Bug 228552 - [JSC] LLIntCallee should have two replacements
Summary: [JSC] LLIntCallee should have two replacements
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebAssembly
Version: Safari 14
Hardware: All All
Importance: P2 Major
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-07-28 08:22 PDT by Daniel Biró
Modified: 2021-11-01 18:15 PDT

See Also:


Attachments
SIGSEGV from WASM crash report (149.94 KB, text/plain) - 2021-07-28 08:22 PDT, Daniel Biró
Patch (11.46 KB, patch) - 2021-11-01 16:43 PDT, Yusuke Suzuki
Patch (11.49 KB, patch) - 2021-11-01 16:44 PDT, Yusuke Suzuki

Description Daniel Biró 2021-07-28 08:22:38 PDT
Created attachment 434428 [details]
SIGSEGV from WASM crash report

It looks like the following page, which calculates different hash functions with the 'hash-wasm' library, triggers a SIGSEGV in Safari 14.1.
https://3w4be.csb.app/
Source code: https://codesandbox.io/s/3w4be

Just continually updating/replacing a short string should trigger the crash.

I don't have a Mac to investigate it further, but I've got a crash report here: https://github.com/Daninet/hash-wasm/issues/28
I've attached it to this bug report as well.

From the crash log, it looks concerning security-wise to me.

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [19473]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00007fff3742a590 JSC::Wasm::operationWasmTriggerOSREntryNow(JSC::Probe::Context&) + 144
1   com.apple.JavaScriptCore      	0x00007fff3691ede8 JSC::Probe::executeProbe(JSC::Probe::State*) + 120
2   com.apple.JavaScriptCore      	0x00007fff3691e742 ctiMasmProbeTrampoline + 338
3   ???                           	0x000025cd1fff349c 0 + 41562935342236
4   ???                           	0x000025cd1e929c78 0 + 41562911448184
5   com.apple.JavaScriptCore      	0x00007fff3686d156 vmEntryToJavaScript + 216
6   com.apple.JavaScriptCore      	0x00007fff37460cc5 JSC::callWebAssemblyFunction(JSC::JSGlobalObject*, JSC::CallFrame*) + 1189
...
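The crash excerpt above is the kind of artifact a triage engineer reads first. As an added example (not part of the bug report or of WebKit), the script below parses the quoted macOS crash-report fragment, pulls out the termination signal and the frames of the crashing thread, and flags the pattern visible here: a fault inside the engine's native runtime reached from unsymbolised (`???`) JIT-generated frames, which is the usual reason to route a WebAssembly crash through a security triage rather than treat it as an ordinary bug. The embedded `CRASH_REPORT` text is copied from the report above; the frame-line format is assumed to match Apple's crash reports as shown there.

```javascript
// Added example: parse the crash-report excerpt quoted in the bug and
// summarise the crashing thread for triage. Input text copied from the report.
const CRASH_REPORT = `Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [19473]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      0x00007fff3742a590 JSC::Wasm::operationWasmTriggerOSREntryNow(JSC::Probe::Context&) + 144
1   com.apple.JavaScriptCore      0x00007fff3691ede8 JSC::Probe::executeProbe(JSC::Probe::State*) + 120
2   com.apple.JavaScriptCore      0x00007fff3691e742 ctiMasmProbeTrampoline + 338
3   ???                           0x000025cd1fff349c 0 + 41562935342236
4   ???                           0x000025cd1e929c78 0 + 41562911448184
5   com.apple.JavaScriptCore      0x00007fff3686d156 vmEntryToJavaScript + 216
6   com.apple.JavaScriptCore      0x00007fff37460cc5 JSC::callWebAssemblyFunction(JSC::JSGlobalObject*, JSC::CallFrame*) + 1189
`;

// One stack frame: "<index> <image> <address> <symbol> + <offset>".
// Frames whose image is "???" are unsymbolised, i.e. JIT-emitted code.
const FRAME_RE = /^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s*\+\s*(\d+)$/;

function parseCrashReport(text) {
  const report = { signal: null, reason: null, crashedThread: null, frames: [] };
  let inCrashedThread = false;
  for (const line of text.split('\n')) {
    let m;
    if ((m = /^Termination Signal:\s+(.+)$/.exec(line))) { report.signal = m[1].trim(); continue; }
    if ((m = /^Termination Reason:\s+(.+)$/.exec(line))) { report.reason = m[1].trim(); continue; }
    if ((m = /^Thread (\d+) Crashed::/.exec(line))) {
      report.crashedThread = Number(m[1]);
      inCrashedThread = true;
      continue;
    }
    if (!inCrashedThread) continue;
    if (line.trim() === '') {              // blank line ends the thread's frame list
      if (report.frames.length) inCrashedThread = false;
      continue;
    }
    if ((m = FRAME_RE.exec(line))) {
      report.frames.push({
        index: Number(m[1]), image: m[2], address: m[3],
        symbol: m[4], offset: Number(m[5]),
      });
    }
  }
  return report;
}

// Triage summary: where the fault is, and whether JIT code is on the stack
// beneath a native runtime frame (a memory-safety signal for a JS/Wasm engine).
function summariseCrash(report) {
  const top = report.frames[0];
  const jitFrames = report.frames.filter((f) => f.image === '???');
  return {
    signal: report.signal,
    crashedThread: report.crashedThread,
    topImage: top ? top.image : null,
    topSymbol: top ? top.symbol : null,
    wasmInvolved: report.frames.some((f) => f.symbol.includes('Wasm')),
    jitFrameCount: jitFrames.length,
    nativeFaultCalledFromJit: top !== undefined && top.image !== '???' && jitFrames.length > 0,
  };
}

const summary = summariseCrash(parseCrashReport(CRASH_REPORT));
console.log(JSON.stringify(summary, null, 2));
```

The `nativeFaultCalledFromJit` flag is the point: a segfault in `operationWasmTriggerOSREntryNow` with JIT frames below it means a runtime invariant about the executing callee was violated, which fits the fix title ("LLIntCallee should have two replacements") rather than a plain script error.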
Comment 1 Radar WebKit Bug Importer 2021-07-28 08:22:49 PDT
<rdar://problem/81217357>
Comment 2 Daniel Biró 2021-07-28 09:46:06 PDT
I managed to reproduce it in GNOME Web 40.1 - WebKitGTK 2.32.1

<script src="https://cdn.jsdelivr.net/npm/hash-wasm@4.9.0/dist/argon2.umd.min.js"></script>
<script>
const run = async (i) => {
	console.log(await hashwasm.argon2id({
		password: 'abc' + i,
		salt: '12345678',
		parallelism: 1,
		memorySize: 128,
		iterations: 4,
		hashLength: 16,
		outputType: 'encoded'
	}));
};

for (let i = 0; i < 30; i++) {
	run(i);
}

</script>
Comment 3 Yusuke Suzuki 2021-11-01 16:43:54 PDT
Created attachment 443035 [details]
Patch
Comment 4 Yusuke Suzuki 2021-11-01 16:44:36 PDT
Created attachment 443036 [details]
Patch
Comment 5 Saam Barati 2021-11-01 16:51:15 PDT
Comment on attachment 443036 [details]
Patch

r=me
Comment 6 EWS 2021-11-01 18:14:57 PDT
Committed r285149 (243786@main): <https://commits.webkit.org/243786@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 443036 [details].