Bug 259507

Summary: WebKit Debug DFGFixupPhase Assertion Failure
Product: WebKit
Reporter: bigsean123
Component: JavaScriptCore
Assignee: WebKit Security Group <webkit-security-unassigned>
Status: NEW
Severity: Normal
CC: bfulgham, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Mac (Apple Silicon)
OS: macOS 13

bigsean123
Reported 2023-07-25 16:47:47 PDT
running git log shows

    commit a5fec4a8500ecf6353ba31991c4b81e2029a6afc (HEAD, origin/main, origin/HEAD, main)
    Author: Charlie Wolfe <charliew@apple.com>
    Date:   Thu Jul 6 16:57:52 2023 -0700

        Fix internal Apple builds after 265828@main
        https://bugs.webkit.org/show_bug.cgi?id=258952
        rdar://111877556

        Unreviewed build fix.

        UUID -> WTF::UUID

Both Debug with assertion failure. Seems to only crash with Debug build with --useConcurrentJIT=false flag, ran as follows:

    ./jsc --validateOptions=true --useConcurrentGC=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=false /Users/bootywarrior/Desktop/oob.js

    [COV] no shared memory bitmap available, skipping
    [COV] edge counters initialized. Shared memory: (null) with 1067055 edges
    ASSERTION FAILED: m_graph.canOptimizeStringObjectAccess(node->origin.semantic)
    /Users/bootywarrior/Desktop/WebKit/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp(3757) : auto JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node *)::(anonymous class)::operator()(JSC::DFG::Edge &) const
    1   0x106eabac8 WTFCrash
    2   0x1061a1390 WTFCrashWithInfo(int, char const*, char const*, int)
    3   0x1054d51c4 JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&) const
    4   0x1054c20ac JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)
    5   0x1054b5660 JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*)
    6   0x1054b2d3c JSC::DFG::FixupPhase::run()
    7   0x10546de90 bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&)
    8   0x1055ed4e4 JSC::DFG::Plan::compileInThreadImpl()
    9   0x105f36330 JSC::JITPlan::compileInThread(JSC::JITWorklistThread*)
    10  0x105f8acc4 JSC::JITWorklist::enqueue(WTF::Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan>>)
    11  0x10546c4c4 JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::JITCompilationMode, JSC::BytecodeIndex, JSC::Operands<std::__1::optional<JSC::JSValue>, WTF::Vector<std::__1::optional<JSC::JSValue>, 0ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc>> const&, WTF::Ref<JSC::DeferredCompilationCallback, WTF::RawPtrTraits<JSC::DeferredCompilationCallback>>&&)
    12  0x105ef17f4 operationOptimize
    13  0x130840d14 (null)
    14  0x104ad2b80 vmEntryToJavaScript
    15  0x105df8da8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
    16  0x10623d7b4 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
    17  0x104a80dfc int runJSC<jscmain(int, char**)::$_7>(CommandLine const&, bool, jscmain(int, char**)::$_7 const&)
    18  0x104a7d2e8 jscmain(int, char**)
    19  0x104a7cd7c main
    20  0x195897f28 start
    UndefinedBehaviorSanitizer:DEADLYSIGNAL
    ==50397==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x000106eabad0 bp 0x00016b38bff0 sp 0x00016b38bff0 T6938220)
    ==50397==The signal is caused by a WRITE memory access.
        #0 0x106eabad0 in WTFCrash Assertions.cpp:327
        #1 0x1061a138c in WTFCrashWithInfo(int, char const*, char const*, int) Assertions.h:762
        #2 0x1054d51c0 in JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&) const DFGFixupPhase.cpp:3757
        #3 0x1054c20a8 in JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*) DFGFixupPhase.cpp:3745
        #4 0x1054b565c in JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*) DFGFixupPhase.cpp:550
        #5 0x1054b2d38 in JSC::DFG::FixupPhase::run() DFGFixupPhase.cpp:57
        #6 0x10546de8c in bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&) DFGPhase.h:95
        #7 0x1055ed4e0 in JSC::DFG::Plan::compileInThreadImpl() DFGPlan.cpp:259
        #8 0x105f3632c in JSC::JITPlan::compileInThread(JSC::JITWorklistThread*) JITPlan.cpp:172
        #9 0x105f8acc0 in JSC::JITWorklist::enqueue(WTF::Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan>>) JITWorklist.cpp:84
        #10 0x10546c4c0 in JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::JITCompilationMode, JSC::BytecodeIndex, JSC::Operands<std::__1::optional<JSC::JSValue>, WTF::Vector<std::__1::optional<JSC::JSValue>, 0ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc>> const&, WTF::Ref<JSC::DeferredCompilationCallback, WTF::RawPtrTraits<JSC::DeferredCompilationCallback>>&&) DFGDriver.cpp:106
        #11 0x105ef17f0 in operationOptimize JITOperations.cpp:2309
        #12 0x130840d10 (<unknown module>)
        #13 0x104ad2b7c in vmEntryToJavaScript+0x100 (jsc:arm64+0x100062b7c) (BuildId: 2be14f68bcb33bc1be765002813ed97232000000200000000100000000000d00)
        #14 0x105df8da4 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) Interpreter.cpp:1025
        #15 0x10623d7b0 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) Completion.cpp:137
        #16 0x104a80df8 in int runJSC<jscmain(int, char**)::$_7>(CommandLine const&, bool, jscmain(int, char**)::$_7 const&) jsc.cpp:4087
        #17 0x104a7d2e4 in jscmain(int, char**) jsc.cpp:4286
        #18 0x104a7cd78 in main jsc.cpp:3426
        #19 0x195897f24 (<unknown module>)
    ==50397==Register values:
     x[0] = 0x000000016b38be90   x[1] = 0x0000000000000000   x[2] = 0x00000000000120a8   x[3] = 0x000000016b38b87e
     x[4] = 0x0000000195b00a6f   x[5] = 0x000000016b38bdd0   x[6] = 0x000000000000000a   x[7] = 0x0000000000000000
     x[8] = 0x00000000bbadbeef   x[9] = 0x7e6fc1bbda4400a0  x[10] = 0x0000000000000001  x[11] = 0x00000000fffffffd
    x[12] = 0x0000010000000000  x[13] = 0x0000000000000000  x[14] = 0x0000000000000000  x[15] = 0x0000000000000000
    x[16] = 0x0000000195bb08ec  x[17] = 0x00000001f5b78e18  x[18] = 0x0000000000000000  x[19] = 0x00000001075cae0b
    x[20] = 0x00000001075cb3e2  x[21] = 0x000000016b38c078  x[22] = 0x0000000112042480  x[23] = 0x0000000107fb4000
    x[24] = 0x000000000000005b  x[25] = 0x000000016b38c390  x[26] = 0x0000000000000000  x[27] = 0x0000000112042600
    x[28] = 0x000000016b38c390    fp = 0x000000016b38bff0    lr = 0x0000000106eabac8    sp = 0x000000016b38bff0
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV Assertions.cpp:327 in WTFCrash
    ==50397==ABORTING

minimal POC :

    for(var i = 0; i < 1000; i++) {
        (-2 + "-2147483647")+{};
    }

Original POC :

    for (let [i14, i15] = (() => {
        function F2(a4) {
            if (!new.target) {
                throw 'must be called with new';
            }
        }
        const v5 = new F2(10);
        const v10 = JSON.stringify(2).substring();
        ("O" + v5) + v10;
        for (let v13 = 0; v13 < 1000000; v13++) {
        }
        return [-4294967297, 10];
    })(); i15; i15--) {
    }
    // CRASH INFO
    // ==========
    // INSTANCE TAG:
    // TERMSIG: 11
    // STDERR:
    // ASSERTION FAILED: m_graph.canOptimizeStringObjectAccess(node->origin.semantic)
    // /Users/bootywarrior/Desktop/WebKit/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp(3757) : auto JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node *)::(anonymous class)::operator()(JSC::DFG::Edge &) const
    // 1   0x106d67ac8 WTFCrash
    // 2   0x10605d390 WTFCrashWithInfo(int, char const*, char const*, int)
    // 3   0x1053911c4 JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&) const
    // 4   0x105390e64 void JSC::DFG::Graph::doToChildrenWithNode<void JSC::DFG::Graph::doToChildren<JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&)>(JSC::DFG::Node*, JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&) const&)::ForwardingFunc>(JSC::DFG::Node*, JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&) const&)
    // 5   0x10537e0ac JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)
    // 6   0x105371660 JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*)
    // 7   0x10536ed3c JSC::DFG::FixupPhase::run()
    // 8   0x105329e90 bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&)
    // 9   0x1054a94e4 JSC::DFG::Plan::compileInThreadImpl()
    // 10  0x105df2330 JSC::JITPlan::compileInThread(JSC::JITWorklistThread*)
    // 11  0x105e46cc4 JSC::JITWorklist::enqueue(WTF::Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan>>)
    // 12  0x1053284c4 JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::JITCompilationMode, JSC::BytecodeIndex, JSC::Operands<std::__1::optional<JSC::JSValue>, WTF::Vector<std::__1::optional<JSC::JSValue>, 0ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc>> const&, WTF::Ref<JSC::DeferredCompilationCallback, WTF::RawPtrTraits<JSC::DeferredCompilationCallback>>&&)
    // 13  0x105dad7f4 operationOptimize
    // 14  0x12c0507d8 (null)
    // 15  0x1049b4d2c llint_entry
    // 16  0x10498eb80 vmEntryToJavaScript
    // 17  0x105cb4da8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
    // 18  0x1060f97b4 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
    // 19  0x10493cdfc int runJSC<jscmain(int, char**)::$_7>(CommandLine const&, bool, jscmain(int, char**)::$_7 const&)
    // 20  0x1049392e8 jscmain(int, char**)
    // 21  0x104938d7c main
    // 22  0x195897f28 start
    // STDOUT:
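An added example, not part of the bug report: it runs the two string-add shapes the POCs exercise (number + string followed by + plain object, and ("O" + object) + string) many times and checks every iteration against the result the ECMAScript ToPrimitive rules require, so that a tier-up inconsistency in the fast string-add path would show up as a counted mismatch rather than only as a debug assertion. The names `F2`, `CASES` and `checkStringAdd` and the iteration count are assumptions of this example.

```javascript
// Added example (not the reporter's code): differential check of the POCs'
// string-add shapes against spec-mandated results across many iterations.

function F2(a4) {
  // Same constructor shape as the original POC: yields a plain object whose
  // ToPrimitive falls through to Object.prototype.toString -> "[object Object]".
  if (!new.target) { throw 'must be called with new'; }
}

// Each case is a thunk plus the value the spec requires for it.
const CASES = [
  {
    name: 'minimal POC: (number + string) + {}',
    // -2 + "-2147483647" concatenates because one operand is a string;
    // + {} then calls ToPrimitive on the object and appends "[object Object]".
    run: () => (-2 + "-2147483647") + {},
    expected: "-2-2147483647[object Object]",
  },
  {
    name: 'original POC: ("O" + object) + string',
    run: () => {
      const v5 = new F2(10);
      const v10 = JSON.stringify(2).substring(); // "2"
      return ("O" + v5) + v10;
    },
    expected: "O[object Object]2",
  },
];

// Runs every case `iterations` times (enough to cross the JIT thresholds the
// report lowers) and returns one mismatch count per case.
function checkStringAdd(iterations) {
  return CASES.map(({ name, run, expected }) => {
    let mismatches = 0;
    for (let i = 0; i < iterations; i++) {
      if (run() !== expected) mismatches++;
    }
    return { name, expected, mismatches };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkStringAdd(1000));
}
```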
Attachments
Radar WebKit Bug Importer
Comment 1 2023-07-25 16:47:59 PDT