[Webkit-unassigned] [Bug 212399] New: JSC::CallFrame::uncheckedR object assert failed

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 26 20:41:07 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=212399

            Bug ID: 212399
           Summary: JSC::CallFrame::uncheckedR object assert failed
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: myoki.crystal at gmail.com

The bug is in object iterator, really simple.
Some type check must happen if the iterator can use `in` or not.
In this case, the index (string d) can not use `in` function. I know `1337` is not an Object, but it still crash in some way.
I am really new to JavaScriptCore and do not understand the design pattern fully, but I hope my POC can help. Thanks.

POC:
```
const v0 = {d:13.37};
for (const v1 in v0) {
        print(typeof(v1), v1);
        print(typeof(v0[v1]), v0[v1]);
        const v2 = v1 in 1337;
}
```

LOG:
```
string d
number 13.37

ASSERTION FAILED: !reg.isConstant()
../../Source/JavaScriptCore/interpreter/CallFrameInlines.h(44) : JSC::Register &JSC::CallFrame::uncheckedR(JSC::VirtualRegister)
1   0x114a6b8d9 WTFCrash
2   0x104896590 WTF::BasicRawSentinelNode<Worker, WTF::DumbPtrTraits<Worker> >::remove()
3   0x1113625a3 JSC::CallFrame::uncheckedR(JSC::VirtualRegister)
4   0x1134d367e slow_path_in_structure_property
5   0x10f6b2e02 llint_entry
6   0x10f69bf32 vmEntryToJavaScript
7   0x112ab449b JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
8   0x112ab1fa3 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
9   0x11351c4da JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
10  0x104975534 runWithOptions(GlobalObject*, CommandLine&, bool&)
11  0x1048f7174 jscmain(int, char**)::$_4::operator()(JSC::VM&, GlobalObject*, bool&) const
12  0x10489b6fe int runJSC<jscmain(int, char**)::$_4>(CommandLine const&, bool, jscmain(int, char**)::$_4 const&)
13  0x1048981ae jscmain(int, char**)
14  0x104897c8e main
15  0x7fff72122cc9 start
16  0xc
```

Steps to Reproduce:

1) Build Relaese with ASAN:
./Tools/Scripts/set-webkit-configuration --asan
./Tools/Scripts/build-webkit --jsc-only --release

2) Run JSC with JS file

Actual Results: JSC crashes with log like above

Expected Results: JSC should not crash (or raise Type Error because 1337 is not an Object)

Build Date & Hardware: commit at 751ec07c691376353670d0913d09a85d490395cd (Date:   Wed May 27 02:42:14 2020 +0000)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200527/c7ff7c5c/attachment.htm>

More information about the webkit-unassigned mailing list