285179 – [JSC] Retry with SlowPutArrayStorage properly

RESOLVED FIXED 285179

[JSC] Retry with SlowPutArrayStorage properly

https://bugs.webkit.org/show_bug.cgi?id=285179

Summary [JSC] Retry with SlowPutArrayStorage properly

EntryHi

Reported 2024-12-26 19:29:20 PST

Hello, I found a bug in JavaScriptCore. The PoC is shown as below: ========================poc.js============ class C31 { constructor(a33) { a33[536870912] = 2; for (const v38 in a33) { print(v38); } } } Object.defineProperty(C31.__proto__, 536870912, { enumerable: true, value: {}}); new C31(C31); new C31(C31); new C31(C31); new C31(Map); ======================================== Reproduce bug: Step 1: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0 Step 2: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=1 The result of Step 1: 536870912 536870912 536870912 Exception: TypeError: Attempted to assign to readonly property. C31@poc.js:3:8 global code@poc.js:13:8 The result of Step 2: 536870912 536870912 536870912 536870912 V8 throw an exception in the first new operation which is also diffrent from that in Step 1 or Step 2.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-01-02 19:30:14 PST

<rdar://problem/142297349>

Yusuke Suzuki

Comment 2 2025-01-14 16:04:37 PST

Pull request: https://github.com/WebKit/WebKit/pull/39034

EWS

Comment 3 2025-01-14 17:27:42 PST

Committed 288905@main (5aa0914c99ba): <https://commits.webkit.org/288905@main> Reviewed commits have been landed. Closing PR #39034 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Yusuke Suzuki

Reported

2024-12-26 19:29 PST

Modified

2025-01-14 17:27 PST History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks