RESOLVED FIXED 212399
in_structure_property needs to handle constants on the RHS of the "in"
https://bugs.webkit.org/show_bug.cgi?id=212399
Summary in_structure_property needs to handle constants on the RHS of the "in"
Minh Tran
Reported 2020-05-26 20:41:07 PDT
The bug is in the object iterator, really simple. Some type check must happen if the iterator can use `in` or not. In this case, the index (string d) cannot use the `in` function. I know `1337` is not an Object, but it still crashes in some way. I am really new to JavaScriptCore and do not understand the design pattern fully, but I hope my POC can help. Thanks.

POC:
```
const v0 = {d:13.37};
for (const v1 in v0) {
    print(typeof(v1), v1);
    print(typeof(v0[v1]), v0[v1]);
    const v2 = v1 in 1337;
}
```

LOG:
```
string d
number 13.37
ASSERTION FAILED: !reg.isConstant()
../../Source/JavaScriptCore/interpreter/CallFrameInlines.h(44) : JSC::Register &JSC::CallFrame::uncheckedR(JSC::VirtualRegister)
1   0x114a6b8d9 WTFCrash
2   0x104896590 WTF::BasicRawSentinelNode<Worker, WTF::DumbPtrTraits<Worker> >::remove()
3   0x1113625a3 JSC::CallFrame::uncheckedR(JSC::VirtualRegister)
4   0x1134d367e slow_path_in_structure_property
5   0x10f6b2e02 llint_entry
6   0x10f69bf32 vmEntryToJavaScript
7   0x112ab449b JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
8   0x112ab1fa3 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
9   0x11351c4da JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
10  0x104975534 runWithOptions(GlobalObject*, CommandLine&, bool&)
11  0x1048f7174 jscmain(int, char**)::$_4::operator()(JSC::VM&, GlobalObject*, bool&) const
12  0x10489b6fe int runJSC<jscmain(int, char**)::$_4>(CommandLine const&, bool, jscmain(int, char**)::$_4 const&)
13  0x1048981ae jscmain(int, char**)
14  0x104897c8e main
15  0x7fff72122cc9 start
16  0xc
```

Steps to Reproduce:
1) Build Release with ASAN:
./Tools/Scripts/set-webkit-configuration --asan
./Tools/Scripts/build-webkit --jsc-only --release
2) Run JSC with the JS file

Actual Results:
JSC crashes with a log like the one above

Expected Results:
JSC should not crash (or should raise a TypeError because 1337 is not an Object)

Build Date & Hardware:
commit@751ec07c691376353670d0913d09a85d490395cd (Date: Wed May 27 02:42:14 2020 +0000)
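An added regression probe for the pattern in the report (example code written for this page; it is neither the reporter's POC nor the test in the WebKit patch). It generalizes the POC beyond the single `1337` case: the for-in key is tested with `in` against several literal right-hand sides written directly in the loop body, so the RHS is a constant in the bytecode as in the report, plus a variable RHS for comparison. Per ECMAScript, `key in rhs` must throw a TypeError whenever `rhs` is not an object, and a correct engine never crashes on this input. The function and variable names are this example's own assumptions.

```javascript
// Added example, not code from the bug report or the WebKit patch.
// Classify a caught exception; the expected outcome for a primitive RHS is
// a TypeError, anything else (or a crash) is a bug in the engine.
function errorKind(e) {
  return e instanceof TypeError ? 'TypeError' : 'other';
}

// Each `in` below is written directly inside the for-in body with a literal
// on the right-hand side, the same shape that reached the constant-register
// assertion in the report. Results are returned, not printed, so a test can
// assert on them.
function probeForInWithLiteralRhs() {
  const v0 = { d: 13.37 };          // one enumerable property, as in the POC
  const outcomes = {};
  for (const v1 in v0) {
    try { outcomes.number = v1 in 1337; } catch (e) { outcomes.number = errorKind(e); }
    try { outcomes.string = v1 in 'd'; } catch (e) { outcomes.string = errorKind(e); }
    try { outcomes.nullRhs = v1 in null; } catch (e) { outcomes.nullRhs = errorKind(e); }
    try { outcomes.boolean = v1 in true; } catch (e) { outcomes.boolean = errorKind(e); }
    // Object right-hand sides are legal: a plain object that has the key,
    // and a boxed Number that does not.
    try { outcomes.object = v1 in { d: 1 }; } catch (e) { outcomes.object = errorKind(e); }
    try { outcomes.boxed = v1 in Object(1337); } catch (e) { outcomes.boxed = errorKind(e); }
  }
  return outcomes;
}

// Same check with a non-constant RHS (a parameter) for comparison: the
// semantics must be identical whether or not the operand is a literal.
function probeForInWithVariableRhs(rhs) {
  const v0 = { d: 13.37 };
  let result;
  for (const v1 in v0) {
    try { result = v1 in rhs; } catch (e) { result = errorKind(e); }
  }
  return result;
}
```

Run it under the built `jsc` (or any engine); every primitive entry must read `'TypeError'`, `object` must be `true` and `boxed` must be `false`. If the process aborts instead, the constant-register path is still broken.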
Attachments
Patch (2.58 KB, patch)
2020-05-27 09:15 PDT, Keith Miller
saam: review+
Radar WebKit Bug Importer
Comment 1 2020-05-26 23:38:50 PDT
Keith Miller
Comment 2 2020-05-27 09:15:12 PDT
Saam Barati
Comment 3 2020-05-27 09:17:57 PDT
Comment on attachment 400340 [details] Patch nice & thanks r=me
Mark Lam
Comment 4 2020-05-27 09:18:37 PDT
Comment on attachment 400340 [details] Patch r=me too
Keith Miller
Comment 5 2020-05-27 09:28:56 PDT
Ryan Haddad
Comment 6 2020-05-27 12:44:01 PDT
(In reply to Keith Miller from comment #5)
> Committed r262197: <https://trac.webkit.org/changeset/262197>

JSC EWS showed 18 new failures, which are now appearing on the trunk bot:
https://build.webkit.org/builders/Apple-Catalina-Release-JSC-Tests/builds/2209/steps/jscore-test/logs/stdio
Saam Barati
Comment 7 2020-05-27 13:00:44 PDT
Comment on attachment 400340 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=400340&action=review > JSTests/stress/for-in-in-structure-property-constant-virtual-register.js:4 > +const v0 = {d:13.37}; > +for (const v1 in v0) { > + const v2 = v1 in 1337; > +} You need to wrap this in try/catch I believe
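Review bot: the quoted test for-in-in-structure-property-constant-virtual-register.js cannot pass as written, because `v1 in 1337` throws a TypeError on the first iteration (1337 is not an object) and the uncaught exception makes the stress test fail, which matches the new failures reported in comment 6. Wrap the `in` in try/catch, and rather than swallowing the exception, check that the caught value is a TypeError and throw if the loop completes without one, so the test exercises the constant-register path and also verifies the expected result from the report.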
Ryan Haddad
Comment 8 2020-06-01 16:50:41 PDT
(In reply to Ryan Haddad from comment #6)
> (In reply to Keith Miller from comment #5)
> > Committed r262197: <https://trac.webkit.org/changeset/262197>
> JSC EWS showed 18 new failures, which are now appearing on the trunk bot:
> https://build.webkit.org/builders/Apple-Catalina-Release-JSC-Tests/builds/2209/steps/jscore-test/logs/stdio

Keith fixed this in https://trac.webkit.org/changeset/262210/webkit