Bug 254728

The following sample causes an assertion failure on JSC debug builds from latest HEAD:

    function f1() {
    }
    const o2 = {
        "getOwnPropertyDescriptor": f1,
    };
    const v4 = new Proxy(Date, o2);
    const v7 = new Int16Array(v4.bind());
    // CRASH INFO
    // ==========
    // TERMSIG: 6
    // STDERR:
    // ASSERTION FAILED: cursor->inherits<JSFunction>()
    // Source/JavaScriptCore/runtime/JSBoundFunction.cpp(330) : double JSC::JSBoundFunction::lengthSlow(JSC::VM &)
    // EXECUTION TIME: 57ms

Here is the stacktrace from gdb:

    #0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
    #1  0x00007ffff16add2f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
    #2  0x00007ffff165eef2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #3  0x00007ffff1649472 in __GI_abort () at ./stdlib/abort.c:79
    #4  0x00007ffff520639b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:758
    #5  0x00007ffff6b3a645 in JSC::JSBoundFunction::lengthSlow (this=0x7fffe70519c8, vm=...) at Source/JavaScriptCore/runtime/JSBoundFunction.cpp:330
    #6  0x00007ffff6b49e2c in JSC::JSBoundFunction::length (this=0x7fffe70519c8, vm=...) at Source/JavaScriptCore/runtime/JSBoundFunction.h:80
    #7  0x00007ffff6b47eaf in JSC::JSFunction::originalLength (this=0x7fffe70519c8, vm=...) at Source/JavaScriptCore/runtime/JSFunctionInlines.h:129
    #8  0x00007ffff6b73b83 in JSC::JSFunction::reifyLength (this=0x7fffe70519c8, vm=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:555
    #9  0x00007ffff6b7408e in JSC::JSFunction::reifyLazyLengthIfNeeded (this=0x7fffe70519c8, vm=..., propertyName=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:652
    #10 0x00007ffff6b73e41 in JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded (this=0x7fffe70519c8, vm=..., globalObject=0x7fffa541a068, propertyName=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:627
    #11 0x00007ffff6b72c8f in JSC::JSFunction::reifyLazyPropertyIfNeeded (this=0x7fffe70519c8, vm=..., globalObject=0x7fffa541a068, propertyName=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:609
    #12 0x00007ffff6b709f5 in JSC::JSFunction::getOwnPropertySlot (object=0x7fffe70519c8, globalObject=0x7fffa541a068, propertyName=..., slot=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:348
    #13 0x00007ffff53181b9 in JSC::JSObject::getNonIndexPropertySlot (this=0x7fffe70519c8, globalObject=0x7fffa541a068, propertyName=..., slot=...) at Source/JavaScriptCore/runtime/JSObjectInlines.h:161
    #14 0x00007ffff5316da2 in JSC::JSObject::getPropertySlot<false> (this=0x7fffe70519c8, globalObject=0x7fffa541a068, propertyName=..., slot=...) at Source/JavaScriptCore/runtime/JSObject.h:1506
    #15 0x00007ffff5dc42d3 in JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Int16Adaptor> > (globalObject=0x7fffa541a068, structure=0x7ffe000093d0, firstValue=..., offset=0, lengthOpt=std::optional<unsigned long> [no contained value])
        at Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:188
    #16 0x00007ffff6d0c3b9 in JSC::constructGenericTypedArrayViewImpl<JSC::JSGenericTypedArrayView<JSC::Int16Adaptor> > (globalObject=0x7fffa541a068, callFrame=0x7fffffffc7a0) at Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:285
    #17 0x00007ffff6d07e0d in JSC::constructInt16Array (globalObject=0x7fffa541a068, callFrame=0x7fffffffc7a0) at Source/JavaScriptCore/runtime/JSTypedArrays.cpp:59
    #18 0x00007fffa6c000c7 in ?? ()
    #19 0x00007fffffffc830 in ?? ()
    #20 0x00007ffff51e5463 in js_trampoline_op_construct () from WebKitBuild/Debug/lib/libJavaScriptCore.so.1

I'm not sure if this assertion has any security implications, so I'm filing this as a security issue as a precaution.