Created attachment 462586 [details] Testcase Tested on linux intel 64 and ARMv7. The regression seems to have been introduced by commit 0a1408274330aa1999490790cee7d2b9b3b8ac2b. Running the attached test case fails with the following message: $ ./WebKitBuild/Debug/bin/jsc bar.js ASSERTION FAILED: decontaminate() /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/StructureID.h(130) : JSC::Structure *JSC::StructureID::decode() const Aborted (core dumped) The backtrace: #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737246848832, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff19f5476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff19db7f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff427127b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:754 #6 0x00007ffff42e529e in JSC::StructureID::decode (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/StructureID.h:130 #7 0x00007ffff42e4b75 in JSC::JSCell::structure (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:137 #8 0x00007ffff42e8dd9 in JSC::Heap::writeBarrier (this=0x7fffa6000080, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/heap/HeapInlines.h:121 #9 0x00007ffff42e8d44 in JSC::VM::writeBarrier (this=0x7fffa6000000, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/VM.h:894 #10 0x00007ffff42e8973 in JSC::AuxiliaryBarrier<JSC::Butterfly*>::AuxiliaryBarrier<JSC::Butterfly*&> (this=0x7fffe8020670, vm=..., owner=0x7fffe8020668, value=@0x7fffffffc820: 0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h:39 #11 0x00007ffff42e8775 in JSC::JSObject::JSObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1374 #12 0x00007ffff42dd7bd in JSC::JSNonFinalObject::JSNonFinalObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1202 #13 0x00007ffff5a0a04d in JSC::IntlDurationFormat::IntlDurationFormat (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:74 #14 0x00007ffff5a09ef1 in JSC::IntlDurationFormat::create (vm=..., structure=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:63 #15 0x00007ffff5a51da2 in JSC::constructIntlDurationFormat (globalObject=0x7fffa641a068, callFrame=0x7fffffffca40) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormatConstructor.cpp:90 #16 0x00007fffa71ac0c7 in ?? () #17 0x00007fffffffcae0 in ?? () #18 0x00007ffff4231e37 in js_trampoline_op_construct_varargs () from /home/mgadelha/tools/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1 #19 0x0000000000000000 in ?? () (gdb) #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737246848832, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff19f5476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff19db7f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff427127b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:754 #6 0x00007ffff42e529e in JSC::StructureID::decode (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/StructureID.h:130 #7 0x00007ffff42e4b75 in JSC::JSCell::structure (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:137 #8 0x00007ffff42e8dd9 in JSC::Heap::writeBarrier (this=0x7fffa6000080, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/heap/HeapInlines.h:121 #9 0x00007ffff42e8d44 in JSC::VM::writeBarrier (this=0x7fffa6000000, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/VM.h:894 #10 0x00007ffff42e8973 in JSC::AuxiliaryBarrier<JSC::Butterfly*>::AuxiliaryBarrier<JSC::Butterfly*&> (this=0x7fffe8020670, vm=..., owner=0x7fffe8020668, value=@0x7fffffffc820: 0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h:39 #11 0x00007ffff42e8775 in JSC::JSObject::JSObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1374 #12 0x00007ffff42dd7bd in JSC::JSNonFinalObject::JSNonFinalObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1202 #13 0x00007ffff5a0a04d in JSC::IntlDurationFormat::IntlDurationFormat (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:74 #14 0x00007ffff5a09ef1 in JSC::IntlDurationFormat::create (vm=..., structure=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:63 #15 0x00007ffff5a51da2 in JSC::constructIntlDurationFormat (globalObject=0x7fffa641a068, callFrame=0x7fffffffca40) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormatConstructor.cpp:90 #16 0x00007fffa71ac0c7 in ?? () #17 0x00007fffffffcae0 in ?? () #18 0x00007ffff4231e37 in js_trampoline_op_construct_varargs () from /home/mgadelha/tools/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1 #19 0x0000000000000000 in ?? () Found by Igalia Fuzzing Campaign.