See attached testcase and error message below. Reproduced with JSC on ASAN release builds r280021, for both Linux and macOS.

ASSERTION FAILED: instanceofIndex != notFound
./runtime/ExceptionHelpers.cpp(222) : WTF::String JSC::invalidParameterInstanceofSourceAppender(const WTF::String &, const WTF::String &, const WTF::String &, JSC::RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred)
1 0x10104f9b4 WTFCrash
2 0x103ac7714 WTFCrashWithInfo(int, char const*, char const*, int)
3 0x106e96e28 JSC::invalidParameterInstanceofSourceAppender(WTF::String const&, WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)
4 0x106e8d214 JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)
5 0x106e744c4 JSC::appendSourceToErrorMessage(JSC::CallFrame*, JSC::ErrorInstance*, JSC::BytecodeIndex, WTF::String const&)
6 0x106e737f0 JSC::ErrorInstance::finishCreation(JSC::VM&, JSC::JSGlobalObject*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool)
7 0x106b5a780 JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, JSC::ErrorType, bool)
8 0x106e68c00 JSC::createTypeError(JSC::JSGlobalObject*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType)
9 0x106e8ba04 JSC::createError(JSC::JSGlobalObject*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
10 0x106e8cf6c JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction(JSC::JSGlobalObject*, JSC::JSValue)
11 0x107340988 JSC::JSObject::hasInstance(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)
12 0x107341ed8 JSC::JSObject::hasInstance(JSC::JSGlobalObject*, JSC::JSValue)
13 0x1070a3ec4 JSC::hasInstanceBoundFunction(JSC::JSGlobalObject*, JSC::CallFrame*)
14 0x11d8041b4
15 0x103b6a250 llint_entry
16 0x103b45168 vmEntryToJavaScript
17 0x10623d6b8 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
18 0x10623ae00 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
19 0x106dbc4cc JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
20 0x1008b8704 runWithOptions(GlobalObject*, CommandLine&, bool&)
21 0x10081570c jscmain(int, char**)::$_8::operator()(JSC::VM&, GlobalObject*, bool&) const
22 0x10079c484 int runJSC<jscmain(int, char**)::$_8>(CommandLine const&, bool, jscmain(int, char**)::$_8 const&)
23 0x10079671c jscmain(int, char**)
24 0x100795ec0 main
25 0x189dc1450 start
<rdar://problem/80762879>
Created attachment 433776: Testcase

Sorry, I forgot to attach the testcase.
This is happening when JSC appends a source error. The invalidParameterInstanceofSourceAppender function expects the sourceText to contain the string "instanceof", which is not the case here:

222 RELEASE_ASSERT(instanceofIndex != notFound);
(rr) p content.utf8().data()
$1 = 0x607000005510 "[Symbol.hasInstance] is not a function, undefined, or null"
(rr) p originalMessage.utf8().data()
$2 = 0x608000004d30 "function [Symbol.hasInstance] is not a function, undefined, or null"
(rr) p sourceText.utf8().data()
$3 = 0x606000007c50 "Function.prototype[Symbol.hasInstance].call(b)"

It does not seem to be a security issue.
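As an added example (not the testcase attached to this bug), the following JavaScript builds the two source shapes that reach the same TypeError through a bound function: one whose source text contains "instanceof", and one, matching the sourceText printed above, that does not. The names target, b, capture, errorViaOperator and errorViaHasInstanceCall are assumptions of this example; in a correct engine both cases must produce a TypeError rather than trip the appender's assertion.

```javascript
// Added example, not the bug's attached testcase. It constructs the two JS
// shapes that reach the same "[Symbol.hasInstance] is not a function" TypeError
// through a bound function, so the difference in source text is visible.

// A plain target whose Symbol.hasInstance is deliberately not callable.
// defineProperty is needed: plain assignment is blocked by the non-writable
// inherited Function.prototype[Symbol.hasInstance].
function target() {}
Object.defineProperty(target, Symbol.hasInstance, { value: 42 });

// A bound function forwards instanceof checks to its bound target, which is
// the hasInstanceBoundFunction step in the trace above.
const b = target.bind(null);

// Run fn and return the thrown error (or null if it did not throw).
function capture(fn) {
  try {
    fn();
    return null;
  } catch (e) {
    return e;
  }
}

// Case 1: the source text contains "instanceof", the case the appender expects.
function errorViaOperator() {
  return capture(() => ({}) instanceof b);
}

// Case 2: the same check invoked directly; the source text has no "instanceof",
// which is the case the appender's assertion did not anticipate.
function errorViaHasInstanceCall() {
  return capture(() => Function.prototype[Symbol.hasInstance].call(b, {}));
}

// Both are expected to be a TypeError; neither should crash the engine.
console.log(errorViaOperator() instanceof TypeError,
            errorViaHasInstanceCall() instanceof TypeError);
```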
Will look
Since this is a release assert, it is not a security issue.
Created attachment 433866: Patch
Comment on attachment 433866: Patch

Thanks. I'm going to r+ this since I suspect many reviewers are on holidays and this change seems uncontroversial.
Comment on attachment 433866: Patch

Thanks!
Committed r280097 (239814@main): <https://commits.webkit.org/239814@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433866.