Bug 244274 - Debug assertion Failure on MacOS 12.5
Summary: Debug assertion Failure on MacOS 12.5
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Mac (Apple Silicon) macOS 12
: P4 Blocker
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-08-23 14:42 PDT by bigsean123
Modified: 2022-09-22 07:30 PDT

See Also:


Attachments

Description bigsean123 2022-08-23 14:42:17 PDT
I have multiple crash samples, found through fuzzing, that are deterministic on macOS 12.5. Though, granted, for some reason I can't seem to retrigger it on my own, even when passing different options to jsc. My WebKit commit hash is 6cc919dc34cf1cd0c91c46be20c402fed66c3b6b.

This was built with  ./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3'".
Again, I have four builds for this commit: debug with coverage and the slow-compilation flag, and the same for release. I also have both debug and release builds with coverage but normal compilation, like so: ./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard'". None of these seem to retrigger it.

// Fuzzer harness stub: part of the generated preamble, never called anywhere
// in this listing, and returns nothing.
function placeholder() {
  return undefined;
}
// Fuzzer-generated reproducer. The placeholder/main/noDFG/noFTL preamble and
// the --reprl flag listed in comment 2 look like Fuzzilli's jsc harness. The
// statement order and the odd constructs are what exercise the engine, so the
// code is left untouched and only annotated. Most helpers below are never
// invoked; the only path that reaches the reported stack is
// main -> v134 -> Number.prototype.toLocaleString (see v134).
function main() {
const v0 = Int8Array;
let v3 = 0;
// Runs exactly once: v5 = 1 / 0 = Infinity, then v3 becomes 1.
while (v3 < 1) {
    const v5 = 1 / v3;
    const v6 = v3++;
}
// v7: stored as v262.m further down but never called in this listing. The
// generator v9 sits after the early return and is unreachable.
function v7(v8) {
    return v8;
    function* v9(v10,v11,v12) {
        const v13 = /cm\w\w\W/gmu;
        const v15 = [];
        const v16 = v13.test;
        const v17 = Reflect.apply(v16,v13,v15);
        yield* v8;
        return v11;
    }
}
// v18: not referenced anywhere in this listing.
function v18(v19) {
    [] = `dotAll${true}object`;
    v19[v3] &= v19;
    const v20 = [1];
    const v22 = [1.0];
    for (let v26 = 0; v26 < 100; v26++) {
        function v27(v28,v29,v30,v31) {
            for (let v35 = 0; v35 < 7; v35++) {
                v28[7] = v35;
            }
        }
        const v37 = new Float64Array();
        const v38 = v27(v37);
        const v39 = v27(v22);
    }
}
// v40: stored as v214.m and used as a property key inside v104; never called.
function v40() {
    const v42 = [Object];
    for (const v43 of v42) {
        let v44 = 2.220446049250313e-16;
        v44 %= v44;
        const v45 = [v44];
        v45.toString = -1073741824n;
    }
}
// v47: not referenced anywhere in this listing.
function v47(v48,v49,v50) {
    function v52(v53,v54) {
        v53 %= v53;
    }
    for (let v58 = 0; v58 < 1000; v58++) {
        const v59 = v52(1);
    }
}
// v60: not referenced anywhere in this listing.
function v60() {
    `dotAll${true}object`[5] = `dotAll${true}object`;
    function v61(v62,v63,v64,v65) {
        const v67 = Array();
        const v68 = v67.length;
        const v69 = /[^R]/gi;
        const v72 = "symbol"["replace"](v69,"symbol");
    }
    const v73 = v61();
}
// v74: not referenced anywhere in this listing.
function v74(v75,v76,v77) {
    const v80 = new Uint32Array(1470);
    const v82 = v80["subarray"](...v80,1470,..."subarray",..."subarray");
    function v83(v84,v85,v86,v87) {
        function v88(v89,v90,v91,v92) {
            const v93 = {};
            const v94 = v93 >>> v84;
        }
    }
    const v95 = v83();
}
// v96: not referenced anywhere in this listing (calling v102, a plain object,
// would throw a TypeError if it ever ran).
function v96() {
    const v98 = delete (3173463710n)[0];
    const v99 = 3173463710n;
    const v100 = /\S*/s;
    const v101 = -288722.5203760335;
    const v102 = {};
    const v103 = v102();
}
// v104: stored as a property value (v215.m, v262.c); never called.
function v104(v105,v106,v107) {
    const v108 = v105[v40];
    const v111 = new Float64Array(55787);
    let v112 = 0;
    const v113 = v112++;
}
// v114: not referenced anywhere in this listing.
function v114(v115) {
    for (let v119 = 0; v119 < 1000; v119++) {
    }
    const v120 = [];
    const v122 = v120["splice"]();
    const v123 = "splice".localeCompare;
}
// v124: not referenced anywhere in this listing. fiatInt52 is a jsc shell
// helper; only its binding is read here.
function v124(v125,v126) {
    const v127 = fiatInt52;
    const v129 = new Uint16Array();
    const v130 = {};
    const v132 = new Proxy(v129,v130);
    const v133 = {"set":v132};
}
// v134: the only helper that actually runs. It is called from the loop below
// and again after it; its first three parameters are never used, v138 is
// only read inside the eval'd string.
function v134(v135,v136,v137,v138) {
    const v139 = /cm\w\w\W/gmu;
    function v140(v141,v142,v143,v144) {
        const v146 = [];
        const v147 = v139.test;
        const v148 = Reflect.apply(v147,v139,v146);
    }
    // 1000 calls of RegExp.prototype.test with no argument.
    for (let v152 = 0; v152 < 1000; v152++) {
        const v153 = v140();
    }
    const v156 = new Int8Array(3458);
    // Async and sloppy-mode: `this` is the global object when `every` calls it,
    // and `openFile` is not defined there (comment 4 relies on the same call
    // throwing), so each call yields a rejected promise rather than a
    // synchronous throw.
    async function v157(v158,v159,v160) {
        const v162 = {};
        const v164 = new Proxy(this,v162);
        const v166 = v164["openFile"](v162);
    }
    // A promise is truthy, so `every` visits all 3458 elements and returns true.
    const v168 = v156["every"](v157);
    // This is the call in the reported stack: numberProtoFuncToLocaleString ->
    // IntlNumberFormat::initializeNumberFormat -> resolveLocale ->
    // numberingSystemsForLocale. The ASSERT(U_SUCCESS(status)) sits inside a
    // std::call_once, so the first toLocaleString in the process trips it.
    // In release builds the same ICU failure surfaces as
    // "TypeError: Failed to format a number" (comment 4). The lldb backtrace in
    // comment 5 shows frame #1 as WTFCrashWithInfo, so the testCustomSetterImpl
    // frame in the stderr traces is a mis-symbolized address, not evidence that
    // the setter ran; the SEGV at 0xbbadbeef is WTFCrash's deliberate fault.
    const v171 = (0)["toLocaleString"]();
    // `with` is only valid because main is sloppy mode.
    with (Infinity) {
        const v173 = arguments;
    }
    const v175 = [7];
    const v176 = `
        const v177 = v171[1000];
        const v178 = "every"[v138];
    `;
    // Direct eval of a fuzzer-built string; it sees the locals v171 and v138.
    const v180 = eval(v176);
}
// v182: called once from the top level of main. The for-in over a number
// literal has no iterations; `let [] = v203` obtains the empty generator's
// iterator and closes it without iterating.
function v182(v183,v184,v185,v186) {
    const v190 = {};
    const v191 = v184.E;
    const v192 = -1000000000000.0;
    for (const v193 in 562236.7482379009) {
        try {
            const v194 = {"E":v190,"__proto__":9007199254740993,"c":v193,"constructor":Number,...v185,...v184};
            const v195 = Int8Array;
        } catch(v196) {
        } finally {
        }
    }
    for (const v197 of `NJPzicXYys${v183}OgDIuRLpAI${v184}boolean${v184}10000${v185}2`) {
    }
    function* v198(v199,v200,v201,v202) {
    }
    const v203 = v198();
    let [] = v203;
}
const v206 = Array();
const v207 = v182(false,v206);
// Each iteration builds a fresh holder object and calls v134. When the bug
// reproduces, the first call is where the debug build asserts, so the later
// iterations and everything after this loop are never reached.
for (let v211 = 0; v211 < 1000; v211++) {
    const v214 = new Object();
    v214.m = v40;
    v214.n = v182;
    const v215 = {"m":v104,"p":Object};
    v214.e = v215;
    v214.c = v215;
    const v216 = v134(68149305n,v214,v206,68149305n);
}
// v217: stored as v261.p; never called. The function declarations inside the
// switch cases and the duplicate case labels are only legal in sloppy mode.
function v217(v218,v219,v220,v221,v222,v223,v224,v225,v226) {
    for (const v227 in v221) {
        const v229 = [];
        Object[v229] = Int8Array;
        const v232 = [Object,v223];
        const v233 = v229.at;
        const v234 = Reflect.apply(v233,v219,v232);
        switch (Int8Array) {
        case v225:
            const v235 = this;
            const v236 = {};
            const v238 = new Proxy();
            break;
        case v227:
            const v239 = 0;
            const v240 = 1000;
            const v241 = 1;
            const v242 = Object(v218,v222,v217,v223,v220);
            break;
        case v227:
            function v243(v244) {
            }
            const v245 = v243();
        default:
            const v246 = {"d":v217,"length":v217,"toString":v229,"valueOf":v220,...v233,...v223,...v220,...v229,...v227};
            break;
        case v223:
            function v247(v248,v249,v250,v251) {
                'use strict';
                return v217;
            }
        case v220:
            function v252(v253) {
            }
            function v254(v255,v256) {
                v252 = v255;
            }
            break;
        case Object:
            break;
        case Object:
        }
    }
    const v258 = new Array();
    const v259 = v258[0];
}
// Object graph handed to v134 as its (unused) second argument.
const v261 = {"m":Array,"p":v217};
const v262 = {"c":v104,"e":v261,"m":v7,"n":v182};
const v263 = v134(268435456n,v262,v206,268435456n);
for (let v267 = 0; v267 < 1000; v267++) {
    const v268 = v134(268435456n,v262,v206,268435456n);
}
let v269 = 0;
do {
    const v272 = Math;
    const v273 = v269++;
} while (v269 < 2);
const v274 = v134(268435456n,v262,v206,268435456n);
// gc() is a jsc shell helper.
gc();
}
// jsc shell harness: noDFG/noFTL disable DFG and FTL compilation of main so
// the reproducer only runs in the lower tiers; then main runs once.
(() => {
  noDFG(main);
  noFTL(main);
})();
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// ASSERTION FAILED: U_SUCCESS(status)
// /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/runtime/IntlObject.cpp(1035) : auto JSC::numberingSystemsForLocale(const WTF::String &)::(anonymous class)::operator()() const
// 1   0x1046a17d0 WTFCrash
// 2   0x102576210 GlobalObject::testCustomSetterImpl(JSC::JSGlobalObject*, GlobalObject*, long long, WTF::ASCIILiteral)
// 3   0x103df1e34 void std::__1::__call_once_proxy<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >(void*)
// 4   0x1a04ad958 std::__1::__call_once(unsigned long volatile&, void*, void (*)(void*))
// 5   0x103dd8fc0 JSC::numberingSystemsForLocale(WTF::String const&)
// 6   0x103dd6ccc JSC::resolveLocale(JSC::JSGlobalObject*, WTF::HashSet<WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::MemoryCompactLookupOnlyRobinHoodHashTableTraits> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, JSC::LocaleMatcher, std::__1::array<std::__1::optional<WTF::String>, 6ul> const&, std::initializer_list<JSC::RelevantExtensionKey>, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> (*)(WTF::String const&, JSC::RelevantExtensionKey))
// 7   0x103d9e834 JSC::IntlNumberFormat::initializeNumberFormat(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)
// 8   0x1040a5dc8 JSC::numberProtoFuncToLocaleString(JSC::JSGlobalObject*, JSC::CallFrame*)
// 9   0x11109003c
// 10  0x1110e45dc
// 11  0x10467df14 llint_entry
// 12  0x10467df14 llint_entry
// 13  0x104658630 vmEntryToJavaScript
// 14  0x10386d50c JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
// 15  0x103cb6870 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
// 16  0x10257a450 jscmain(int, char**)
// 17  0x102578df8 main
// 18  0x10666908c
Comment 1 Radar WebKit Bug Importer 2022-08-23 14:42:28 PDT
<rdar://problem/99051991>
Comment 2 bigsean123 2022-08-23 14:45:40 PDT
Also, these are the flags passed to the debug jsc built with the -O3 flag:

"--validateOptions=true",
                       "--thresholdForJITSoon=10",
                       "--thresholdForJITAfterWarmUp=10",
                       "--thresholdForOptimizeAfterWarmUp=100",
                       "--thresholdForOptimizeAfterLongWarmUp=100",
                       "--thresholdForOptimizeSoon=100",
                       "--thresholdForFTLOptimizeAfterWarmUp=1000",
                       "--thresholdForFTLOptimizeSoon=1000",
                       // Enable bounds check elimination validation
                       "--validateBCE=true",
                       "--useConcurrentJIT=false",
                       "--reprl""
Comment 3 bigsean123 2022-08-30 17:32:46 PDT
Correct me if I'm wrong, whoever is seeing this: for some reason it's showing up as an assertion failure, but if that's the case, why is the last call before WTFCrash to testCustomAccessorSetter? That function contains `GlobalObject* thisObject = jsDynamicCast<GlobalObject*>(jsCast<JSProxy*>(thisCell)->target());`, which is the only thing in it I can think of that could even remotely be an issue, given the jsCast to a JSProxy pointer. If so, would it be because target is being confused here, or is it an actual debug assertion failure, as it states?
Comment 4 bigsean123 2022-09-20 07:13:35 PDT
I have another weird outcome to report.
Trying this on any release build results in the following:

"bootywarrior@Bootys-MacBook-Air ~ % /Users/bootywarrior/Downloads/Webkit/latest/WebKit/FuzzBuildO3/Release/bin/jsc /Users/bootywarrior/Desktop/0917debugfuzz/crashes/program_20220920082729_30A75B86-C775-4585-9210-FF81580329D1_deterministic.js
[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 830943 edges
Exception: TypeError: Failed to format a number.
toLocaleString@[native code]"

That is, it results in a TypeError.

But on debug build this happens:

"bootywarrior@Bootys-MacBook-Air ~ % /Users/bootywarrior/Downloads/Webkit/latest/WebKit/FuzzBuildO3/Debug/bin/jsc /Users/bootywarrior/Desktop/0917debugfuzz/crashes/program_20220920082729_30A75B86-C775-4585-9210-FF81580329D1_deterministic.js 
[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 953722 edges
ASSERTION FAILED: U_SUCCESS(status)
/Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/runtime/IntlObject.cpp(1035) : auto JSC::numberingSystemsForLocale(const WTF::String &)::(anonymous class)::operator()() const
1   0x106e21714 WTFCrash
2   0x104cf6160 GlobalObject::testCustomSetterImpl(JSC::JSGlobalObject*, GlobalObject*, long long, WTF::ASCIILiteral)
3   0x1065ba7d4 void std::__1::__call_once_proxy<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >(void*)
4   0x191dfd958 std::__1::__call_once(unsigned long volatile&, void*, void (*)(void*))
5   0x1065a1960 JSC::numberingSystemsForLocale(WTF::String const&)
6   0x10659f66c JSC::resolveLocale(JSC::JSGlobalObject*, WTF::HashSet<WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::MemoryCompactLookupOnlyRobinHoodHashTableTraits> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, JSC::LocaleMatcher, std::__1::array<std::__1::optional<WTF::String>, 6ul> const&, std::initializer_list<JSC::RelevantExtensionKey>, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> (*)(WTF::String const&, JSC::RelevantExtensionKey))
7   0x1065671d4 JSC::IntlNumberFormat::initializeNumberFormat(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)
8   0x10686e768 JSC::numberProtoFuncToLocaleString(JSC::JSGlobalObject*, JSC::CallFrame*)
9   0x14000803c
10  0x140043bdc
11  0x140040c64
12  0x104d773e8 llint_entry
13  0x104d51b04 vmEntryToJavaScript
14  0x106035eac JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
15  0x10647f210 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
16  0x104cfa3a0 jscmain(int, char**)
17  0x104cf8d48 main
18  0x108e0908c
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==70940==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x000106e2171c bp 0x000106e21714 sp 0x00016b10e3e0 T23241124)
==70940==The signal is caused by a UNKNOWN memory access.
==70940==WARNING: failed to spawn external symbolizer (errno: 9)
==70940==WARNING: failed to spawn external symbolizer (errno: 9)
==70940==WARNING: failed to spawn external symbolizer (errno: 9)
==70940==WARNING: failed to spawn external symbolizer (errno: 9)
==70940==WARNING: failed to spawn external symbolizer (errno: 9)
==70940==WARNING: Failed to use and restart external symbolizer!
    #0 0x106e2171c in WTFCrash+0x14 (/Users/bootywarrior/Downloads/Webkit/latest/WebKit/FuzzBuildO3/Debug/bin/jsc:arm64+0x10213171c)

==70940==Register values:
 x[0] = 0x000000016b10e278   x[1] = 0x0000000000000000   x[2] = 0x00000000000120a8   x[3] = 0x000000016b10dc68  
 x[4] = 0x0000000191de8cf7   x[5] = 0x000000016b10e1c0   x[6] = 0x000000000000000a   x[7] = 0x0000000000000000  
 x[8] = 0x00000000bbadbeef   x[9] = 0x7faa9967c756004e  x[10] = 0x0000000000000001  x[11] = 0x00000000fffffffd  
x[12] = 0x0000010000000000  x[13] = 0x0000000000000000  x[14] = 0x0000000000000000  x[15] = 0x0000000000000000  
x[16] = 0x0000000191e6f454  x[17] = 0x00000001ebfc5968  x[18] = 0x0000000000000000  x[19] = 0x00000001075cfa44  
x[20] = 0x00000001075d52bd  x[21] = 0x000000016b10e580  x[22] = 0x000000016b10e9c0  x[23] = 0x0000000000000000  
x[24] = 0x0000000000000005  x[25] = 0x0000000000000000  x[26] = 0xffffffffffffffe8  x[27] = 0x000000016b10e820  
x[28] = 0x00000001075d1bae     fp = 0x000000016b10e3e0     lr = 0x0000000106e21714     sp = 0x000000016b10e3e0  
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/Users/bootywarrior/Downloads/Webkit/latest/WebKit/FuzzBuildO3/Debug/bin/jsc:arm64+0x10213171c) in WTFCrash+0x14
==70940==ABORTING
zsh: abort      /Users/bootywarrior/Downloads/Webkit/latest/WebKit/FuzzBuildO3/Debug/bin/jsc 
"

Looking at a better POC the fuzzer produced :

"
// Fuzzer harness stub: part of the generated preamble, never called anywhere
// in this listing, and returns nothing.
function placeholder() {
  return undefined;
}
// Reduced fuzzer reproducer (same harness shape as the first listing). The
// code is left untouched and only annotated; the path to the reported stack is
// main -> v19 -> finally block -> Number.prototype.toLocaleString.
function main() {
// v1: called 1000 times with no arguments and 10 times per outer iteration
// below; the switch on v2 only ever compares identities and does nothing.
function v1(v2,v3,v4,v5) {
    function v6(v7,v8) {
    }
    const v9 = {};
    switch (v2) {
    default:
        break;
    case v6:
        break;
    case v9:
    }
}
for (let v13 = 0; v13 < 1000; v13++) {
    const v14 = v1();
}
for (let v18 = 0; v18 < 1000; v18++) {
    // Block-level function declaration (sloppy mode); it is re-created each
    // time the loop body is entered, which is why v19++ below does not break
    // the next iteration.
    function v19(v20) {
        try {
            const v21 = [65537n,1000];
            // v19 is this very function; ++ coerces it to NaN and rebinds v19.
            const v22 = v19++;
            const v23 = v21[128];
            const v24 = arguments;
            let v25 = {};
            // Called as a plain function, so `this` is the global object. The
            // proxy has an empty handler and `openFile` is not defined on the
            // global, so the call throws a TypeError and control jumps to the
            // catch block. Without that throw, the v40 loop below would call
            // v26 one million times per outer iteration (1000 x 1e6 proxy
            // allocations), which is why removing the line appears to hang
            // (comment 4).
            function v26() {
                const v28 = {};
                const v30 = new Proxy(this,v28);
                const v32 = v30["openFile"](); // some reason commenting this out changes bug trigger and execution finish
                
            }
            v25 = v26;
            const v33 = v25();
            const v34 = ++v20;
            const v35 = false;
            const v36 = 2n;
            for (let v40 = 0; v40 < 1000000; v40++) {
                const v41 = v26();
            }
        } catch(v42) {
            function v44(v45,v46) {
                const v49 = Object.is(3.0,16960);
            }
            for (let v53 = 0; v53 < 1000; v53++) {
                const v54 = v44();
            }
        } finally {
            {
                const v55 = 1;
                // This is the call in the reported stack:
                // numberProtoFuncToLocaleString -> IntlNumberFormat ->
                // resolveLocale -> numberingSystemsForLocale, where
                // ASSERT(U_SUCCESS(status)) fires inside a std::call_once on the
                // first toLocaleString of the process. Release builds report the
                // same ICU failure as "TypeError: Failed to format a number"
                // (comment 4); the SEGV at 0xbbadbeef afterwards is WTFCrash's
                // deliberate fault, not a memory-safety bug in this script.
                const v58 = (256)["toLocaleString"]();
                let v59 = [];
                let v62 = 1;
                for (let v63 = 0; v63 < 7; v63 = v63 || v62) {
                    for (let v64 of "toLocaleString") {
                        // Destructuring assignment from the string returned by
                        // toLocaleString; it rebinds v63 via "__proto__" and
                        // "sticky", which is what ends the outer loop.
                        ({"__proto__":v63,"constructor":v64,"length":v59,"multiline":v62,"sticky":v63,} = v58);
                    }
                }
            }
        }
        // forceGCSlowPaths is a jsc shell helper; only its binding is read.
        function v65(v66,v67) {
            try {
                const v68 = forceGCSlowPaths;
            } catch(v69) {
            } finally {
            }
        }
        const v70 = v65();
    }
    const v72 = `-1`.split();
    for (let v76 = 0; v76 < 10; v76++) {
        const v77 = v1(v72,0,0,v19);
    }
    // First (and, when the bug reproduces, only) invocation of v19.
    const v78 = v19(0);
}
}
// jsc shell harness: noDFG/noFTL disable DFG and FTL compilation of main so
// the reproducer only runs in the lower tiers; then main runs once.
(() => {
  noDFG(main);
  noFTL(main);
})();
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// ASSERTION FAILED: U_SUCCESS(status)
// /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/runtime/IntlObject.cpp(1035) : auto JSC::numberingSystemsForLocale(const WTF::String &)::(anonymous class)::operator()() const
// 1   0x106eb1714 WTFCrash
// 2   0x104d86160 GlobalObject::testCustomSetterImpl(JSC::JSGlobalObject*, GlobalObject*, long long, WTF::ASCIILiteral)
// 3   0x10664a7d4 void std::__1::__call_once_proxy<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >(void*)
// 4   0x191dfd958 std::__1::__call_once(unsigned long volatile&, void*, void (*)(void*))
// 5   0x106631960 JSC::numberingSystemsForLocale(WTF::String const&)
// 6   0x10662f66c JSC::resolveLocale(JSC::JSGlobalObject*, WTF::HashSet<WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::MemoryCompactLookupOnlyRobinHoodHashTableTraits> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, JSC::LocaleMatcher, std::__1::array<std::__1::optional<WTF::String>, 6ul> const&, std::initializer_list<JSC::RelevantExtensionKey>, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> (*)(WTF::String const&, JSC::RelevantExtensionKey))
// 7   0x1065f71d4 JSC::IntlNumberFormat::initializeNumberFormat(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)
// 8   0x1068fe768 JSC::numberProtoFuncToLocaleString(JSC::JSGlobalObject*, JSC::CallFrame*)
// 9   0x13000803c
// 10  0x1300592d8
// 11  0x130056368
// 12  0x104e073e8 llint_entry
// 13  0x104de1b04 vmEntryToJavaScript
// 14  0x1060c5eac JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
// 15  0x10650f210 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
// 16  0x104d8a3a0 jscmain(int, char**)
// 17  0x104d88d48 main
// 18  0x108c2108c
"
In function v26, if the openFile line is taken out, the POC never finishes and has to be cancelled with Control-C. With the line there, the result is a crash, but the openFile call isn't where we crash; weirdly, we crash at WTFCrash because something went wrong in JSC::numberingSystemsForLocale, i.e. an assertion failure.

The registers and SEGV are clearly from WTFCrash, since
https://github.com/WebKit/WebKit/blob/23272376caff6f758cfb154dc6721b545e313d71/Source/WTF/wtf/Assertions.cpp#L328

line 328, after the else branch in WTFCrash, does this:
"*(int *)(uintptr_t)0xbbadbeef = 0;", which is a purposely invalid access.

But I can't seem to figure out why this happens, even after stepping through in lldb with a breakpoint on JSC::numberingSystemsForLocale.

It doesn't give me any bright ideas; see the next comment.
Comment 5 bigsean123 2022-09-20 07:16:05 PDT
bootywarrior@Bootys-MacBook-Air ~ % lldb -- /Users/bootywarrior/Downloads/Webkit/latest/WebKit/FuzzBuildO3/Debug/bin/jsc /Users/bootywarrior/Desktop/0917debugfuzz/crashes/program_20220920082729_30A75B86-C775-4585-9210-FF81580329D1_deterministic.js 
(lldb) target create "/Users/bootywarrior/Downloads/Webkit/latest/WebKit/FuzzBuildO3/Debug/bin/jsc"
Current executable set to '/Users/bootywarrior/Downloads/Webkit/latest/WebKit/FuzzBuildO3/Debug/bin/jsc' (arm64).
(lldb) settings set -- target.run-args  "/Users/bootywarrior/Desktop/0917debugfuzz/crashes/program_20220920082729_30A75B86-C775-4585-9210-FF81580329D1_deterministic.js"
(lldb) b JSC::numberingSystemsForLocale
Breakpoint 1: where = jsc`JSC::numberingSystemsForLocale(WTF::String const&) + 44 at IntlObject.cpp:1027, address = 0x00000001018b190c
(lldb) r
Process 81181 launched: '/Users/bootywarrior/Downloads/Webkit/latest/WebKit/FuzzBuildO3/Debug/bin/jsc' (arm64)
[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 953722 edges
jsc was compiled with optimization - stepping may behave oddly; variables may not be available.
Process 81181 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00000001018b190c jsc`JSC::numberingSystemsForLocale(locale=0x000000016fdfe5b8) at IntlObject.cpp:1027 [opt]
   1024	}
   1025	
   1026	Vector<String> numberingSystemsForLocale(const String& locale)
-> 1027	{
   1028	    static LazyNeverDestroyed<Vector<String>> availableNumberingSystems;
   1029	    static std::once_flag initializeOnce;
   1030	    std::call_once(initializeOnce, [&] {
Target 0: (jsc) stopped.
(lldb) next
Process 81181 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x00000001018b1918 jsc`JSC::numberingSystemsForLocale(locale=0x000000016fdfe5b8) at IntlObject.cpp:1030:5 [opt]
   1027	{
   1028	    static LazyNeverDestroyed<Vector<String>> availableNumberingSystems;
   1029	    static std::once_flag initializeOnce;
-> 1030	    std::call_once(initializeOnce, [&] {
   1031	        availableNumberingSystems.construct();
   1032	        ASSERT(availableNumberingSystems->isEmpty());
   1033	        UErrorCode status = U_ZERO_ERROR;
Target 0: (jsc) stopped.
(lldb) step
Process 81181 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step in
    frame #0: 0x00000001018b1918 jsc`JSC::numberingSystemsForLocale(WTF::String const&) [inlined] void std::__1::call_once<JSC::numberingSystemsForLocale(WTF::String const&)::$_16>(__func=0x000000016fdfe4a0)::$_16&&) at mutex:671:9 [opt]
   668 	void
   669 	call_once(once_flag& __flag, _Callable&& __func, _Args&&... __args)
   670 	{
-> 671 	    if (__libcpp_acquire_load(&__flag.__state_) != ~once_flag::_State_type(0))
   672 	    {
   673 	        typedef tuple<_Callable&&, _Args&&...> _Gp;
   674 	        _Gp __f(_VSTD::forward<_Callable>(__func), _VSTD::forward<_Args>(__args)...);
Target 0: (jsc) stopped.
(lldb) next
Process 81181 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x00000001018b192c jsc`JSC::numberingSystemsForLocale(WTF::String const&) at mutex:674:9 [opt]
   671 	    if (__libcpp_acquire_load(&__flag.__state_) != ~once_flag::_State_type(0))
   672 	    {
   673 	        typedef tuple<_Callable&&, _Args&&...> _Gp;
-> 674 	        _Gp __f(_VSTD::forward<_Callable>(__func), _VSTD::forward<_Args>(__args)...);
   675 	        __call_once_param<_Gp> __p(__f);
   676 	        __call_once(__flag.__state_, &__p, &__call_once_proxy<_Gp>);
   677 	    }
Target 0: (jsc) stopped.
(lldb) next
Process 81181 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x00000001018b1944 jsc`JSC::numberingSystemsForLocale(WTF::String const&) at mutex:675:32 [opt]
   672 	    {
   673 	        typedef tuple<_Callable&&, _Args&&...> _Gp;
   674 	        _Gp __f(_VSTD::forward<_Callable>(__func), _VSTD::forward<_Args>(__args)...);
-> 675 	        __call_once_param<_Gp> __p(__f);
   676 	        __call_once(__flag.__state_, &__p, &__call_once_proxy<_Gp>);
   677 	    }
   678 	}
Target 0: (jsc) stopped.
(lldb) next
Process 81181 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x00000001018b1948 jsc`JSC::numberingSystemsForLocale(WTF::String const&) at mutex:676:9 [opt]
   673 	        typedef tuple<_Callable&&, _Args&&...> _Gp;
   674 	        _Gp __f(_VSTD::forward<_Callable>(__func), _VSTD::forward<_Args>(__args)...);
   675 	        __call_once_param<_Gp> __p(__f);
-> 676 	        __call_once(__flag.__state_, &__p, &__call_once_proxy<_Gp>);
   677 	    }
   678 	}
   679 	
Target 0: (jsc) stopped.
(lldb) next
ASSERTION FAILED: U_SUCCESS(status)
/Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/runtime/IntlObject.cpp(1035) : auto JSC::numberingSystemsForLocale(const WTF::String &)::(anonymous class)::operator()() const
1   0x102131714 WTFCrash
2   0x100006160 GlobalObject::testCustomSetterImpl(JSC::JSGlobalObject*, GlobalObject*, long long, WTF::ASCIILiteral)
3   0x1018ca7d4 void std::__1::__call_once_proxy<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >(void*)
4   0x191dfd958 std::__1::__call_once(unsigned long volatile&, void*, void (*)(void*))
5   0x1018b1960 JSC::numberingSystemsForLocale(WTF::String const&)
6   0x1018af66c JSC::resolveLocale(JSC::JSGlobalObject*, WTF::HashSet<WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::MemoryCompactLookupOnlyRobinHoodHashTableTraits> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, JSC::LocaleMatcher, std::__1::array<std::__1::optional<WTF::String>, 6ul> const&, std::initializer_list<JSC::RelevantExtensionKey>, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> (*)(WTF::String const&, JSC::RelevantExtensionKey))
7   0x1018771d4 JSC::IntlNumberFormat::initializeNumberFormat(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)
8   0x101b7e768 JSC::numberProtoFuncToLocaleString(JSC::JSGlobalObject*, JSC::CallFrame*)
9   0x11800803c
10  0x118043bd8
11  0x118040c64
12  0x1000873e8 llint_entry
13  0x100061b04 vmEntryToJavaScript
14  0x101345eac JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
15  0x10178f210 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
16  0x10000a3a0 jscmain(int, char**)
17  0x100008d48 main
18  0x103d7d08c
Process 81181 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x000000010213171c jsc`::WTFCrash() at Assertions.cpp:328:35 [opt]
   325 	#if ASAN_ENABLED
   326 	    __builtin_trap();
   327 	#else
-> 328 	    *(int *)(uintptr_t)0xbbadbeef = 0;
   329 	    // More reliable, but doesn't say BBADBEEF.
   330 	#if COMPILER(GCC_COMPATIBLE)
   331 	    __builtin_trap();
Target 0: (jsc) stopped.
(lldb) next
Process 81181 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x000000010213171c jsc`::WTFCrash() at Assertions.cpp:328:35 [opt]
   325 	#if ASAN_ENABLED
   326 	    __builtin_trap();
   327 	#else
-> 328 	    *(int *)(uintptr_t)0xbbadbeef = 0;
   329 	    // More reliable, but doesn't say BBADBEEF.
   330 	#if COMPILER(GCC_COMPATIBLE)
   331 	    __builtin_trap();
Target 0: (jsc) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: 0x000000010213171c jsc`::WTFCrash() at Assertions.cpp:328:35 [opt]
    frame #1: 0x0000000100006160 jsc`WTFCrashWithInfo((null)=1035, (null)="/Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/runtime/IntlObject.cpp", (null)="auto JSC::numberingSystemsForLocale(const WTF::String &)::(anonymous class)::operator()() const", (null)=2552) at Assertions.h:754:5 [opt]
    frame #2: 0x00000001018ca7d4 jsc`void std::__1::__call_once_proxy<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >(void*) [inlined] JSC::numberingSystemsForLocale(WTF::String const&)::$_16::operator()() const at IntlObject.cpp:1035:9 [opt]
    frame #3: 0x00000001018ca5dc jsc`void std::__1::__call_once_proxy<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >(void*) [inlined] decltype(static_cast<JSC::numberingSystemsForLocale(WTF::String const&)::$_16>(fp)()) std::__1::__invoke<JSC::numberingSystemsForLocale(WTF::String const&)::$_16>(JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&) at type_traits:3918:1 [opt]
    frame #4: 0x00000001018ca5dc jsc`void std::__1::__call_once_proxy<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >(void*) [inlined] void std::__1::__call_once_param<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >::__execute<>(std::__1::__tuple_indices<>) at mutex:630:9 [opt]
    frame #5: 0x00000001018ca5dc jsc`void std::__1::__call_once_proxy<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >(void*) [inlined] std::__1::__call_once_param<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >::operator()() at mutex:622:9 [opt]
    frame #6: 0x00000001018ca5dc jsc`void std::__1::__call_once_proxy<std::__1::tuple<JSC::numberingSystemsForLocale(WTF::String const&)::$_16&&> >(__vp=<unavailable>) at mutex:658:5 [opt]
    frame #7: 0x0000000191dfd958 libc++.1.dylib`std::__1::__call_once(unsigned long volatile&, void*, void (*)(void*)) + 180
    frame #8: 0x00000001018b1960 jsc`JSC::numberingSystemsForLocale(WTF::String const&) at mutex:676:9 [opt]
    frame #9: 0x00000001018b1918 jsc`JSC::numberingSystemsForLocale(locale=0x000000016fdfe5b8) at IntlObject.cpp:1030:5 [opt]
    frame #10: 0x00000001018af66c jsc`JSC::resolveLocale(globalObject=0x00000001390a0a68, availableLocales=<unavailable>, requestedLocales=0x000000016fdfe7b0, localeMatcher=<unavailable>, options=0x000000016fdfe750, relevantExtensionKeys=<unavailable>, localeData=(jsc`JSC::IntlNumberFormat::localeData(WTF::String const&, JSC::RelevantExtensionKey) at IntlNumberFormat.cpp:113))(WTF::String const&, JSC::RelevantExtensionKey)) at IntlObject.cpp:924:40 [opt]
    frame #11: 0x00000001018771d4 jsc`JSC::IntlNumberFormat::initializeNumberFormat(this=0x0000000106048768, globalObject=0x00000001390a0a68, locales=<unavailable>, optionsValue=<unavailable>) at IntlNumberFormat.cpp:318:21 [opt]
    frame #12: 0x0000000101b7e768 jsc`JSC::numberProtoFuncToLocaleString(globalObject=0x00000001390a0a68, callFrame=0x000000016fdfea80) at NumberPrototype.cpp:577:19 [opt]
    frame #13: 0x000000011800803c
    frame #14: 0x0000000118043bd8
    frame #15: 0x0000000118040c64
(lldb)
Comment 6 Yusuke Suzuki 2022-09-20 22:13:41 PDT
I tried it

1. 6cc919dc34cf1cd0c91c46be20c402fed66c3b6b hash
2. ./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3'"
3. macOS 12.5

And the process crashes immediately, since UBSan isn't supported in WebKit: UBSan does not work well with Darwin's JIT mappings.
I also tried reproducing this with `make debug` built JSC, and the issue didn't reproduce.

From your log, the crash point is ASSERT(U_SUCCESS(status)), which means ICU failed to initialize.
And it is very unlikely for this function to fail unless:

1. ICU is messed up.
2. binary is built with wrong ICU and JSC is using different ICU
3. the process is opening a massive number of files
4. the process is being sandboxed too strictly

Please double-check that the binary is built with and correctly linked to the right ICU, and is launched with the right ICU.
Comment 7 bigsean123 2022-09-20 23:33:48 PDT
(In reply to Yusuke Suzuki from comment #6)
> I tried it
> 
> 1. 6cc919dc34cf1cd0c91c46be20c402fed66c3b6b hash
> 2. ./Tools/Scripts/build-jsc --jsc-only --debug
> --cmakeargs="-DENABLE_STATIC_JSC=ON
> -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3'"
> 3. macOS 12.5
> 
> And the process crashes immediately since UBSan isn't supported in WebKit
> since UBSan does not work well with Darwin's JIT mappings.
> I also tried reproducing this with `make debug` built JSC, and the issue
> didn't reproduce.
> 
> From your log, the crashed point is ASSERT(U_SUCCESS(status)), which is
> failing to initialize ICU.
> And it is very unlikely that this function can fail unless
> 
> 1. ICU is messed up.
> 2. binary is built with wrong ICU and JSC is using different ICU
> 3. the process is opening massive amount of files
> 4. the process is getting too strict sandboxing
> 
> Please double-check whether the binary is built and correctly linked to the
> right ICU, and correctly launched with the right ICU.

How does one check these things? Do you want me to run build-jsc and see what it outputs? Or do I just look in some folders and report what I find?
Comment 8 bigsean123 2022-09-21 00:25:52 PDT
(In reply to Yusuke Suzuki from comment #6)
> I tried it
> 
> 1. 6cc919dc34cf1cd0c91c46be20c402fed66c3b6b hash
> 2. ./Tools/Scripts/build-jsc --jsc-only --debug
> --cmakeargs="-DENABLE_STATIC_JSC=ON
> -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3'"
> 3. macOS 12.5
> 
> And the process crashes immediately since UBSan isn't supported in WebKit
> since UBSan does not work well with Darwin's JIT mappings.
> I also tried reproducing this with `make debug` built JSC, and the issue
> didn't reproduce.
> 
> From your log, the crashed point is ASSERT(U_SUCCESS(status)), which is
> failing to initialize ICU.
> And it is very unlikely that this function can fail unless
> 
> 1. ICU is messed up.
> 2. binary is built with wrong ICU and JSC is using different ICU
> 3. the process is opening massive amount of files
> 4. the process is getting too strict sandboxing
> 
> Please double-check whether the binary is built and correctly linked to the
> right ICU, and correctly launched with the right ICU.

Well, there is one thing I had to do to get it to work. Just like you, I had a crash as well, but UBSan is needed for fuzzing. With that being said, to fix the crash, in PlatformUse.h USE_PTHREAD_JIT_PERMISSIONS is manually defined to 1 so macOS stops crashing; after a rebuild it worked just fine. Other than that, I doubt manually defining it to 1 changed anything — if you had the Apple internal SDK, would it be set to 0? *Which I don't think it would.*
Comment 9 Yusuke Suzuki 2022-09-21 01:52:21 PDT
(In reply to bigsean123 from comment #7)
> 
> How does one check these things ? Do you want me to run build-jsc and see
> what it outputs ? Or do I just look In some folders and tell that ?

I don't have a solid idea, but you can probably try looking into what error code is returned from ICU.
And check your build configuration to ensure that the ICU headers, libraries, etc. used by your build are the expected ones.
And yet another guess is that it is simply because the '-fsanitize-coverage=trace-pc-guard -O3' option is broken (it is not supported in WebKit).

> Well their is one thing I had to do to get it to work just like you I had crash as well but UBSan is needed for fuzzying, with that being said to fix the crash In PlatformUse.h USE_PTHREAD_JIT_PERMISSIONS is manually defined to 1 so macOS can stop crashing if then it worked just fine after rebuild, other than that which I doubt defining it to 1 manually changed anything as if it you had apple internal sdk would it be set to 0, *which I don’t think it would?*.

I tested it with the customer-shipping OS and a non-internal SDK.
I flipped USE_PTHREAD_JIT_PERMISSIONS and JSC started working, but the attached JS file does not reproduce the crash. So, it is probably an issue with the installed ICU.
Comment 10 bigsean123 2022-09-21 05:36:39 PDT
(In reply to Yusuke Suzuki from comment #9)
> (In reply to bigsean123 from comment #7)
> > 
> > How does one check these things ? Do you want me to run build-jsc and see
> > what it outputs ? Or do I just look In some folders and tell that ?
> 
> I don't have solid idea, but probably you can try looking into what error
> code is returned from ICU.
> And checking your build configurations to ensure that your build ICU
> headers, libraries, etc. are the expected ones.
> And still another guess is that it is just because
> '-fsanitize-coverage=trace-pc-guard -O3' option is broken (which is not
> supported in WebKit).
> 
> > Well their is one thing I had to do to get it to work just like you I had crash as well but UBSan is needed for fuzzying, with that being said to fix the crash In PlatformUse.h USE_PTHREAD_JIT_PERMISSIONS is manually defined to 1 so macOS can stop crashing if then it worked just fine after rebuild, other than that which I doubt defining it to 1 manually changed anything as if it you had apple internal sdk would it be set to 0, *which I don’t think it would?*.
> 
> I tested it with customer shipping OS with non internal SDK.
> I flipped USE_PTHREAD_JIT_PERMISSIONS and JSC gets working, but it does not
> reproduce the crash with the attached JS file. So, probably installed ICU
> issue.

Ok, I will report back with the ICU version etc., and do a build again with this commit to see what it reports for the ICU. I don't know what ICU is or much about it, but could it be messed up? I'm assuming this is something user-installable and not something that comes by default with macOS?
Comment 11 bigsean123 2022-09-21 06:23:57 PDT
(In reply to Yusuke Suzuki from comment #9)
> (In reply to bigsean123 from comment #7)
> > 
> > How does one check these things ? Do you want me to run build-jsc and see
> > what it outputs ? Or do I just look In some folders and tell that ?
> 
> I don't have solid idea, but probably you can try looking into what error
> code is returned from ICU.
> And checking your build configurations to ensure that your build ICU
> headers, libraries, etc. are the expected ones.
> And still another guess is that it is just because
> '-fsanitize-coverage=trace-pc-guard -O3' option is broken (which is not
> supported in WebKit).
> 
> > Well their is one thing I had to do to get it to work just like you I had crash as well but UBSan is needed for fuzzying, with that being said to fix the crash In PlatformUse.h USE_PTHREAD_JIT_PERMISSIONS is manually defined to 1 so macOS can stop crashing if then it worked just fine after rebuild, other than that which I doubt defining it to 1 manually changed anything as if it you had apple internal sdk would it be set to 0, *which I don’t think it would?*.
> 
> I tested it with customer shipping OS with non internal SDK.
> I flipped USE_PTHREAD_JIT_PERMISSIONS and JSC gets working, but it does not
> reproduce the crash with the attached JS file. So, probably installed ICU
> issue.

With the way you did it ("cd /Source", "make debug"),
the only thing I see related to ICU is this:
"CompileC /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/Objects-normal/arm64/LLIntSettingsExtractor.o /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/llint/LLIntSettingsExtractor.cpp normal arm64 c++ com.apple.compilers.llvm.clang.1_0.compiler (in target 'JSCLLIntSettingsExtractor' from project 'JavaScriptCore')
    cd /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore
    /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/../../Tools/ccache/ccache-clang -x c++ -target arm64-apple-macos12.3 -fmessage-length\=0 -fdiagnostics-show-note-include-stack -fmacro-backtrace-limit\=0 -std\=c++2a -stdlib\=libc++ -Wno-trigraphs -fno-exceptions -fno-rtti -fno-sanitize\=vptr -fpascal-strings -O0 -fno-common -Werror -Wno-missing-field-initializers -Wmissing-prototypes -Wdocumentation -Wunreachable-code -Wnon-virtual-dtor -Wno-overloaded-virtual -Wno-exit-time-destructors -Wno-missing-braces -Wparentheses -Wswitch -Wunused-function -Wno-unused-label -Wno-unused-parameter -Wunused-variable -Wunused-value -Wempty-body -Wuninitialized -Wno-unknown-pragmas -Wno-shadow -Wno-four-char-constants -Wno-conversion -Wconstant-conversion -Wint-conversion -Wbool-conversion -Wenum-conversion -Wno-float-conversion -Wnon-literal-null-conversion -Wobjc-literal-conversion -Wsign-compare -Wno-shorten-64-to-32 -Wnewline-eof -Wno-c++11-extensions -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk -fstrict-aliasing -Wdeprecated-declarations -Winvalid-offsetof -g -fvisibility\=hidden -fvisibility-inlines-hidden -fno-threadsafe-statics -Wno-sign-conversion -Winfinite-recursion -Wmove -Wcomma -Wblock-capture-autoreleasing -Wstrict-prototypes -Wrange-loop-analysis -Wno-semicolon-before-method-body -iquote /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/JSCLLIntSettingsExtractor-generated-files.hmap -I/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/JSCLLIntSettingsExtractor-own-target-headers.hmap -I/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/JSCLLIntSettingsExtractor-all-target-headers.hmap -iquote 
/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/JSCLLIntSettingsExtractor-project-headers.hmap -I/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/Debug/include -I/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/Debug/DerivedSources/JavaScriptCore -I/System/Library/Frameworks/JavaScriptCore.framework/PrivateHeaders -I. -I/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/Debug/usr/local/include -isystem /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/local/include -I/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/DerivedSources-normal/arm64 -I/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/DerivedSources/arm64 -I/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/DerivedSources -Wall -Wextra -Wcast-qual -Wchar-subscripts -Wconditional-uninitialized -Wextra-tokens -Wformat\=2 -Winit-self -Wmissing-format-attribute -Wmissing-noreturn -Wpacked -Wpointer-arith -Wredundant-decls -Wundef -Wwrite-strings -Wexit-time-destructors -Wglobal-constructors -Wtautological-compare -Wimplicit-fallthrough -Wvla -Wliteral-conversion -Wthread-safety -Wno-profile-instr-out-of-date -Wno-profile-instr-unprofiled -F/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/Debug -F/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitLibraries/WebKitPrivateFrameworkStubs/Mac/120000 -isystem icu -isystem /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/System/Library/Frameworks/System.framework/PrivateHeaders -MMD -MT dependencies -MF 
/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/Objects-normal/arm64/LLIntSettingsExtractor.d --serialize-diagnostics /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/Objects-normal/arm64/LLIntSettingsExtractor.dia -c /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/llint/LLIntSettingsExtractor.cpp -o /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/Objects-normal/arm64/LLIntSettingsExtractor.o

Ld /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/Debug/JSCLLIntSettingsExtractor normal (in target 'JSCLLIntSettingsExtractor' from project 'JavaScriptCore')
    cd /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore
    /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/../../Tools/ccache/ccache-clang++ -target arm64-apple-macos12.3 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk -L/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/Debug -L/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/local/lib -F/Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/Debug -F/Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/../../WebKitLibraries/WebKitPrivateFrameworkStubs/Mac/120000 -filelist /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/Objects-normal/arm64/JSCLLIntSettingsExtractor.LinkFileList -Xlinker -object_path_lto -Xlinker /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/Objects-normal/arm64/JSCLLIntSettingsExtractor_lto.o -Xlinker -no_deduplicate -stdlib\=libc++ -Xlinker -source_version -Xlinker 614.1.20.0.0 -Xlinker -no_adhoc_codesign -Xlinker -dependency_info -Xlinker /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/JavaScriptCore.build/Debug/JSCLLIntSettingsExtractor.build/Objects-normal/arm64/JSCLLIntSettingsExtractor_dependency_info.dat -o /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/Debug/JSCLLIntSettingsExtractor
ld: warning: directory not found for option '-L/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/local/lib'
ld: warning: directory not found for option '-F/Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/JavaScriptCore/../../WebKitLibraries/WebKitPrivateFrameworkStubs/Mac/120000'"

The other ICU entries are the ones being built that *are related to WebKit and come by default*, such as:
"CompileC /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/WTF.build/Debug/WTF.build/Objects-normal/arm64/LineBreakIteratorPoolICU.o /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/WTF/wtf/text/LineBreakIteratorPoolICU.cpp normal arm64 c++ "

"-isystem /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/System/Library/Frameworks/System.framework/PrivateHeaders -MMD -MT dependencies -MF /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/WTF.build/Debug/WTF.build/Objects-normal/arm64/LineBreakIteratorPoolICU.d --serialize-diagnostics /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/WTF.build/Debug/WTF.build/Objects-normal/arm64/LineBreakIteratorPoolICU.dia -c /Users/bootywarrior/Downloads/Webkit/latest/WebKit/Source/WTF/wtf/text/LineBreakIteratorPoolICU.cpp -o /Users/bootywarrior/Downloads/Webkit/latest/WebKit/WebKitBuild/WTF.build/Debug/WTF.build/Objects-normal/arm64/LineBreakIteratorPoolICU.o"

The list of files that have "icu" in their name goes on and on; is there anything specific I should be looking for?
Comment 12 bigsean123 2022-09-21 06:37:18 PDT
(In reply to Yusuke Suzuki from comment #6)
> I tried it
> 
> 1. 6cc919dc34cf1cd0c91c46be20c402fed66c3b6b hash
> 2. ./Tools/Scripts/build-jsc --jsc-only --debug
> --cmakeargs="-DENABLE_STATIC_JSC=ON
> -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3'"
> 3. macOS 12.5
> 
> And the process crashes immediately since UBSan isn't supported in WebKit
> since UBSan does not work well with Darwin's JIT mappings.
> I also tried reproducing this with `make debug` built JSC, and the issue
> didn't reproduce.
> 
> From your log, the crashed point is ASSERT(U_SUCCESS(status)), which is
> failing to initialize ICU.
> And it is very unlikely that this function can fail unless
> 
> 1. ICU is messed up.
> 2. binary is built with wrong ICU and JSC is using different ICU
> 3. the process is opening massive amount of files
> 4. the process is getting too strict sandboxing
> 
> Please double-check whether the binary is built and correctly linked to the
> right ICU, and correctly launched with the right ICU.

Lastly, this is what I will do, because I haven't tested this on a non-UBSan build: I will leave PlatformUse.h at its default without touching it, then run build-jsc --jsc-only debug and run the PoC on the resulting binary. From the looks of it while it's building, build-jsc makes its own ICU folder and puts a /Headers folder inside filled with many headers. Is this the "ICU" you're referring to, by chance?
Comment 13 bigsean123 2022-09-21 07:13:27 PDT
(In reply to Yusuke Suzuki from comment #6)
> I tried it
> 
> 1. 6cc919dc34cf1cd0c91c46be20c402fed66c3b6b hash
> 2. ./Tools/Scripts/build-jsc --jsc-only --debug
> --cmakeargs="-DENABLE_STATIC_JSC=ON
> -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3'"
> 3. macOS 12.5
> 
> And the process crashes immediately since UBSan isn't supported in WebKit
> since UBSan does not work well with Darwin's JIT mappings.
> I also tried reproducing this with `make debug` built JSC, and the issue
> didn't reproduce.
> 
> From your log, the crashed point is ASSERT(U_SUCCESS(status)), which is
> failing to initialize ICU.
> And it is very unlikely that this function can fail unless
> 
> 1. ICU is messed up.
> 2. binary is built with wrong ICU and JSC is using different ICU
> 3. the process is opening massive amount of files
> 4. the process is getting too strict sandboxing
> 
> Please double-check whether the binary is built and correctly linked to the
> right ICU, and correctly launched with the right ICU.

Ahh I found it :) 
"-- Found ICU: /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/lib/libicucore.tbd"
Comment 14 bigsean123 2022-09-21 14:22:28 PDT
(In reply to Yusuke Suzuki from comment #6)
> I tried it
> 
> 1. 6cc919dc34cf1cd0c91c46be20c402fed66c3b6b hash
> 2. ./Tools/Scripts/build-jsc --jsc-only --debug
> --cmakeargs="-DENABLE_STATIC_JSC=ON
> -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3'"
> 3. macOS 12.5
> 
> And the process crashes immediately since UBSan isn't supported in WebKit
> since UBSan does not work well with Darwin's JIT mappings.
> I also tried reproducing this with `make debug` built JSC, and the issue
> didn't reproduce.
> 
> From your log, the crashed point is ASSERT(U_SUCCESS(status)), which is
> failing to initialize ICU.
> And it is very unlikely that this function can fail unless
> 
> 1. ICU is messed up.
> 2. binary is built with wrong ICU and JSC is using different ICU
> 3. the process is opening massive amount of files
> 4. the process is getting too strict sandboxing
> 
> Please double-check whether the binary is built and correctly linked to the
> right ICU, and correctly launched with the right ICU.

Ok, sorry about the long wait. I've had hiccups all day trying to build this again for macOS — random build errors have been popping up left and right, so I'm opting to just re-download the whole WebKit.git from scratch. With that being said, I decided to look further into your explanation of the ICU being wrong, and found out that the "icu4c" WebKit has been depending on wasn't installed the whole time, which means whatever I've built my WebKit with has been finding something else that was wrong or completely different when searching for ICU.

Further proof of your notion here:

"bootywarrior@Bootys-MacBook-Air ~ % brew install icu4c
Running `brew update --auto-update`...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).

You have 14 outdated formulae installed.
You can upgrade them with brew upgrade
or list them with brew outdated.

icu4c  is already installed but outdated (so it will be upgraded).
==> Downloading https://ghcr.io/v2/homebrew/core/icu4c/manifests/71.1
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/icu4c/blobs/sha256:0bf3c66f005e
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sh
######################################################################## 100.0%
==> Pouring icu4c--71.1.arm64_monterey.bottle.tar.gz
==> Caveats
icu4c is keg-only, which means it was not symlinked into /opt/homebrew,
because macOS provides libicucore.dylib (but nothing else).

If you need to have icu4c first in your PATH, run:
  echo 'export PATH="/opt/homebrew/opt/icu4c/bin:$PATH"' >> ~/.zshrc
  echo 'export PATH="/opt/homebrew/opt/icu4c/sbin:$PATH"' >> ~/.zshrc

For compilers to find icu4c you may need to set:
  export LDFLAGS="-L/opt/homebrew/opt/icu4c/lib"
  export CPPFLAGS="-I/opt/homebrew/opt/icu4c/include"

==> Summary
🍺  /opt/homebrew/Cellar/icu4c/71.1: 262 files, 76.8MB
==> Running `brew cleanup icu4c`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /opt/homebrew/Cellar/icu4c/70.1... (261 files, 74.9MB)
==> Upgrading 1 dependent of upgraded formula:
Disable this behaviour by setting HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
node 18.7.0 -> 18.9.0
==> Downloading https://ghcr.io/v2/homebrew/core/libnghttp2/manifests/1.49.0
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/libnghttp2/blobs/sha256:8984658
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sh
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/node/manifests/18.9.0
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/node/blobs/sha256:283a5835d95a0
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sh
######################################################################## 100.0%
==> Upgrading node
  18.7.0 -> 18.9.0 

==> Installing dependencies for node: libnghttp2
==> Installing node dependency: libnghttp2
==> Pouring libnghttp2--1.49.0.arm64_monterey.bottle.tar.gz
🍺  /opt/homebrew/Cellar/libnghttp2/1.49.0: 13 files, 726.3KB
==> Installing node
==> Pouring node--18.9.0.arm64_monterey.bottle.tar.gz
🍺  /opt/homebrew/Cellar/node/18.9.0: 1,997 files, 48.4MB
==> Running `brew cleanup node`...
Removing: /opt/homebrew/Cellar/node/18.7.0... (1,934 files, 47.7MB)
==> Checking for dependents of upgraded formulae...
==> No broken dependents found!
==> Caveats
==> icu4c
icu4c is keg-only, which means it was not symlinked into /opt/homebrew,
because macOS provides libicucore.dylib (but nothing else).

If you need to have icu4c first in your PATH, run:
  echo 'export PATH="/opt/homebrew/opt/icu4c/bin:$PATH"' >> ~/.zshrc
  echo 'export PATH="/opt/homebrew/opt/icu4c/sbin:$PATH"' >> ~/.zshrc

For compilers to find icu4c you may need to set:
  export LDFLAGS="-L/opt/homebrew/opt/icu4c/lib"
  export CPPFLAGS="-I/opt/homebrew/opt/icu4c/include"

bootywarrior@Bootys-MacBook-Air ~ % echo 'export PATH="/opt/homebrew/opt/icu4c/bin:$PATH"' >> ~/.zshrc
bootywarrior@Bootys-MacBook-Air ~ %  echo 'export PATH="/opt/homebrew/opt/icu4c/sbin:$PATH"' >> ~/.zshrc
bootywarrior@Bootys-MacBook-Air ~ % export LDFLAGS="-L/opt/homebrew/opt/icu4c/lib"
bootywarrior@Bootys-MacBook-Air ~ % export CPPFLAGS="-I/opt/homebrew/opt/icu4c/include"
bootywarrior@Bootys-MacBook-Air ~ % 
"
Now that I have it successfully installed, once WebKit.git is done downloading I'm going to build the same way as described in the original post and see if I still get the same crash...
Comment 15 Yusuke Suzuki 2022-09-22 01:35:32 PDT
Anyway, it is ICU initialization, and we cannot reproduce it with the normal `make debug` build configuration. "Exception: TypeError: Failed to format a number." means that ICU is not working at all.
So, you can look into your ICU to see what is happening, and if you find a bug, you can report it to ICU :)
Comment 16 bigsean123 2022-09-22 06:58:15 PDT
Yep, the PoC doesn't reproduce with the installed ICU. I also tried it on Linux arm64, which is actually supported for static --jsc-only builds, and it did not work there either, even with the same compilation flags. Thanks for investigating.
Comment 17 bigsean123 2022-09-22 07:00:16 PDT
(In reply to Yusuke Suzuki from comment #15)
> Anyway, it is ICU initialization. And we cannot reproduce with normal `make
> debug` build configuration. "Exception: TypeError: Failed to format a
> number." means that ICU is not working at all.
> So, you can look into your ICU about what is happening, and if you find a
> bug, then you can report it to ICU :)

Also, that exception is what I was getting when originally running the PoC against /System/path/to/Helpers/jsc, which is why I thought it was a debug-only build problem; it turns out it was just linked to the wrong ICU.