RESOLVED FIXED 228552
[JSC] LLIntCallee should have two replacements
https://bugs.webkit.org/show_bug.cgi?id=228552
Daniel Biró
Reported 2021-07-28 08:22:38 PDT
Created attachment 434428 [details]
SIGSEGV from WASM crash report

It looks like the following page, which calculates different hash functions with the 'hash-wasm' library, triggers a SIGSEGV in Safari 14.1.

https://3w4be.csb.app/

Source code: https://codesandbox.io/s/3w4be

Just continually updating/replacing a short string should trigger the crash.

I don't have a Mac to investigate it further, but I've got a crash report here: https://github.com/Daninet/hash-wasm/issues/28

I've attached it to this bug report as well. From the crash log, it is concerning security-wise for me.

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [19473]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore    0x00007fff3742a590 JSC::Wasm::operationWasmTriggerOSREntryNow(JSC::Probe::Context&) + 144
1   com.apple.JavaScriptCore    0x00007fff3691ede8 JSC::Probe::executeProbe(JSC::Probe::State*) + 120
2   com.apple.JavaScriptCore    0x00007fff3691e742 ctiMasmProbeTrampoline + 338
3   ???                         0x000025cd1fff349c 0 + 41562935342236
4   ???                         0x000025cd1e929c78 0 + 41562911448184
5   com.apple.JavaScriptCore    0x00007fff3686d156 vmEntryToJavaScript + 216
6   com.apple.JavaScriptCore    0x00007fff37460cc5 JSC::callWebAssemblyFunction(JSC::JSGlobalObject*, JSC::CallFrame*) + 1189
...
Attachments
SIGSEGV from WASM crash report (149.94 KB, text/plain)
2021-07-28 08:22 PDT, Daniel Biró
no flags
Patch (11.46 KB, patch)
2021-11-01 16:43 PDT, Yusuke Suzuki
no flags
Patch (11.49 KB, patch)
2021-11-01 16:44 PDT, Yusuke Suzuki
no flags
Radar WebKit Bug Importer
Comment 1 2021-07-28 08:22:49 PDT
Daniel Biró
Comment 2 2021-07-28 09:46:06 PDT
I managed to reproduce it in GNOME Web 40.1 - WebKitGTK 2.32.1

<script src="https://cdn.jsdelivr.net/npm/hash-wasm@4.9.0/dist/argon2.umd.min.js"></script>
<script>
  const run = async (i) => {
    console.log(await hashwasm.argon2id({
      password: 'abc' + i,
      salt: '12345678',
      parallelism: 1,
      memorySize: 128,
      iterations: 4,
      hashLength: 16,
      outputType: 'encoded'
    }));
  };

  for (let i = 0; i < 30; i++) {
    run(i);
  }
</script>
Yusuke Suzuki
Comment 3 2021-11-01 16:43:54 PDT
Yusuke Suzuki
Comment 4 2021-11-01 16:44:36 PDT
Saam Barati
Comment 5 2021-11-01 16:51:15 PDT
Comment on attachment 443036 [details] Patch r=me
EWS
Comment 6 2021-11-01 18:14:57 PDT
Committed r285149 (243786@main): <https://commits.webkit.org/243786@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 443036 [details].