RESOLVED FIXED 282809
Aborted in JSC::Wasm::arrayNew
https://bugs.webkit.org/show_bug.cgi?id=282809
Summary Aborted in JSC::Wasm::arrayNew
Q1IQ
Reported 2024-11-07 21:01:12 PST
Created attachment 473176: poc.js

### Title

Aborted in JSC::EncodedJSValue JSC::Wasm::arrayNew

### Environment

```
OS     : Linux Ubuntu
Commit : a6d261838dcb9f9e9c7bad991bc3d880ae5358ee
Build  : ./Tools/Scripts/build-jsc --debug --jsc-only --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-15' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-15' -DCMAKE_CXX_FLAGS='-O3 -lrt -Wno-error=cast-align -std=c++20 -stdlib=libc++'"
```

### Proof of concept

Run jsc:

```
/WebKit/build/JSCOnly/Debug/bin/jsc /tmp/poc.js
```

### Output

```
ASSERTION FAILED: encValue <= UINT32_MAX
/WebKit/Source/JavaScriptCore/wasm/WasmOperationsInlines.h(86) : JSC::EncodedJSValue JSC::Wasm::arrayNew(JSC::JSWebAssemblyInstance *, uint32_t, uint32_t, JSC::EncodedJSValue)
1   0x55bdb2edca3c /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2f01a3c) [0x55bdb2edca3c]
2   0x55bdb2edb908 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2f00908) [0x55bdb2edb908]
3   0x55bdb2ec0075 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2ee5075) [0x55bdb2ec0075]
4   0x55bdb2e99ac7 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2ebeac7) [0x55bdb2e99ac7]
5   0x55bdb2e8491b /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2ea991b) [0x55bdb2e8491b]
6   0x55bdb2e7e27d /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2ea327d) [0x55bdb2e7e27d]
7   0x55bdb2e7e99e /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2ea399e) [0x55bdb2e7e99e]
8   0x55bdb31ad2dd /WebKit/build/JSCOnly/Debug/bin/jsc(+0x31d22dd) [0x55bdb31ad2dd]
9   0x55bdb31a8360 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x31cd360) [0x55bdb31a8360]
10  0x55bdb317268b /WebKit/build/JSCOnly/Debug/bin/jsc(+0x319768b) [0x55bdb317268b]
11  0x55bdb31983f4 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x31bd3f4) [0x55bdb31983f4]
12  0x7f662ae203e7 [0x7f662ae203e7]
Aborted
```

### Stack dump

```
gdb-peda$ r ./1108poc.js
Starting program: /WebKit/build/JSCOnly/Debug/bin/jsc ./1108poc.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffed767700 (LWP 1366259)]
[New Thread 0x7fffa8f64700 (LWP 1366416)]
[New Thread 0x7fffa8763700 (LWP 1366445)]
[New Thread 0x7fffa7f62700 (LWP 1366469)]
[New Thread 0x7fffa7761700 (LWP 1366470)]
[New Thread 0x7fffa6f60700 (LWP 1366471)]
[New Thread 0x7fffa675f700 (LWP 1366472)]
[New Thread 0x7fffa5f5e700 (LWP 1366473)]
[New Thread 0x7fffa575d700 (LWP 1366474)]
[New Thread 0x7fffa4f5c700 (LWP 1366510)]
[New Thread 0x7fffa475b700 (LWP 1366511)]
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff5869740 (0x00007ffff5869740)
RCX: 0x7ffff5a9300b (<raise+203>: mov rax,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7ffffffee5e0 --> 0x0
RDI: 0x2
RBP: 0x55555598dc8b ("JSC::EncodedJSValue JSC::Wasm::arrayNew(JSC::JSWebAssemblyInstance *, uint32_t, uint32_t, JSC::EncodedJSValue)")
RSP: 0x7ffffffee5e0 --> 0x0
RIP: 0x7ffff5a9300b (<raise+203>: mov rax,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7ffffffee5e0 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7fffeb0a43c8 --> 0x10050000000a710
R13: 0x4
R14: 0xe708661893211b8
R15: 0x11
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff5a92fff <raise+191>: mov edi,0x2
   0x7ffff5a93004 <raise+196>: mov eax,0xe
   0x7ffff5a93009 <raise+201>: syscall
=> 0x7ffff5a9300b <raise+203>: mov rax,QWORD PTR [rsp+0x108]
   0x7ffff5a93013 <raise+211>: xor rax,QWORD PTR fs:0x28
   0x7ffff5a9301c <raise+220>: jne 0x7ffff5a93044 <raise+260>
   0x7ffff5a9301e <raise+222>: mov eax,r8d
   0x7ffff5a93021 <raise+225>: add rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7ffffffee5e0 --> 0x0
0008| 0x7ffffffee5e8 ("sult != ")
0016| 0x7ffffffee5f0 --> 0x0
0024| 0x7ffffffee5f8 --> 0x0
0032| 0x7ffffffee600 --> 0xbfe552222222222d
0040| 0x7ffffffee608 --> 0x0
0048| 0x7ffffffee610 --> 0x3fe99555551519c7
0056| 0x7ffffffee618 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff5a9300b in raise () from /lib/x86_64-linux-gnu/libc.so.6
gdb-peda$ bt
#0  0x00007ffff5a9300b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff5a72859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x000055555641399a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:912
#3  0x0000555558455a51 in JSC::Wasm::arrayNew (instance=instance@entry=0x7fffeb0a43c8, typeIndex=typeIndex@entry=0x4, size=size@entry=0x11, encValue=0xe708661893211b8) at /WebKit/Source/JavaScriptCore/wasm/WasmOperationsInlines.h:86
#4  0x0000555558454908 in JSC::Wasm::ConstExprGenerator::createNewArray (this=this@entry=0x7fffffff4300, typeIndex=typeIndex@entry=0x4, size=size@entry=0x11, value=...) at /WebKit/Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp:315
#5  0x0000555558439075 in JSC::Wasm::ConstExprGenerator::addArrayNew (this=this@entry=0x7fffffff4300, typeIndex=typeIndex@entry=0x4, size=..., value=..., result=...) at /WebKit/Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp:326
#6  0x0000555558412ac7 in JSC::Wasm::FunctionParser<JSC::Wasm::ConstExprGenerator>::parseExpression (this=this@entry=0x7fffffff4590) at /WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2241
#7  0x00005555583fd91b in JSC::Wasm::FunctionParser<JSC::Wasm::ConstExprGenerator>::parseBody (this=this@entry=0x7fffffff4590) at /WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:526
#8  0x00005555583f727d in JSC::Wasm::FunctionParser<JSC::Wasm::ConstExprGenerator>::parseConstantExpression (this=this@entry=0x7fffffff4590) at /WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:496
#9  0x00005555583f799e in JSC::Wasm::evaluateExtendedConstExpr (constantExpression=..., instance=instance@entry=0x7fffeb0a43c8, info=..., expectedType=...) at /WebKit/Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp:763
#10 0x00005555587262dd in JSC::WebAssemblyModuleRecord::evaluateConstantExpression (this=this@entry=0x7fffeb014708, globalObject=0x7fffa941a088, constantExpression=..., info=..., expectedType=..., result=@0x7fffffffcfe0: 0x0) at /WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:784
#11 0x0000555558721360 in JSC::WebAssemblyModuleRecord::initializeExports (this=0x7fffeb014708, globalObject=0x7ffffffee5e0) at /WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:635
#12 0x00005555586eb68b in JSC::JSWebAssemblyInstance::finalizeCreation (this=0x7fffeb0a43c8, vm=..., globalObject=0x7fffa941a088, wasmCalleeGroup=..., creationMode=JSC::Wasm::CreationMode::FromJS) at /WebKit/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:202
#13 0x00005555587113f4 in JSC::constructJSWebAssemblyInstance (globalObject=0x7fffa941a088, callFrame=<optimized out>) at /WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp:71
#14 0x00007fffaaf743e7 in ?? ()
#15 0x00007fffffffd3c0 in ?? ()
#16 0x00005555567233a8 in llint_op_construct ()
#17 0x0000000000000000 in ?? ()
```

### Credit

Q1IQ (@q1iqF) and P1umer (@p1umer)
Attachments
poc.js (808 bytes, application/x-javascript)
2024-11-07 21:01 PST, Q1IQ
Radar WebKit Bug Importer
Comment 1 2024-11-08 02:53:08 PST
Yusuke Suzuki
Comment 2 2024-11-11 13:48:46 PST
This is a stale assertion. No security issue.
Yusuke Suzuki
Comment 3 2024-11-11 13:50:40 PST
EWS
Comment 4 2024-11-11 16:14:35 PST
Committed 286463@main (9335dacba16b): <https://commits.webkit.org/286463@main> Reviewed commits have been landed. Closing PR #36504 and removing active labels.
Yusuke Suzuki
Comment 5 2024-11-12 10:14:34 PST
*** Bug 282594 has been marked as a duplicate of this bug. ***