Bug 202624 - ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this, with __proto__
Summary: ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) |...
Status: RESOLVED DUPLICATE of bug 200386
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Critical
Assignee: Nobody
Keywords: InRadar

Reported: 2019-10-06 23:21 PDT by rain
Modified: 2020-05-05 17:06 PDT

Attachments
poc (383 bytes, text/javascript) - 2019-10-06 23:21 PDT, rain

Description rain 2019-10-06 23:21:28 PDT
Created attachment 380307: poc

This is not a dupe of 202342
=======================================
ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this
../../Source/JavaScriptCore/runtime/JSObject.cpp(797) : bool JSC::JSObject::putInlineSlow(JSC::ExecState *, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot &)
Aborted (core dumped)

=======================================

OS: ubuntu 16.04

Configuration:

--jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'"

git log:
=======================================
commit 9188d0222391c558277ed74d037b7c9ef5719405
Author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed May 29 06:00:40 2019 +0000

    [MSE][GStreamer] update the readyState correctly in MediaPlayerPrivateGStreamerMSE
    https://bugs.webkit.org/show_bug.cgi?id=197834
    
    Patch by Yacine Bandou <yacine.bandou@softathome.com> on 2019-05-28
    Reviewed by Xabier Rodriguez-Calvar.
====================
pass parameters:
jsc poc
Comment 1 Radar WebKit Bug Importer 2019-10-07 09:09:15 PDT
<rdar://problem/56038268>
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2020-04-21 12:36:57 PDT
I made some modifications to Robobisect v0.0.1 (available at https://github.com/nth10sd/robobisect) to find out the likely regressor (when the poc started crashing) and likely fix:

=====================
| Robobisect report |
=====================

Likely regressor:

commit 043245b0ed35b36e177dc7f96df8deb6cdbb5465
Author: mcatanzaro </snip>
Date:   Sun Nov 25 18:22:30 2018 +0000

    CRASH() should call abort() except on Darwin and in developer builds
    https://bugs.webkit.org/show_bug.cgi?id=184408
    
    Reviewed by Daniel Bates.
    
    </snip>
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238478 268f45cc-cd09-0410-ab3c-d52691b4dbfc

=====================

Likely fix:

commit 17b927ea0dedded5de8356b366a60bf70c9bff45
Author: sbarati </snip>
Date:   Mon Sep 16 19:32:39 2019 +0000

    JSObject::putInlineSlow should not ignore "__proto__" for Proxy
    https://bugs.webkit.org/show_bug.cgi?id=200386
    <rdar://problem/53854946>
    
    Reviewed by Yusuke Suzuki.
    
    </snip>
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249911 268f45cc-cd09-0410-ab3c-d52691b4dbfc

=====================


Saam/Yusuke, is bug 200386 a likely fix for this bug? Or is this possibly a dupe of bug 200386?
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2020-04-21 12:43:42 PDT
Backtrace with git commit 043245b0ed35b36e177dc7f96df8deb6cdbb5465:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6469801 in __GI_abort () at abort.c:79
#2  0x000055555788bc1b in JSC::JSObject::putInlineSlow (this=0x7fffb35c8280, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...)
    at ../../Source/JavaScriptCore/runtime/JSObject.cpp:769
#3  0x000055555707e39a in JSC::JSObject::putInlineForJSObject (cell=0x7fffb35c8280, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...)
    at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:245
#4  0x000055555707a16e in JSC::JSCell::putInline (this=0x7fffb35c8280, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...)
    at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:403
#5  0x000055555707d597 in JSC::JSValue::putInline (this=0x7fffffffca60, exec=0x7fffffffcc80, propertyName=..., value=..., slot=...)
    at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:951
#6  0x00005555575f2ac9 in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7fffffffcc80, pc=0x7ffff3f8508b) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:851
#7  0x00005555575e151a in llint_entry () at DerivedSources/ForwardingHeaders/wtf/CagedPtr.h:50
#8  0x00005555575ebab6 in llint_entry () at DerivedSources/ForwardingHeaders/wtf/CagedPtr.h:50
#9  0x00005555575da4e2 in vmEntryToJavaScript () at DerivedSources/ForwardingHeaders/wtf/CagedPtr.h:50
#10 0x0000555557509bc0 in JSC::JITCode::execute (this=0x7ffff3f8a000, vm=0x7fffb3d00000, protoCallFrame=0x7fffffffcf30) at ../../Source/JavaScriptCore/jit/JITCodeInlines.h:38
#11 0x000055555750075d in JSC::Interpreter::executeProgram (this=0x7ffff3ffd270, source=..., callFrame=0x7fffb35e0048, thisObj=0x7fffb35a8080)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:832
#12 0x0000555557796661 in JSC::evaluate (exec=0x7fffb35e0048, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:106
#13 0x0000555556bcf037 in runWithOptions (globalObject=0x7fffb35e0000, options=..., success=@0x7fffffffdaaa: true) at ../../Source/JavaScriptCore/jsc.cpp:2460
#14 0x0000555556bd017e in <lambda(JSC::VM&, GlobalObject*, bool&)>::operator()(JSC::VM &, GlobalObject *, bool &) const (__closure=0x7fffffffdc18, globalObject=0x7fffb35e0000, 
    success=@0x7fffffffdaaa: true) at ../../Source/JavaScriptCore/jsc.cpp:2864
#15 0x0000555556bd184d in runJSC<jscmain(int, char**)::<lambda(JSC::VM&, GlobalObject*, bool&)> >(CommandLine, bool, const <lambda(JSC::VM&, GlobalObject*, bool&)> &) (options=..., 
    isWorker=false, func=...) at ../../Source/JavaScriptCore/jsc.cpp:2765
#16 0x0000555556bd0242 in jscmain (argc=2, argv=0x7fffffffdde8) at ../../Source/JavaScriptCore/jsc.cpp:2865
#17 0x0000555556bcdb26 in main (argc=2, argv=0x7fffffffdde8) at ../../Source/JavaScriptCore/jsc.cpp:2286

=====

On a recent git commit eb42a8967d53ebb95bd59b6d89662ac7fdf95a8b, the testcase only shows:

Exception: SyntaxError: Invalid character '\u007f'

instead of showing the assertion failure.
Comment 4 Gary Kwong [:gkw] [:nth10sd] 2020-04-21 12:44:34 PDT
The bug title can perhaps be changed to:

ASSERTION FAILED: this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this, with __proto__

but I don't yet have sufficient Bugzilla permissions.
Comment 5 David Kilzer (:ddkilzer) 2020-04-29 13:15:40 PDT
Dupe of this?  Bug 200386: JSObject::putInlineSlow should not ignore "__proto__" for Proxy
Comment 6 Yusuke Suzuki 2020-05-05 17:06:12 PDT
Yes, this is a dupe of bug 200386.
The put operation with __proto__ traverses the Proxy's [[Prototype]] instead of calling the Proxy's [[Put]], so the state of the Proxy's Structure and the state of the Structure chain obtained from the Proxy's [[Prototype]] can differ, and the assertion hits.

*** This bug has been marked as a duplicate of bug 200386 ***
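The comments above describe the engine-side put path and name the fix as bug 200386 ("JSObject::putInlineSlow should not ignore "__proto__" for Proxy"). As an added example, not code from this bug report, from the attached poc, or from WebKit, the following script checks the ECMAScript-specified behaviour that an engine is expected to honour: an assignment to `__proto__` on an object whose prototype chain contains a Proxy must go through the Proxy's [[Set]] (its `set` trap) rather than bypass the Proxy and walk its own [[Prototype]]. All function and variable names (`protoAssignmentThroughProxy`, `protoAssignmentVetoedByProxy`, `trapLog`, `marker`) are constructed for this example. It can serve as a quick conformance check in a test suite when a JS engine build is under evaluation.

```javascript
// Added example (not from the bug report or WebKit). Checks that a Proxy in
// the prototype chain sees, and can veto, a `__proto__` assignment.

// Case 1: the Proxy's `set` trap is invoked with key "__proto__" and, when it
// forwards via Reflect.set with the original receiver, Object.prototype's
// `__proto__` setter changes the receiver's prototype, not the target's.
function protoAssignmentThroughProxy() {
  const trapLog = [];                       // constructed record of trap calls
  const target = {};
  const proxy = new Proxy(target, {
    set(t, key, value, receiver) {
      trapLog.push(String(key));
      // OrdinarySet on the target finds Object.prototype's `__proto__`
      // accessor and calls its setter with `receiver` (obj) as `this`.
      return Reflect.set(t, key, value, receiver);
    },
  });
  const obj = Object.create(proxy);         // obj -> proxy -> target -> Object.prototype
  const newProto = { marker: 42 };
  obj.__proto__ = newProto;                 // must route through proxy's [[Set]]
  return {
    trapLog,
    protoUpdated: Object.getPrototypeOf(obj) === newProto,
    markerVisible: obj.marker,
    targetUntouched: Object.getPrototypeOf(target) === Object.prototype,
  };
}

// Case 2: a trap that returns false for "__proto__" vetoes the change. In
// strict mode a false-returning [[Set]] is a TypeError, and the prototype
// must remain what it was. An engine that skipped the Proxy's [[Set]] here
// would silently rewire the prototype despite the veto.
function protoAssignmentVetoedByProxy() {
  'use strict';
  const proxy = new Proxy({}, {
    set(t, key, value, receiver) {
      if (key === '__proto__') return false; // refuse prototype changes
      return Reflect.set(t, key, value, receiver);
    },
  });
  const obj = Object.create(proxy);
  const before = Object.getPrototypeOf(obj);
  let threw = false;
  try {
    obj.__proto__ = { marker: 1 };
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { threw, protoUnchanged: Object.getPrototypeOf(obj) === before };
}

// Stand-alone run: print both results for manual inspection.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(protoAssignmentThroughProxy());
  console.log(protoAssignmentVetoedByProxy());
}
```

Both functions return plain objects rather than printing, so the same checks can be dropped into an engine conformance suite; a build on which `trapLog` comes back empty or `protoUnchanged` is false is not honouring the Proxy's [[Set]] for `__proto__`.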