WebKit Bugzilla
RESOLVED FIXED
285180
[JSC] ASSERTION FAILED: signature.is<FunctionSignature>()
https://bugs.webkit.org/show_bug.cgi?id=285180
rhezashan
Reported 2024-12-26 19:31:35 PST

Created attachment 473678
PoC

1. Tested on both WebKit branches (`@main` and `@safari-7260-branch`)
2. Target release or debug.
3. Run with `./bin/jsc ./poc1.js`

my commit @main
```
commit ef2f9a1f717b8a12c7846107d62ba902363c1cac (HEAD -> main, origin/main, origin/HEAD)
Author: Alan Baradlay <zalan@apple.com>
Date: Wed Dec 25 05:11:22 2024 -0800
```

```
ASSERTION FAILED: signature.is<FunctionSignature>()
/home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h(63) : static const FunctionSignature &JSC::Wasm::TypeInformation::getFunctionSignature(TypeIndex)
1   0x62ab9e037e14 ./webkit-debug-clang-main/bin/jsc(+0x74a5e14) [0x62ab9e037e14]
2   0x62ab9a2a5a91 ./webkit-debug-clang-main/bin/jsc(+0x3713a91) [0x62ab9a2a5a91]
3   0x62ab9d869002 ./webkit-debug-clang-main/bin/jsc(+0x6cd7002) [0x62ab9d869002]
4   0x62ab9d8153bb ./webkit-debug-clang-main/bin/jsc(+0x6c833bb) [0x62ab9d8153bb]
5   0x62ab9d70c4eb ./webkit-debug-clang-main/bin/jsc(+0x6b7a4eb) [0x62ab9d70c4eb]
6   0x62ab9d70ac4f ./webkit-debug-clang-main/bin/jsc(+0x6b78c4f) [0x62ab9d70ac4f]
7   0x62ab9d736455 ./webkit-debug-clang-main/bin/jsc(+0x6ba4455) [0x62ab9d736455]
8   0x62ab9d5e1c14 ./webkit-debug-clang-main/bin/jsc(+0x6a4fc14) [0x62ab9d5e1c14]
9   0x62ab9d739504 ./webkit-debug-clang-main/bin/jsc(+0x6ba7504) [0x62ab9d739504]
10  0x62ab9dc72388 ./webkit-debug-clang-main/bin/jsc(+0x70e0388) [0x62ab9dc72388]
11  0x62ab9e03fcde ./webkit-debug-clang-main/bin/jsc(+0x74adcde) [0x62ab9e03fcde]
12  0x62ab9e03f359 ./webkit-debug-clang-main/bin/jsc(+0x74ad359) [0x62ab9e03f359]
13  0x62ab9aa66b14 ./webkit-debug-clang-main/bin/jsc(+0x3ed4b14) [0x62ab9aa66b14]
14  0x62ab9e27984b ./webkit-debug-clang-main/bin/jsc(+0x76e784b) [0x62ab9e27984b]
15  0x62ab9e552955 ./webkit-debug-clang-main/bin/jsc(+0x79c0955) [0x62ab9e552955]
16  0x62ab994aaccd ./webkit-debug-clang-main/bin/jsc(+0x2918ccd) [0x62ab994aaccd]
17  0x7a19a169ca94 /lib/x86_64-linux-gnu/libc.so.6(+0x9ca94) [0x7a19a169ca94]
18  0x7a19a1729c3c /lib/x86_64-linux-gnu/libc.so.6(+0x129c3c) [0x7a19a1729c3c]
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3429785==ERROR: AddressSanitizer: ABRT on unknown address 0x03e800345599 (pc 0x7a19a169eb1c bp 0x7a1951be42e0 sp 0x7a1951be42a0 T5)
SCARINESS: 10 (signal)
    #0 0x7a19a169eb1c in pthread_kill nptl/pthread_kill.c:44:76
    #1 0x7a19a164526d in raise signal/../sysdeps/posix/raise.c:26:13
    #2 0x7a19a16288fe in abort stdlib/abort.c:79:7
    #3 0x62ab994e8b0f in WTFCrashWithInfo(int, char const*, char const*, int) /home/rheza/webkit-debug-clang-main/WTF/Headers/wtf/Assertions.h:913:5
    #4 0x62ab9a2a5ac6 in JSC::Wasm::TypeInformation::getFunctionSignature(unsigned long) /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h:63:5
    #5 0x62ab9d869001 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:3524:42
    #6 0x62ab9d8153ba in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody() /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:534:13
    #7 0x62ab9d70c4ea in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse() /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:487:5
    #8 0x62ab9d70ac4e in JSC::Wasm::parseAndCompileBytecode(std::span<unsigned char const, 18446744073709551615ul>, JSC::Wasm::TypeDefinition const&, JSC::Wasm::ModuleInformation&, JSC::Wasm::FunctionCodeIndex) /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:634:5
    #9 0x62ab9d736454 in JSC::Wasm::LLIntPlan::compileFunction(JSC::Wasm::FunctionCodeIndex) /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:105:34
    #10 0x62ab9d5e1c13 in JSC::Wasm::EntryPlan::compileFunctions(JSC::Wasm::Plan::CompilationEffort) /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218:13
    #11 0x62ab9d739503 in JSC::Wasm::LLIntPlan::work(JSC::Wasm::Plan::CompilationEffort) /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:249:9
    #12 0x62ab9dc72387 in JSC::Wasm::Worklist::Thread::work() /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:108:15
    #13 0x62ab9e03fcdd in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const /home/rheza/WebKit/Source/WTF/wtf/AutomaticThread.cpp:225:37
    #14 0x62ab9e03f358 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() /home/rheza/WebKit/Source/WTF/wtf/Function.h:53:39
    #15 0x62ab9aa66b13 in WTF::Function<void ()>::operator()() const /home/rheza/webkit-debug-clang-main/WTF/Headers/wtf/Function.h:82:35
    #16 0x62ab9e27984a in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/rheza/WebKit/Source/WTF/wtf/Threading.cpp:265:5
    #17 0x62ab9e552954 in WTF::wtfThreadEntryPoint(void*) /home/rheza/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241:5
    #18 0x62ab994aaccc in asan_thread_start(void*) crtstuff.c

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT nptl/pthread_kill.c:44:76 in pthread_kill
Thread T5 (t Helper Thread) created by T0 here:
    #0 0x62ab99492b55 in pthread_create (/home/rheza/webkit-debug-clang-main/bin/jsc+0x2900b55) (BuildId: 0645272ac1ada3fe)
    #1 0x62ab9e5526f3 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, std::optional<unsigned long>, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) /home/rheza/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:315:17
    #2 0x62ab9e279eae in WTF::Thread::create(WTF::ASCIILiteral, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) /home/rheza/WebKit/Source/WTF/wtf/Threading.cpp:281:32
    #3 0x62ab9e03bf31 in WTF::AutomaticThread::start(WTF::AbstractLocker const&) /home/rheza/WebKit/Source/WTF/wtf/AutomaticThread.cpp:167:5
    #4 0x62ab9e03c0f4 in WTF::AutomaticThreadCondition::notifyAll(WTF::AbstractLocker const&) /home/rheza/WebKit/Source/WTF/wtf/AutomaticThread.cpp:72:21
    #5 0x62ab9dc37bb6 in JSC::Wasm::Worklist::enqueue(WTF::Ref<JSC::Wasm::Plan, WTF::RawPtrTraits<JSC::Wasm::Plan>, WTF::DefaultRefDerefTraits<JSC::Wasm::Plan>>) /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:161:25
    #6 0x62ab9d9a3eb6 in JSC::Wasm::Module::validateSync(JSC::VM&, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) /home/rheza/WebKit/Source/JavaScriptCore/wasm/WasmModule.cpp:99:28
    #7 0x62ab9dcd9ced in JSC::WebAssemblyModuleConstructor::createModule(JSC::JSGlobalObject*, JSC::CallFrame*, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) /home/rheza/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp:301:19
    #8 0x62ab9dcdb14e in JSC::constructJSWebAssemblyModule(JSC::JSGlobalObject*, JSC::CallFrame*) /home/rheza/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp:282:5
    #9 0x7a195ea103e6 (<unknown module>)
    #10 0x62ab99ce01df in llint_op_construct LowLevelInterpreter.cpp
    #11 0x62ab99cb94af in llint_call_javascript LowLevelInterpreter.cpp
    #12 0x62ab9be51bc7 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) /home/rheza/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1177:28
    #13 0x62ab9c71802d in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) /home/rheza/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:138:37
    #14 0x62ab9961eff5 in runWithOptions(GlobalObject*, CommandLine&, bool&) /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:3820:35
    #15 0x62ab99574bcb in jscmain(int, char**)::$_0::operator()(JSC::VM&, GlobalObject*, bool&) const /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:4509:13
    #16 0x62ab994f6353 in int runJSC<jscmain(int, char**)::$_0>(CommandLine const&, bool, jscmain(int, char**)::$_0 const&) /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:4300:13
    #17 0x62ab994f0b98 in jscmain(int, char**) /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:4502:18
    #18 0x62ab994f039e in main /home/rheza/WebKit/Source/JavaScriptCore/jsc.cpp:3576:15
    #19 0x7a19a162a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7a19a162a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #21 0x62ab99414124 in _start (/home/rheza/webkit-debug-clang-main/bin/jsc+0x2882124) (BuildId: 0645272ac1ada3fe)
==3429785==ABORTING
```
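The failing assertion, `signature.is<FunctionSignature>()` inside `TypeInformation::getFunctionSignature`, is reached from `FunctionParser::parseExpression` while compiling a function body. That frame sequence indicates a type index referenced from the body resolved to a type definition that is not a function signature; which opcode carried the index is not stated on this page and is not assumed below. The following is an added illustration, not WebKit code, not the attached PoC and not the landed fix: a small parser for a WebAssembly type section that accepts func, struct and array definitions (the forms the GC proposal adds) and turns the "index names a non-function type" case into a validation error instead of an assertion. The sample bytes, the helper names (`parseTypeSection`, `getFunctionSignature`, `checkSample`) and the error messages are all constructed for this example.

```javascript
// Added example, not WebKit code and not the attached PoC: a minimal parser for a
// WebAssembly type section that models the check behind the failing assertion
// signature.is<FunctionSignature>(). With the GC proposal a type index can name a
// struct or array definition, so code that needs a function signature must check
// the kind and report a validation error rather than assume it.
const VALTYPE = { 0x7f: "i32", 0x7e: "i64", 0x7d: "f32", 0x7c: "f64", 0x7b: "v128", 0x70: "funcref", 0x6f: "externref" };
const STORAGETYPE = { ...VALTYPE, 0x78: "i8", 0x77: "i16" }; // packed types, struct/array fields only

function need(bytes, pos) {
  if (pos >= bytes.length) throw new Error(`unexpected end of section at offset ${pos}`);
}

// Unsigned LEB128, used for every count and index in the binary format.
function readU32(bytes, pos) {
  let result = 0, shift = 0;
  for (;;) {
    need(bytes, pos);
    const b = bytes[pos++];
    result |= (b & 0x7f) << shift;
    if ((b & 0x80) === 0) return [result >>> 0, pos];
    shift += 7;
    if (shift > 28) throw new Error("u32 LEB128 longer than 5 bytes");
  }
}

// Single-byte type code looked up in the given table (value types or storage types).
function readType(table) {
  return (bytes, pos) => {
    need(bytes, pos);
    const name = table[bytes[pos]];
    if (name === undefined) throw new Error(`unknown type byte 0x${bytes[pos].toString(16)} at offset ${pos}`);
    return [name, pos + 1];
  };
}
const readValType = readType(VALTYPE);

// fieldtype = storagetype followed by a mutability byte (0 = const, 1 = var).
function readFieldType(bytes, pos) {
  let type; [type, pos] = readType(STORAGETYPE)(bytes, pos);
  need(bytes, pos);
  const mut = bytes[pos++];
  if (mut > 1) throw new Error(`bad mutability ${mut} at offset ${pos - 1}`);
  return [{ type, mutable: mut === 1 }, pos];
}

// vec(elem) = u32 count followed by that many elements.
function readVec(bytes, pos, readElem) {
  let n; [n, pos] = readU32(bytes, pos);
  const out = [];
  for (let i = 0; i < n; i++) {
    let x; [x, pos] = readElem(bytes, pos);
    out.push(x);
  }
  return [out, pos];
}

// Parses a type section payload (after section id and size) into definitions tagged
// with their kind. Recursion groups and subtypes (0x4e/0x50) are rejected, not guessed.
function parseTypeSection(bytes) {
  let [count, pos] = readU32(bytes, 0);
  const types = [];
  for (let i = 0; i < count; i++) {
    need(bytes, pos);
    const form = bytes[pos++];
    if (form === 0x60) {
      let params, results;
      [params, pos] = readVec(bytes, pos, readValType);
      [results, pos] = readVec(bytes, pos, readValType);
      types.push({ kind: "func", params, results });
    } else if (form === 0x5f) {
      let fields; [fields, pos] = readVec(bytes, pos, readFieldType);
      types.push({ kind: "struct", fields });
    } else if (form === 0x5e) {
      let element; [element, pos] = readFieldType(bytes, pos);
      types.push({ kind: "array", element });
    } else {
      throw new Error(`unsupported type form 0x${form.toString(16)} at offset ${pos - 1}`);
    }
  }
  if (pos !== bytes.length) throw new Error(`${bytes.length - pos} trailing bytes in type section`);
  return types;
}

// The check the assertion stands in for: a type index used where a function signature
// is required must be in range AND resolve to a func definition. A validator throws;
// a build that skips the assert and dereferences the result instead is the crash above.
function getFunctionSignature(types, typeIndex) {
  if (typeIndex >= types.length) throw new Error(`type index ${typeIndex} out of range (${types.length} types)`);
  const def = types[typeIndex];
  if (def.kind !== "func") throw new Error(`type index ${typeIndex} is a ${def.kind} type, not a function signature`);
  return def;
}

// Constructed sample, hand-assembled for this example and not taken from the bug:
// type 0 = func (i32, i32) -> i32, type 1 = struct { i32 const }.
const SAMPLE_TYPE_SECTION = new Uint8Array([
  0x02,                               // two type definitions
  0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f, // func: params [i32 i32], results [i32]
  0x5f, 0x01, 0x7f, 0x00,             // struct: one field, i32, immutable
]);

// Resolves both indices the way a function-body parser would and reports the outcome.
function checkSample() {
  const types = parseTypeSection(SAMPLE_TYPE_SECTION);
  const sig0 = getFunctionSignature(types, 0);
  let err1 = null;
  try { getFunctionSignature(types, 1); } catch (e) { err1 = e.message; }
  return { types, sig0, err1 };
}
```

Index 0 resolves to the func signature; index 1 is a struct definition and is rejected with an error rather than dereferenced. In a debug build the real engine stops at the assertion; in a release build the assertion compiles out and, as comment 2 below notes, the result is a deterministic null-pointer crash, i.e. a denial of service rather than memory corruption, which is why the report was triaged as non-security.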
Attachments
PoC (505 bytes, text/javascript), 2024-12-26 19:31 PST, rhezashan
Radar WebKit Bug Importer
Comment 1
2024-12-26 19:31:46 PST
<rdar://problem/142081680>
Yusuke Suzuki
Comment 2
2025-01-07 17:24:30 PST
Deterministic nullptr crash => non-security.
Yusuke Suzuki
Comment 3
2025-01-07 17:25:00 PST
Pull request:
https://github.com/WebKit/WebKit/pull/38689
Yusuke Suzuki
Comment 4
2025-01-07 17:33:19 PST
*** Bug 285181 has been marked as a duplicate of this bug. ***
Yusuke Suzuki
Comment 5
2025-01-07 17:34:50 PST
*** Bug 285207 has been marked as a duplicate of this bug. ***
EWS
Comment 6
2025-01-07 18:25:30 PST
Committed 288575@main (e3ac9340710c): <https://commits.webkit.org/288575@main>

Reviewed commits have been landed. Closing PR #38689 and removing active labels.
rhezashan
Comment 7
2025-01-07 18:30:20 PST
@ysuzuki, Thank you for fixing this issue!