[Webkit-unassigned] [Bug 282746] New: ASSERTION FAILED in JSC::JSImmutableButterfly::create

bugzilla-daemon at webkit.org
Thu Nov 7 01:41:33 PST 2024


https://bugs.webkit.org/show_bug.cgi?id=282746

            Bug ID: 282746
           Summary: ASSERTION FAILED in JSC::JSImmutableButterfly::create
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fufuyqqqqqq at gmail.com

Created attachment 473162

  --> https://bugs.webkit.org/attachment.cgi?id=473162&action=review

poc.js

### Environment
```
OS      : Linux Ubuntu
Commit  : a6d261838dcb9f9e9c7bad991bc3d880ae5358ee
Build   : ./Tools/Scripts/build-jsc  --debug --jsc-only --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-15' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-15' -DCMAKE_CXX_FLAGS='-O3 -lrt  -Wno-error=cast-align -std=c++20 -stdlib=libc++'"
```

Run jsc:
```
/WebKit/build/JSCOnly/Debug/bin/jsc  /tmp/poc.js
```

### Output
```
ASSERTION FAILED: array
/WebKit/Source/JavaScriptCore/runtime/JSImmutableButterfly.h(68) : static JSC::JSImmutableButterfly *JSC::JSImmutableButterfly::create(JSC::VM &, JSC::IndexingType, unsigned int)
1   0x559e108cca70 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x1351a70) [0x559e108cca70]
2   0x559e10868117 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x12ed117) [0x559e10868117]
3   0x559e1086740c /WebKit/build/JSCOnly/Debug/bin/jsc(+0x12ec40c) [0x559e1086740c]
4   0x559e108708df /WebKit/build/JSCOnly/Debug/bin/jsc(+0x12f58df) [0x559e108708df]
5   0x559e1084e715 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x12d3715) [0x559e1084e715]
6   0x559e10870d11 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x12f5d11) [0x559e10870d11]
7   0x559e1089efb8 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x1323fb8) [0x559e1089efb8]
8   0x559e10863653 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x12e8653) [0x559e10863653]
9   0x559e108a3299 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x1328299) [0x559e108a3299]
10  0x559e108a30bb /WebKit/build/JSCOnly/Debug/bin/jsc(+0x13280bb) [0x559e108a30bb]
11  0x559e108a3299 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x1328299) [0x559e108a3299]
12  0x559e108ac54d /WebKit/build/JSCOnly/Debug/bin/jsc(+0x133154d) [0x559e108ac54d]
13  0x559e1081757d /WebKit/build/JSCOnly/Debug/bin/jsc(+0x129c57d) [0x559e1081757d]
14  0x559e1080f640 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x1294640) [0x559e1080f640]
15  0x559e1080c04f /WebKit/build/JSCOnly/Debug/bin/jsc(+0x129104f) [0x559e1080c04f]
16  0x559e12179a91 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2bfea91) [0x559e12179a91]
17  0x559e1217b7fe /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2c007fe) [0x559e1217b7fe]
18  0x559e118afdf7 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2334df7) [0x559e118afdf7]
19  0x559e118af6d8 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x23346d8) [0x559e118af6d8]
20  0x7fc241b88017 [0x7fc241b88017]
```

### Stack dump
```
#0 0x1351a70 in JSC::JSImmutableButterfly::create(JSC::VM &, unsigned char, unsigned int) ()
#1 0x12ed117 in JSC::ArrayNode::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *)::$_43::operator()(JSC::RegisterID *, JSC::ElementNode *, unsigned int, bool)const ()
#2 0x12ec40c in JSC::ArrayNode::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *) ()
#3 0x12f58df in JSC::ArgumentListNode::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *) ()
#4 0x12d3715 in JSC::RegisterID * JSC::BytecodeGenerator::emitConstructImpl<JSC::OpConstruct>(JSC::RegisterID *, JSC::RegisterID *, JSC::RegisterID *, JSC::ExpectedFunction, JSC::CallArguments &, JSC::JSTextPosition const&, JSC::JSTextPosition const&, JSC::JSTextPosition const&) ()
#5 0x12f5d11 in JSC::NewExprNode::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *) ()
#6 0x13242a3 in JSC::AssignResolveNode::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *) ()
#7 0x12e8653 in JSC::BytecodeGenerator::emitNode(JSC::ExpressionNode *) ()
#8 0x1328299 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *) ()
#9 0x13280bb in JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *) ()
#10 0x1328299 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *) ()
#11 0x133154d in JSC::FunctionNode::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *) ()
#12 0x129c57d in JSC::BytecodeGenerator::generate(unsigned int &) ()
#13 0x1294640 in JSC::ParserError JSC::BytecodeGenerator::generate<JSC::FunctionNode, JSC::UnlinkedFunctionCodeBlock>(JSC::VM &, JSC::FunctionNode *, JSC::SourceCode const&, JSC::UnlinkedFunctionCodeBlock *, WTF::OptionSet<JSC::CodeGenerationMode>, WTF::RefPtr<JSC::TDZEnvironmentLink, WTF::RawPtrTraits<JSC::TDZEnvironmentLink>, WTF::DefaultRefDerefTraits<JSC::TDZEnvironmentLink>> const&, WTF::FixedVector<JSC::Identifier> const*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits, (WTF::ShouldValidateKey)0> const*) ()
#14 0x129104f in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM &, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError &, JSC::SourceParseMode) ()
#15 0x2bfea91 in JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction *, JSC::JSScope *) ()
#16 0x2c007fe in JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM &, JSC::JSFunction *, JSC::JSScope *, JSC::CodeSpecializationKind, JSC::CodeBlock *&) ()
#17 0x2334df7 in JSC::linkFor(JSC::VM &, JSC::JSCell *, JSC::CallFrame *, JSC::CallLinkInfo *) ()
#18 0x23346d8 in operationDefaultCall ()
```

### Credit
Q1IQ(@q1iqF) and P1umer(@p1umer)
