[Webkit-unassigned] [Bug 282812] New: ASSERTION FAILED: JSValue::decode(structValue.asRef()).isNull()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 7 21:56:02 PST 2024


https://bugs.webkit.org/show_bug.cgi?id=282812

            Bug ID: 282812
           Summary: ASSERTION FAILED:
                    JSValue::decode(structValue.asRef()).isNull()
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fufuyqqqqqq at gmail.com

Created attachment 473180

  --> https://bugs.webkit.org/attachment.cgi?id=473180&action=review

poc.js

### Title
ASSERTION FAILED: JSValue::decode(structValue.asRef()).isNull()
### Environment
```
OS      : Linux Ubuntu
Commit  : a6d261838dcb9f9e9c7bad991bc3d880ae5358ee
Build   : ./Tools/Scripts/build-jsc  --debug --jsc-only --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-15' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-15' -DCMAKE_CXX_FLAGS='-O3 -lrt  -Wno-error=cast-align -std=c++20 -stdlib=libc++'"
```

### Proof of concept
Run jsc:
```
/WebKit/build/JSCOnly/Debug/bin/jsc  /tmp/poc.js
```

### Output
```
ASSERTION FAILED: JSValue::decode(structValue.asRef()).isNull()
/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp(2197) : JSC::Wasm::BBQJITImpl::PartialResult JSC::Wasm::BBQJITImpl::BBQJIT::addStructGet(JSC::Wasm::ExtGCOpType, JSC::Wasm::BBQJITImpl::BBQJIT::Value, const JSC::Wasm::StructType &, uint32_t, JSC::Wasm::BBQJITImpl::BBQJIT::Value &)
1   0x55a16b7255b9 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2e735b9) [0x55a16b7255b9]
2   0x55a16b6c4842 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2e12842) [0x55a16b6c4842]
3   0x55a16b6aca9b /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2dfaa9b) [0x55a16b6aca9b]
4   0x55a16b691019 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2ddf019) [0x55a16b691019]
5   0x55a16b68fda1 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2dddda1) [0x55a16b68fda1]
6   0x55a16b613236 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2d61236) [0x55a16b613236]
7   0x55a16b6109c4 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x2d5e9c4) [0x55a16b6109c4]
8   0x55a16ba402f1 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x318e2f1) [0x55a16ba402f1]
9   0x55a16bbd6d94 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x3324d94) [0x55a16bbd6d94]
10  0x55a16bc0ae8a /WebKit/build/JSCOnly/Debug/bin/jsc(+0x3358e8a) [0x55a16bc0ae8a]
11  0x55a16bcef768 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x343d768) [0x55a16bcef768]
12  0x7f37db864609 /lib/x86_64-linux-gnu/libpthread.so.0(+0x8609) [0x7f37db864609]
13  0x7f37db4b4353 clone
Aborted
```

### Stack dump
```
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffa8f64700 (0x00007fffa8f64700)
RCX: 0x7ffff5a9300b (<raise+203>:       mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffa8f59ce0 --> 0x0 
RDI: 0x2 
RBP: 0x55555584a192 ("JSC::Wasm::BBQJITImpl::PartialResult JSC::Wasm::BBQJITImpl::BBQJIT::addStructGet(JSC::Wasm::ExtGCOpType, JSC::Wasm::BBQJITImpl::BBQJIT::Value, const JSC::Wasm::StructType &, uint32_t, JSC::Wasm::BBQJI"...)
RSP: 0x7fffa8f59ce0 --> 0x0 
RIP: 0x7ffff5a9300b (<raise+203>:       mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7fffa8f59ce0 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x40fe01 
R13: 0x7fffa8f5d4b8 --> 0x555500000000 ('')
R14: 0xe3 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff5a92fff <raise+191>:  mov    edi,0x2
   0x7ffff5a93004 <raise+196>:  mov    eax,0xe
   0x7ffff5a93009 <raise+201>:  syscall 
=> 0x7ffff5a9300b <raise+203>:  mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff5a93013 <raise+211>:  xor    rax,QWORD PTR fs:0x28
   0x7ffff5a9301c <raise+220>:  jne    0x7ffff5a93044 <raise+260>
   0x7ffff5a9301e <raise+222>:  mov    eax,r8d
   0x7ffff5a93021 <raise+225>:  add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffa8f59ce0 --> 0x0 
0008| 0x7fffa8f59ce8 ("sult != ")
0016| 0x7fffa8f59cf0 --> 0x0 
0024| 0x7fffa8f59cf8 --> 0x0 
0032| 0x7fffa8f59d00 --> 0xbfe552222222222d 
0040| 0x7fffa8f59d08 --> 0x0 
0048| 0x7fffa8f59d10 --> 0x3fe99555551519c7 
0056| 0x7fffa8f59d18 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff5a9300b in raise () from /lib/x86_64-linux-gnu/libc.so.6
gdb-peda$ bt
#0  0x00007ffff5a9300b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff5a72859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x000055555641399a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:912
#3  0x00005555583c75ce in JSC::Wasm::BBQJITImpl::BBQJIT::addStructGet (this=0x7fffa8f5d4b8, structGetKind=JSC::Wasm::ExtGCOpType::StructGet, structValue=..., structType=..., fieldIndex=<optimized out>, result=...) at /WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:2197
#4  0x0000555558366842 in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseExpression (this=this at entry=0x7fffa8f5dea0) at /WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2646
#5  0x000055555834ea9b in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseBody (this=this at entry=0x7fffa8f5dea0) at /WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:526
#6  0x0000555558333019 in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parse (this=this at entry=0x7fffa8f5dea0) at /WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:479
#7  0x0000555558331da1 in JSC::Wasm::parseAndCompileBBQ (compilationContext=..., callee=..., function=..., signature=..., unlinkedWasmToWasmCalls=..., info=..., mode=<optimized out>, functionIndex=..., hasExceptionHandlers=..., loopIndexForOSREntry=<optimized out>)
    at /WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:5078
#8  0x00005555582b5236 in JSC::Wasm::BBQPlan::compileFunction (this=this at entry=0x7fffeb08f240, functionIndex=..., callee=..., context=..., unlinkedWasmToWasmCalls=...) at /WebKit/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:187
#9  0x00005555582b29c4 in JSC::Wasm::BBQPlan::work (this=0x7fffeb08f240) at /WebKit/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:99
#10 0x00005555586e22f1 in JSC::Wasm::Worklist::Thread::work (this=0x7fffeb037290) at /WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:108
#11 0x0000555558878d94 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /WebKit/Source/WTF/wtf/AutomaticThread.cpp:225
#12 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /WebKit/Source/WTF/wtf/Function.h:53
#13 0x00005555588ace8a in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /WebKit/Source/WTF/wtf/Function.h:82
#14 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at /WebKit/Source/WTF/wtf/Threading.cpp:266
#15 0x0000555558991768 in WTF::wtfThreadEntryPoint (context=0x7fffeb08d800) at /WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241
#16 0x00007ffff5f1f609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#17 0x00007ffff5b6f353 in clone () from /lib/x86_64-linux-gnu/libc.so.6
```

### Credit
Q1IQ(@q1iqF) and P1umer(@p1umer)
