[Webkit-unassigned] [Bug 276936] New: ASSERTION FAILED: !(attributes & (PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor | PropertyAttribute::ReadOnly))
bugzilla-daemon at webkit.org
Tue Jul 23 01:33:16 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=276936
Bug ID: 276936
Summary: ASSERTION FAILED: !(attributes & (PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor | PropertyAttribute::ReadOnly))
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: entryhii at gmail.com
=============poc.js=============
// A class field named __proto__ is an ordinary field: each instance gets an
// own, enumerable data property "__proto__" (value undefined).
class C4 {
  __proto__;
}
const v5 = new C4();
// In an object literal only the plain `__proto__: value` form sets the
// prototype; a getter named __proto__ defines an own accessor property.
// The spread then copies v5's own enumerable "__proto__" data property onto
// the same key, so the engine has to redefine an existing accessor as a
// data property. That is the case the assertion below rejects.
const o7 = {
  get __proto__() {
    return C4;
  },
  ...v5,
};
================================
Run args:
./jsc ./poc.js
Result:
ASSERTION FAILED: !(attributes & (PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor | PropertyAttribute::ReadOnly))
webkit/Source/JavaScriptCore/runtime/JSObjectInlines.h(640) : void JSC::JSObject::validatePutOwnDataProperty(JSC::VM &, JSC::PropertyName, JSC::JSValue)
Crash Stack:
* thread #1, name = 'jsc', stop reason = signal SIGABRT
* frame #0: 0x00007ffff56afe5c libc.so.6`__pthread_kill_implementation + 268
frame #1: 0x00007ffff565fa76 libc.so.6`raise + 22
frame #2: 0x00007ffff56497fc libc.so.6`abort + 215
frame #3: 0x0000000000dc210a jsc`WTFCrashWithInfo((null)=640, (null)="/data/wjm/webkit_validate/Source/JavaScriptCore/runtime/JSObjectInlines.h", (null)="void JSC::JSObject::validatePutOwnDataProperty(JSC::VM &, JSC::PropertyName, JSC::JSValue)", (null)=2494) at Assertions.h:846:5
frame #4: 0x0000000001f2a952 jsc`JSC::JSObject::validatePutOwnDataProperty(this=<unavailable>, vm=0x00007fffa9000000, propertyName=PropertyName @ scalar, value=JSValue @ scalar) at JSObjectInlines.h:640:9
frame #5: 0x0000000001f54555 jsc`JSC::JSObject::putOwnDataPropertyBatching(JSC::VM&, WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>> const*, long const*, unsigned int) [inlined] JSC::JSObject::putOwnDataProperty(this=0x00007fffa94dc140, vm=0x00007fffa9000000, propertyName=PropertyName @ rbx, value=JSValue @ rbp, slot=0x00007fffffffd250) at JSObjectInlines.h:654:5
frame #6: 0x0000000001f54544 jsc`JSC::JSObject::putOwnDataPropertyBatching(this=0x00007fffa94dc140, vm=0x00007fffa9000000, properties=0x00007fffffffd400, values=<unavailable>, size=1) at JSObject.cpp:4145:9
frame #7: 0x0000000001ed15f1 jsc`JSC::globalFuncCopyDataProperties(globalObject=0x00007fffa941a088, callFrame=<unavailable>) at JSGlobalObjectFunctions.cpp:977:21
frame #8: 0x00007fffaae2c038
frame #9: 0x0000000000fd17d4 jsc`llint_op_call_ignore_result + 187
frame #10: 0x0000000000faecee jsc`llint_call_javascript + 6
frame #11: 0x0000000001a8cc64 jsc`JSC::Interpreter::executeProgram(this=<unavailable>, source=<unavailable>, (null)=<unavailable>, thisObj=0x00007fffeb01df48) at Interpreter.cpp:1144:28
frame #12: 0x0000000001d7235f jsc`JSC::evaluate(globalObject=0x00007fffa941a088, source=0x00007fffffffdb00, thisValue=JSValue @ 0x00007fffffffd9a8, returnedException=0x00007fffffffdb38) at Completion.cpp:138:37
frame #13: 0x0000000000dc61be jsc`int runJSC<jscmain(int, char**)::$_11>(CommandLine const&, bool, jscmain(int, char**)::$_11 const&) at jsc.cpp:3779:35
frame #14: 0x0000000000dc5cf1 jsc`int runJSC<jscmain(int, char**)::$_11>(CommandLine const&, bool, jscmain(int, char**)::$_11 const&) [inlined] jscmain(this=<unavailable>, vm=<unavailable>, globalObject=<unavailable>, success=0x00007fffffffda77)::$_11::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4469:13
frame #15: 0x0000000000dc5ce4 jsc`int runJSC<jscmain(int, char**)::$_11>(options=0x000000000295a040, isWorker=false, func=<unavailable>)::$_11 const&) at jsc.cpp:4251:13
frame #16: 0x0000000000dc3e6c jsc`jscmain(argc=2, argv=0x00007fffffffdec8) at jsc.cpp:4462:18
frame #17: 0x0000000000dc3a67 jsc`main(argc=2, argv=0x00007fffffffdec8) at jsc.cpp:3537:15
frame #18: 0x00007ffff564a510 libc.so.6`__libc_start_call_main + 128
frame #19: 0x00007ffff564a5c9 libc.so.6`__libc_start_main@@GLIBC_2.34 + 137
frame #20: 0x0000000000dbf525 jsc`_start + 37
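The following is an added example, not part of the report or of WebKit. It rebuilds the poc.js shapes as functions whose results can be asserted, so the spec-required outcome (ECMA-262 CopyDataProperties runs CreateDataPropertyOrThrow, which redefines the configurable `__proto__` accessor on o7 as a data property and leaves o7's prototype alone) can serve as a regression check once the engine no longer hits the assertion. The names C4, v5 and o7 follow the report; the helper functions and the second, key-parameterised variant are mine. The parameterised variant shows only the language rule (spread defines, it does not [[Set]]) for an arbitrary key; the report does not say whether JSC's fast path is tied to the name `__proto__`, and this example makes no claim about that.

```javascript
// Added example (not part of the report or of WebKit): the poc.js shapes,
// split into functions whose results a regression test can assert on.
// C4 / v5 / o7 follow the report; the helper names are mine.

// A class field named __proto__ is an ordinary field. DefineField uses
// CreateDataPropertyOrThrow, so every instance gets an own, enumerable data
// property "__proto__" with value undefined; the real prototype is untouched.
class C4 {
  __proto__;
}

function instanceShape() {
  const v5 = new C4();
  return {
    ownDescriptor: Object.getOwnPropertyDescriptor(v5, "__proto__"),
    enumerableKeys: Object.keys(v5),
    prototypeIsC4: Object.getPrototypeOf(v5) === C4.prototype,
  };
}

// In an object literal only the plain `__proto__: value` form sets the
// prototype; `get __proto__()` defines an own accessor. The spread is
// CopyDataProperties, which runs CreateDataPropertyOrThrow for each own
// enumerable key of v5. The accessor is configurable, so [[DefineOwnProperty]]
// must replace it with a plain data property holding v5's value (undefined),
// and o7's prototype stays Object.prototype. This is the step at which the
// report's debug jsc aborts in validatePutOwnDataProperty.
function spreadOverAccessor() {
  const v5 = new C4();
  const o7 = {
    get __proto__() {
      return C4;
    },
    ...v5,
  };
  const d = Object.getOwnPropertyDescriptor(o7, "__proto__");
  return {
    isDataProperty: d !== undefined && d.get === undefined && "value" in d,
    value: d === undefined ? null : d.value,
    writable: d !== undefined && d.writable === true,
    enumerable: d !== undefined && d.enumerable === true,
    configurable: d !== undefined && d.configurable === true,
    prototypeIsObjectPrototype: Object.getPrototypeOf(o7) === Object.prototype,
  };
}

// The spec-required outcome, as a single regression check.
function conformsToSpec() {
  const s = spreadOverAccessor();
  return s.isDataProperty && s.value === undefined && s.writable &&
    s.enumerable && s.configurable && s.prototypeIsObjectPrototype;
}

// The same rule with any key: spread defines, it does not [[Set]], so the
// target's getter is never called, no setter is needed, and the accessor is
// replaced by the source's data property. Whether JSC's fast path depends on
// the key being __proto__ is not something the report says; this only shows
// the language semantics the engine has to reproduce.
function spreadReplacesAccessor(key, sourceValue) {
  let getterCalls = 0;
  const source = {};
  Object.defineProperty(source, key, {
    value: sourceValue, writable: true, enumerable: true, configurable: true,
  });
  const target = {
    get [key]() {
      getterCalls += 1;
      return "from getter";
    },
    ...source,
  };
  const d = Object.getOwnPropertyDescriptor(target, key);
  return {
    getterCalls,
    isDataProperty: d !== undefined && d.get === undefined && "value" in d,
    value: d === undefined ? null : d.value,
  };
}

console.log(conformsToSpec() ? "spec-conformant" : "NOT spec-conformant");
```

Run it with any ES2022 engine (`node example.js` or `./jsc example.js`). A conforming engine prints "spec-conformant"; a debug jsc affected by this report aborts in validatePutOwnDataProperty before reaching the final line, which makes the script usable as-is in a regression suite.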