Source/WTF/wtf/CMakeFiles/WTF.dir/Assertions.cpp.dwo(0xbcbdcc3cd3da3302) referenced by CU at offset 0x1890 [in module /data/jsengine/JSC/2.19.3/ia32.debug/lib/libJavaScriptCore.so.1]

    Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
    0xf73bba90 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:272
    warning: Source file is more recent than executable.
    272         *(int *)(uintptr_t)0xbbadbeef = 0;
    (gdb) bt
    warning: Could not find DWO CU Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource35.cpp.dwo(0x3777c1f6527e4ca3) referenced by CU at offset 0x5a0 [in module /data/jsengine/JSC/2.19.3/ia32.debug/lib/libJavaScriptCore.so.1]
    #0  0xf73bba90 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:272
    #1  0xf67d5ec2 in JSC::PropertyListNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:614
    #2  0xf67fa4dd in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*) () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:512
    #3  0xf67fa3ba in JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:501
    #4  0xf67d55d1 in JSC::ObjectLiteralNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:494
    #5  0xf67fa4dd in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*) () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:512
    #6  0xf67fa3ba in JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:501
    #7  0xf67e5430 in JSC::AssignResolveNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2433
    #8  0xf67fa4dd in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*) () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:512
    #9  0xf67fa3ba in JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:501
    #10 0xf67fa511 in JSC::BytecodeGenerator::emitNode(JSC::ExpressionNode*) () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:517
    #11 0xf67e68f0 in JSC::DeclarationStatement::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2627
    #12 0xf67fa313 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:485
    #13 0xf67fdfde in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2585
    #14 0xf67fe09b in JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3607
    #15 0xf67ebf41 in JSC::emitProgramNodeBytecode(JSC::BytecodeGenerator&, JSC::ScopeNode&) () at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3617
    #16 0xf67ebfe6 in JSC::ProgramNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) () at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3627
    #17 0xf67b5eb8 in JSC::BytecodeGenerator::generate() () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:151
    warning: Could not find DWO CU Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource92.cpp.dwo(0x697a913a79c56edc) referenced by CU at offset 0x1134 [in module /data/jsengine/JSC/2.19.3/ia32.debug/lib/libJavaScriptCore.so.1]
    #18 0xf707472a in JSC::ParserError JSC::BytecodeGenerator::generate<JSC::ProgramNode*, JSC::UnlinkedProgramCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*&>(JSC::VM&, JSC::ProgramNode*&&, JSC::UnlinkedProgramCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*&) () at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:387
    #19 0xf706ec95 in JSC::UnlinkedProgramCodeBlock* JSC::generateUnlinkedCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::DebuggerMode, JSC::ParserError&, JSC::EvalContextType, JSC::VariableEnvironment const*) () at ../../Source/JavaScriptCore/runtime/CodeCache.h:252
    #20 0xf706c228 in JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getUnlinkedGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::DebuggerMode, JSC::ParserError&, JSC::EvalContextType) () at ../../Source/JavaScriptCore/runtime/CodeCache.cpp:75
    #21 0xf703c125 in JSC::CodeCache::getUnlinkedProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictMode, JSC::DebuggerMode, JSC::ParserError&) () at ../../Source/JavaScriptCore/runtime/CodeCache.cpp:85
    warning: Could not find DWO CU Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource113.cpp.dwo(0xae42486f05155d19) referenced by CU at offset 0x1524 [in module /data/jsengine/JSC/2.19.3/ia32.debug/lib/libJavaScriptCore.so.1]
    #22 0xf721a095 in JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*) () at ../../Source/JavaScriptCore/runtime/ProgramExecutable.cpp:99
    warning: Could not find DWO CU Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource76.cpp.dwo(0xacc06726e7045932) referenced by CU at offset 0xe10 [in module /data/jsengine/JSC/2.19.3/ia32.debug/lib/libJavaScriptCore.so.1]
    #23 0xf6e028ae in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) () at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:910
    #24 0xf704da77 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () at ../../Source/JavaScriptCore/runtime/Completion.cpp:103
    #25 0x0809d8ef in runWithOptions(GlobalObject*, CommandLine&) () at ../../Source/JavaScriptCore/jsc.cpp:2275
    #26 0x0809eb2c in jscmain(int, char**)::{lambda(JSC::VM&, GlobalObject*)#1}::operator()(JSC::VM&, GlobalObject*) const () at ../../Source/JavaScriptCore/jsc.cpp:2679
    #27 0x0809fd95 in int runJSC<jscmain(int, char**)::{lambda(JSC::VM&, GlobalObject*)#1}>(CommandLine, bool, jscmain(int, char**)::{lambda(JSC::VM&, GlobalObject*)#1} const&) () at ../../Source/JavaScriptCore/jsc.cpp:2580
    #28 0x0809ebe0 in jscmain(int, char**) () at ../../Source/JavaScriptCore/jsc.cpp:2679
    #29 0x0809c3fe in main () at ../../Source/JavaScriptCore/jsc.cpp:2107
Attachments

Core dump (59.86 MB, application/x-core), 2018-01-08 07:53 PST, Suyoung Lee, no flags
proposed patch. (8.13 KB, patch), 2018-01-08 16:51 PST, Mark Lam, saam: review+
Radar WebKit Bug Importer
Comment 1
2018-01-08 07:54:58 PST
<rdar://problem/36349351>
Mark Lam
Comment 2
2018-01-08 09:44:55 PST
I can reproduce this on a debug build of ToT WebKit.
Suyoung Lee
Comment 3
2018-01-08 10:38:29 PST
Ignore the following line.

    11 0xf67fa511 JSC::Byteprint(' => output_filename: %s' % output_filename) util.jsFileWriteWithPath(output_filename, root_node.to_ecma())codeGenerator::emitNode(JSC::ExpressionNode*)

I made a mistake when I pasted the error message. That line was originally as follows.

    11 0xf67fa511 JSC::BytecodeGenerator::emitNode(JSC::ExpressionNode*)
Mark Lam
Comment 4
2018-01-08 16:51:25 PST
Created attachment 330755 [details]: proposed patch.
Saam Barati
Comment 5
2018-01-08 16:58:24 PST
Comment on attachment 330755 [details]: proposed patch.
View in context: https://bugs.webkit.org/attachment.cgi?id=330755&action=review

r=me

> JSTests/stress/regress-181388.js:54
> +        trace.push("get1");
> +        this.value += 1000;
> +        return this.value;

I would just throw here
Mark Lam
Comment 6
2018-01-09 10:50:32 PST
Thanks for the review. Layout and JSC tests run locally show no regression. I've applied the suggested change.

Landed in r226650: <http://trac.webkit.org/r226650>.
Mark Lam
Comment 7
2018-01-09 11:12:52 PST
I don't think this bug is a security issue. It is merely a correctness issue. When there are duplicate setters or getters, this bug may cause the VM to overwrite a getter with a setter, or vice versa. Note that client JS code can already install whatever getter/setter functions they wish. The only way that this bug could become a security problem is if an attacker can use it to replace the getter/setter of some security critical API in WebCore. However, this bug requires the declaration of duplicate setters/getters in order to manifest and since WebCore's JS code is well-behaved and not controlled by unvetted JS code (i.e. no duplicate getter/setters), this bug is not an exploitable security issue. I recommend re-classifying this bug as NOT a security bug.
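The reporter's testcase and Mark Lam's explanation both turn on one question: when an object literal declares the same accessor name more than once, which getter and which setter must be installed? The following is an added example, not code from the bug report or from the WebKit patch (its helper names, describeProperty and runDuplicateAccessorChecks, are mine). It pins down the ECMAScript answer, which is what the bytecode generator violated when it let a getter and a setter overwrite each other, so the same cases can be run against any engine build. The sample objects are constructed here for illustration.

```javascript
'use strict';

// Added example: checks the spec semantics of duplicate accessors in object
// literals. Not JSC code; helper names are my own.

// Report what survives on obj[name] after the literal was evaluated: a data
// value, or which getter and which setter are installed. `seen` is a scratch
// object that the sample setters write their tag into.
function describeProperty(obj, name, seen) {
  const d = Object.getOwnPropertyDescriptor(obj, name);
  if (d === undefined) return { kind: 'missing' };
  if ('value' in d) return { kind: 'data', value: d.value };
  seen.setter = null;
  if (d.set) d.set.call(obj, 0);
  return {
    kind: 'accessor',
    getter: d.get ? d.get.call(obj) : null,
    setter: seen.setter,
  };
}

function runDuplicateAccessorChecks() {
  const seen = { setter: null };
  const results = {};

  // Case 1, the reporter's shape: two getters and two setters for one name.
  // ES2015 allows this (the duplicate-property early error was dropped); each
  // later accessor definition replaces only its own half of the {get, set}
  // pair, so getter #2 and setter #2 must both survive.
  const dupPair = {
    get p() { return 'get1'; },
    set p(v) { seen.setter = 'set1'; },
    get p() { return 'get2'; },
    set p(v) { seen.setter = 'set2'; },
  };
  results.dupPair = describeProperty(dupPair, 'p', seen);

  // Case 2: a later getter must not discard an earlier setter. The pair is
  // merged, never replaced wholesale.
  const merged = {
    set p(v) { seen.setter = 'setA'; },
    get p() { return 'getB'; },
  };
  results.merged = describeProperty(merged, 'p', seen);

  // Case 3: a data definition after an accessor replaces the whole pair, and
  // an accessor after a data definition replaces the value, leaving the other
  // half of the pair undefined.
  results.dataWins = describeProperty({ get p() { return 'g'; }, p: 42 }, 'p', seen);
  results.accessorWins = describeProperty({ p: 42, get p() { return 'g'; } }, 'p', seen);

  // Case 4: the reporter's "throw in the second setter" trick. An assignment
  // must reach setter #2, which proves the engine kept the later setter and
  // did not let the intervening getter clobber it.
  const thrower = {
    set p(v) { seen.setter = 'quiet'; },
    get p() { return 'g'; },
    set p(v) { throw new Error('second setter reached'); },
  };
  let reached = false;
  try { thrower.p = 1; } catch (e) { reached = e.message === 'second setter reached'; }
  results.secondSetterReached = reached;

  return results;
}

// Stand-alone run: print the summary so an engine's behaviour can be compared
// against the expectations in the comments above.
console.log(JSON.stringify(runDuplicateAccessorChecks(), null, 2));
```

Run it under the jsc shell or node. A build that swaps a getter for a setter (the failure Mark Lam describes) would show up as a wrong tag in dupPair or merged, or as secondSetterReached being false; a build that trips the assertion in PropertyListNode::emitBytecode would, as in the report, not get as far as printing anything.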