WebKit Bugzilla
RESOLVED FIXED
228075
[JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance
https://bugs.webkit.org/show_bug.cgi?id=228075
Frédéric Wang (:fredw)
Reported 2021-07-19 01:32:59 PDT

See attached testcase and error message below. Reproduced with JSC on ASAN release builds r280021, for both Linux and macOS.

ASSERTION FAILED: instanceofIndex != notFound
./runtime/ExceptionHelpers.cpp(222) : WTF::String JSC::invalidParameterInstanceofSourceAppender(const WTF::String &, const WTF::String &, const WTF::String &, JSC::RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred)
1 0x10104f9b4 WTFCrash
2 0x103ac7714 WTFCrashWithInfo(int, char const*, char const*, int)
3 0x106e96e28 JSC::invalidParameterInstanceofSourceAppender(WTF::String const&, WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)
4 0x106e8d214 JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)
5 0x106e744c4 JSC::appendSourceToErrorMessage(JSC::CallFrame*, JSC::ErrorInstance*, JSC::BytecodeIndex, WTF::String const&)
6 0x106e737f0 JSC::ErrorInstance::finishCreation(JSC::VM&, JSC::JSGlobalObject*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool)
7 0x106b5a780 JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, JSC::JSValue, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, JSC::ErrorType, bool)
8 0x106e68c00 JSC::createTypeError(JSC::JSGlobalObject*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType)
9 0x106e8ba04 JSC::createError(JSC::JSGlobalObject*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
10 0x106e8cf6c JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction(JSC::JSGlobalObject*, JSC::JSValue)
11 0x107340988 JSC::JSObject::hasInstance(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)
12 0x107341ed8 JSC::JSObject::hasInstance(JSC::JSGlobalObject*, JSC::JSValue)
13 0x1070a3ec4 JSC::hasInstanceBoundFunction(JSC::JSGlobalObject*, JSC::CallFrame*)
14 0x11d8041b4
15 0x103b6a250 llint_entry
16 0x103b45168 vmEntryToJavaScript
17 0x10623d6b8 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
18 0x10623ae00 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
19 0x106dbc4cc JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
20 0x1008b8704 runWithOptions(GlobalObject*, CommandLine&, bool&)
21 0x10081570c jscmain(int, char**)::$_8::operator()(JSC::VM&, GlobalObject*, bool&) const
22 0x10079c484 int runJSC<jscmain(int, char**)::$_8>(CommandLine const&, bool, jscmain(int, char**)::$_8 const&)
23 0x10079671c jscmain(int, char**)
24 0x100795ec0 main
25 0x189dc1450 start
Attachments
Testcase (154 bytes, application/x-javascript), 2021-07-19 01:41 PDT, Frédéric Wang (:fredw), no flags
Patch (3.54 KB, patch), 2021-07-20 03:42 PDT, Yusuke Suzuki, no flags
Radar WebKit Bug Importer
Comment 1
2021-07-19 01:33:18 PDT
<rdar://problem/80762879>
Frédéric Wang (:fredw)
Comment 2
2021-07-19 01:41:09 PDT
Created attachment 433776 [details]
Testcase

Sorry, I forgot to attach the testcase.
Frédéric Wang (:fredw)
Comment 3
2021-07-19 02:24:33 PDT
This is happening when JSC appends a source error. The invalidParameterInstanceofSourceAppender function expects the sourceText to contain the string "instanceof", which is not the case here:

222 RELEASE_ASSERT(instanceofIndex != notFound);
(rr) p content.utf8().data()
$1 = 0x607000005510 "[Symbol.hasInstance] is not a function, undefined, or null"
(rr) p originalMessage.utf8().data()
$2 = 0x608000004d30 "function [Symbol.hasInstance] is not a function, undefined, or null"
(rr) p sourceText.utf8().data()
$3 = 0x606000007c50 "Function.prototype[Symbol.hasInstance].call(b)"

It does not seem a security issue.
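Added example, not from the bug's attached testcase (which is not reproduced on this page) and not WebKit code. It shows the mechanism comment 3 describes: the "[Symbol.hasInstance] is not a function, undefined, or null" TypeError can be reached from an ordinary `instanceof` expression, where the source text contains the keyword the error decorator looks for, and equally from a direct `Function.prototype[Symbol.hasInstance].call(b)` on a bound function, where no `instanceof` keyword exists in the source. The target name, the bound function `b`, the non-callable value `42` and the helper names are constructed for this example. Any spec-conforming engine (node is fine) should throw a TypeError on both paths; only the JSC assertion in the source-text decorator was specific to the second.

```javascript
// A target function whose @@hasInstance is neither callable, undefined nor null.
// defineProperty is required: plain assignment is refused because the inherited
// Function.prototype[Symbol.hasInstance] is non-writable. (Constructed fixture.)
function makeTargetWithBadHasInstance() {
  function target() {}
  Object.defineProperty(target, Symbol.hasInstance, { value: 42 });
  return target;
}

// Run `thunk` and classify the outcome (hypothetical helper name).
function classify(thunk) {
  try {
    thunk();
    return 'no-throw';
  } catch (e) {
    if (e instanceof TypeError) return 'TypeError';
    return 'other:' + (e && e.constructor ? e.constructor.name : String(e));
  }
}

// Path 1: the `instanceof` keyword. InstanceofOperator(V, b) finds the inherited
// Function.prototype[@@hasInstance] on the bound function, which runs
// OrdinaryHasInstance(b, V); since b is bound, that recurses into
// InstanceofOperator(V, target) and trips over target[@@hasInstance] === 42.
function viaInstanceofKeyword() {
  const b = makeTargetWithBadHasInstance().bind(null);
  return classify(() => ({}) instanceof b);
}

// Path 2: calling Function.prototype[Symbol.hasInstance] directly with the bound
// function as `this`. Same OrdinaryHasInstance -> bound-target unwrap -> lookup of
// the bad @@hasInstance, but the calling source text has no "instanceof" in it.
function viaDirectCall() {
  const b = makeTargetWithBadHasInstance().bind(null);
  return classify(() => Function.prototype[Symbol.hasInstance].call(b, {}));
}

// Control: with an untouched target, the direct call agrees with `instanceof`.
function sanePaths() {
  function target() {}
  const b = target.bind(null);
  const inst = new target();
  return [
    inst instanceof b,                                       // true
    Function.prototype[Symbol.hasInstance].call(b, inst),    // true
    Function.prototype[Symbol.hasInstance].call(b, {}),      // false
  ];
}

console.log(viaInstanceofKeyword(), viaDirectCall(), sanePaths());
```

The practical point for anyone writing error decorators of this kind: the JS-visible protocol (`@@hasInstance`) is reachable without the syntax it is normally associated with, so message-building code must tolerate the keyword being absent from the source span rather than asserting on it.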
Yusuke Suzuki
Comment 4
2021-07-20 03:30:32 PDT
Will look
Yusuke Suzuki
Comment 5
2021-07-20 03:33:06 PDT
Since this is release-assert, it is not a security issue.
Yusuke Suzuki
Comment 6
2021-07-20 03:42:15 PDT
Created attachment 433866 [details]
Patch
Frédéric Wang (:fredw)
Comment 7
2021-07-20 04:19:07 PDT
Comment on attachment 433866 [details]
Patch

Thanks. I'm going to r+ this since I suspect many reviewers are on holidays and this change seems uncontroversial.
Yusuke Suzuki
Comment 8
2021-07-20 11:47:40 PDT
Comment on attachment 433866 [details]
Patch

Thanks!
EWS
Comment 9
2021-07-20 12:36:04 PDT
Committed r280097 (239814@main): <https://commits.webkit.org/239814@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433866 [details].