Bug 254728

The following sample causes an assertion failure on JSC debug builds from latest HEAD: function f1() { } const o2 = { "getOwnPropertyDescriptor": f1, }; const v4 = new Proxy(Date, o2); const v7 = new Int16Array(v4.bind()); // CRASH INFO // ========== // TERMSIG: 6 // STDERR: // ASSERTION FAILED: cursor->inherits<JSFunction>() // Source/JavaScriptCore/runtime/JSBoundFunction.cpp(330) : double JSC::JSBoundFunction::lengthSlow(JSC::VM &) // EXECUTION TIME: 57ms Here is the stacktrace from gdb: #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44 #1 0x00007ffff16add2f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78 #2 0x00007ffff165eef2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007ffff1649472 in __GI_abort () at ./stdlib/abort.c:79 #4 0x00007ffff520639b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:758 #5 0x00007ffff6b3a645 in JSC::JSBoundFunction::lengthSlow (this=0x7fffe70519c8, vm=...) at Source/JavaScriptCore/runtime/JSBoundFunction.cpp:330 #6 0x00007ffff6b49e2c in JSC::JSBoundFunction::length (this=0x7fffe70519c8, vm=...) at Source/JavaScriptCore/runtime/JSBoundFunction.h:80 #7 0x00007ffff6b47eaf in JSC::JSFunction::originalLength (this=0x7fffe70519c8, vm=...) at Source/JavaScriptCore/runtime/JSFunctionInlines.h:129 #8 0x00007ffff6b73b83 in JSC::JSFunction::reifyLength (this=0x7fffe70519c8, vm=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:555 #9 0x00007ffff6b7408e in JSC::JSFunction::reifyLazyLengthIfNeeded (this=0x7fffe70519c8, vm=..., propertyName=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:652 #10 0x00007ffff6b73e41 in JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded (this=0x7fffe70519c8, vm=..., globalObject=0x7fffa541a068, propertyName=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:627 #11 0x00007ffff6b72c8f in JSC::JSFunction::reifyLazyPropertyIfNeeded (this=0x7fffe70519c8, vm=..., globalObject=0x7fffa541a068, propertyName=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:609 #12 0x00007ffff6b709f5 in JSC::JSFunction::getOwnPropertySlot (object=0x7fffe70519c8, globalObject=0x7fffa541a068, propertyName=..., slot=...) at Source/JavaScriptCore/runtime/JSFunction.cpp:348 #13 0x00007ffff53181b9 in JSC::JSObject::getNonIndexPropertySlot (this=0x7fffe70519c8, globalObject=0x7fffa541a068, propertyName=..., slot=...) at Source/JavaScriptCore/runtime/JSObjectInlines.h:161 #14 0x00007ffff5316da2 in JSC::JSObject::getPropertySlot<false> (this=0x7fffe70519c8, globalObject=0x7fffa541a068, propertyName=..., slot=...) at Source/JavaScriptCore/runtime/JSObject.h:1506 #15 0x00007ffff5dc42d3 in JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Int16Adaptor> > (globalObject=0x7fffa541a068, structure=0x7ffe000093d0, firstValue=..., offset=0, lengthOpt=std::optional<unsigned long> [no contained value]) at Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:188 #16 0x00007ffff6d0c3b9 in JSC::constructGenericTypedArrayViewImpl<JSC::JSGenericTypedArrayView<JSC::Int16Adaptor> > (globalObject=0x7fffa541a068, callFrame=0x7fffffffc7a0) at Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:285 #17 0x00007ffff6d07e0d in JSC::constructInt16Array (globalObject=0x7fffa541a068, callFrame=0x7fffffffc7a0) at Source/JavaScriptCore/runtime/JSTypedArrays.cpp:59 #18 0x00007fffa6c000c7 in ?? () #19 0x00007fffffffc830 in ?? () #20 0x00007ffff51e5463 in js_trampoline_op_construct () from WebKitBuild/Debug/lib/libJavaScriptCore.so.1 I'm not sure if this assertion has any security implications, so I'm filing this as a security issue as a precaution.