RESOLVED FIXED 242599
[AArch32][Aarch64] ASSERTION FAILED variant.intrinsic() == NoIntrinsic in void JSC::DFG::ByteCodeParser::handleGetById 
https://bugs.webkit.org/show_bug.cgi?id=242599
Summary [AArch32][Aarch64] ASSERTION FAILED variant.intrinsic() == NoIntrinsic in voi...
Mikhail R. Gadelha
Reported 2022-07-11 12:26:59 PDT
Created attachment 460795 [details] Testcase Found by Igalia Fuzzing Campaign. The attached test case fails with the following message: ASSERTION FAILED: variant.intrinsic() == NoIntrinsic WebKit//Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp(4788) : void JSC::DFG::ByteCodeParser::handleGetById(JSC::VirtualRegister, JSC::SpeculatedType, JSC::DFG::Node*, JSC::CacheableIdentifier, unsigned int, JSC::GetByStatus, JSC::AccessType, JSC::BytecodeIndex)
Attachments
Testcase (134 bytes, text/javascript)
2022-07-11 12:26 PDT, Mikhail R. Gadelha 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-07-11 12:27:11 PDT
<rdar://problem/96836847>
Yusuke Suzuki
Comment 2 2022-07-12 13:30:22 PDT
This is stale assertion. Let's drop it.
Yusuke Suzuki
Comment 3 2022-07-12 13:32:04 PDT
Previously all intrinsic getters are handled. So at this point, it should be NoIntrinsic. But 4GB wasm array work added a case which can fail. But then, we should just continue using this generic path, invoking a getter. Thus, this assertion is stale. Let's just remove it. And marking it non-security since the solution is just removing this assertion and this is debug assertion.
Yusuke Suzuki
Comment 4 2022-07-12 13:49:23 PDT
Pull request: https://github.com/WebKit/WebKit/pull/2333
EWS
Comment 5 2022-07-12 14:43:17 PDT
Committed 252391@main (1f3e8b70b999): <https://commits.webkit.org/252391@main> Reviewed commits have been landed. Closing PR #2333 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.