Bug 259507

Summary: WebKit Debug DFGFixupPhase Assertion Failure
Product: WebKit Reporter: bigsean123
Component: JavaScriptCoreAssignee: WebKit Security Group <webkit-security-unassigned>
Status: NEW ---    
Severity: Normal CC: bfulgham, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Mac (Apple Silicon)   
OS: macOS 13   

Description bigsean123 2023-07-25 16:47:47 PDT 
running git log shows commit a5fec4a8500ecf6353ba31991c4b81e2029a6afc (HEAD, origin/main, origin/HEAD, main)
Author: Charlie Wolfe <charliew@apple.com>
Date:   Thu Jul 6 16:57:52 2023 -0700

    Fix internal Apple builds after 265828@main
    https://bugs.webkit.org/show_bug.cgi?id=258952
    rdar://111877556
    
    Unreviewed build fix.
    
    UUID -> WTF::UUID


Both Debug with assertion failure 
Seems to only crash with Debug build with --useConcurrentJIT=false flag banned as follows:

./jsc --validateOptions=true --useConcurrentGC=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=false /Users/bootywarrior/Desktop/oob.js

[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 1067055 edges
ASSERTION FAILED: m_graph.canOptimizeStringObjectAccess(node->origin.semantic)
/Users/bootywarrior/Desktop/WebKit/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp(3757) : auto JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node *)::(anonymous class)::operator()(JSC::DFG::Edge &) const
1   0x106eabac8 WTFCrash
2   0x1061a1390 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x1054d51c4 JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&) const
4   0x1054c20ac JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)
5   0x1054b5660 JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*)
6   0x1054b2d3c JSC::DFG::FixupPhase::run()
7   0x10546de90 bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&)
8   0x1055ed4e4 JSC::DFG::Plan::compileInThreadImpl()
9   0x105f36330 JSC::JITPlan::compileInThread(JSC::JITWorklistThread*)
10  0x105f8acc4 JSC::JITWorklist::enqueue(WTF::Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan>>)
11  0x10546c4c4 JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::JITCompilationMode, JSC::BytecodeIndex, JSC::Operands<std::__1::optional<JSC::JSValue>, WTF::Vector<std::__1::optional<JSC::JSValue>, 0ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc>> const&, WTF::Ref<JSC::DeferredCompilationCallback, WTF::RawPtrTraits<JSC::DeferredCompilationCallback>>&&)
12  0x105ef17f4 operationOptimize
13  0x130840d14 (null)
14  0x104ad2b80 vmEntryToJavaScript
15  0x105df8da8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
16  0x10623d7b4 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
17  0x104a80dfc int runJSC<jscmain(int, char**)::$_7>(CommandLine const&, bool, jscmain(int, char**)::$_7 const&)
18  0x104a7d2e8 jscmain(int, char**)
19  0x104a7cd7c main
20  0x195897f28 start
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==50397==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x000106eabad0 bp 0x00016b38bff0 sp 0x00016b38bff0 T6938220)
==50397==The signal is caused by a WRITE memory access.
    #0 0x106eabad0 in WTFCrash Assertions.cpp:327
    #1 0x1061a138c in WTFCrashWithInfo(int, char const*, char const*, int) Assertions.h:762
    #2 0x1054d51c0 in JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&) const DFGFixupPhase.cpp:3757
    #3 0x1054c20a8 in JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*) DFGFixupPhase.cpp:3745
    #4 0x1054b565c in JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*) DFGFixupPhase.cpp:550
    #5 0x1054b2d38 in JSC::DFG::FixupPhase::run() DFGFixupPhase.cpp:57
    #6 0x10546de8c in bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&) DFGPhase.h:95
    #7 0x1055ed4e0 in JSC::DFG::Plan::compileInThreadImpl() DFGPlan.cpp:259
    #8 0x105f3632c in JSC::JITPlan::compileInThread(JSC::JITWorklistThread*) JITPlan.cpp:172
    #9 0x105f8acc0 in JSC::JITWorklist::enqueue(WTF::Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan>>) JITWorklist.cpp:84
    #10 0x10546c4c0 in JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::JITCompilationMode, JSC::BytecodeIndex, JSC::Operands<std::__1::optional<JSC::JSValue>, WTF::Vector<std::__1::optional<JSC::JSValue>, 0ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc>> const&, WTF::Ref<JSC::DeferredCompilationCallback, WTF::RawPtrTraits<JSC::DeferredCompilationCallback>>&&) DFGDriver.cpp:106
    #11 0x105ef17f0 in operationOptimize JITOperations.cpp:2309
    #12 0x130840d10  (<unknown module>)
    #13 0x104ad2b7c in vmEntryToJavaScript+0x100 (jsc:arm64+0x100062b7c) (BuildId: 2be14f68bcb33bc1be765002813ed97232000000200000000100000000000d00)
    #14 0x105df8da4 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) Interpreter.cpp:1025
    #15 0x10623d7b0 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) Completion.cpp:137
    #16 0x104a80df8 in int runJSC<jscmain(int, char**)::$_7>(CommandLine const&, bool, jscmain(int, char**)::$_7 const&) jsc.cpp:4087
    #17 0x104a7d2e4 in jscmain(int, char**) jsc.cpp:4286
    #18 0x104a7cd78 in main jsc.cpp:3426
    #19 0x195897f24  (<unknown module>)

==50397==Register values:
 x[0] = 0x000000016b38be90   x[1] = 0x0000000000000000   x[2] = 0x00000000000120a8   x[3] = 0x000000016b38b87e  
 x[4] = 0x0000000195b00a6f   x[5] = 0x000000016b38bdd0   x[6] = 0x000000000000000a   x[7] = 0x0000000000000000  
 x[8] = 0x00000000bbadbeef   x[9] = 0x7e6fc1bbda4400a0  x[10] = 0x0000000000000001  x[11] = 0x00000000fffffffd  
x[12] = 0x0000010000000000  x[13] = 0x0000000000000000  x[14] = 0x0000000000000000  x[15] = 0x0000000000000000  
x[16] = 0x0000000195bb08ec  x[17] = 0x00000001f5b78e18  x[18] = 0x0000000000000000  x[19] = 0x00000001075cae0b  
x[20] = 0x00000001075cb3e2  x[21] = 0x000000016b38c078  x[22] = 0x0000000112042480  x[23] = 0x0000000107fb4000  
x[24] = 0x000000000000005b  x[25] = 0x000000016b38c390  x[26] = 0x0000000000000000  x[27] = 0x0000000112042600  
x[28] = 0x000000016b38c390     fp = 0x000000016b38bff0     lr = 0x0000000106eabac8     sp = 0x000000016b38bff0  
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV Assertions.cpp:327 in WTFCrash
==50397==ABORTING

minimal POC : 

for(var i = 0; i < 1000; i++) {
    (-2 + "-2147483647")+{};
}


Original POC :

for (let [i14, i15] = (() => {
        function F2(a4) {
            if (!new.target) { throw 'must be called with new'; }
        }
        const v5 = new F2(10);
        const v10 = JSON.stringify(2).substring();
        ("O" + v5) + v10;
        for (let v13 = 0; v13 < 1000000; v13++) {
        }
        return [-4294967297, 10];
    })();
    i15;
    i15--) {
}
// CRASH INFO
// ==========
// INSTANCE TAG: 
// TERMSIG: 11
// STDERR:
// ASSERTION FAILED: m_graph.canOptimizeStringObjectAccess(node->origin.semantic)
// /Users/bootywarrior/Desktop/WebKit/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp(3757) : auto JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node *)::(anonymous class)::operator()(JSC::DFG::Edge &) const
// 1   0x106d67ac8 WTFCrash
// 2   0x10605d390 WTFCrashWithInfo(int, char const*, char const*, int)
// 3   0x1053911c4 JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&)::operator()(JSC::DFG::Edge&) const
// 4   0x105390e64 void JSC::DFG::Graph::doToChildrenWithNode<void JSC::DFG::Graph::doToChildren<JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&)>(JSC::DFG::Node*, JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&) const&)::ForwardingFunc>(JSC::DFG::Node*, JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)::'lambda0'(JSC::DFG::Edge&) const&)
// 5   0x10537e0ac JSC::DFG::FixupPhase::attemptToMakeFastStringAdd(JSC::DFG::Node*)
// 6   0x105371660 JSC::DFG::FixupPhase::fixupNode(JSC::DFG::Node*)
// 7   0x10536ed3c JSC::DFG::FixupPhase::run()
// 8   0x105329e90 bool JSC::DFG::runPhase<JSC::DFG::FixupPhase>(JSC::DFG::Graph&)
// 9   0x1054a94e4 JSC::DFG::Plan::compileInThreadImpl()
// 10  0x105df2330 JSC::JITPlan::compileInThread(JSC::JITWorklistThread*)
// 11  0x105e46cc4 JSC::JITWorklist::enqueue(WTF::Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan>>)
// 12  0x1053284c4 JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::JITCompilationMode, JSC::BytecodeIndex, JSC::Operands<std::__1::optional<JSC::JSValue>, WTF::Vector<std::__1::optional<JSC::JSValue>, 0ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc>> const&, WTF::Ref<JSC::DeferredCompilationCallback, WTF::RawPtrTraits<JSC::DeferredCompilationCallback>>&&)
// 13  0x105dad7f4 operationOptimize
// 14  0x12c0507d8 (null)
// 15  0x1049b4d2c llint_entry
// 16  0x10498eb80 vmEntryToJavaScript
// 17  0x105cb4da8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
// 18  0x1060f97b4 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
// 19  0x10493cdfc int runJSC<jscmain(int, char**)::$_7>(CommandLine const&, bool, jscmain(int, char**)::$_7 const&)
// 20  0x1049392e8 jscmain(int, char**)
// 21  0x104938d7c main
// 22  0x195897f28 start
// STDOUT:
Comment 1 Radar WebKit Bug Importer 2023-07-25 16:47:59 PDT 
<rdar://problem/112868556>