[Webkit-unassigned] [Bug 281959] New: JavaScriptCore crashed in JSC::Wasm::slow_path_wasm_array_get
bugzilla-daemon at webkit.org
Wed Oct 23 02:21:19 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=281959
Bug ID: 281959
Summary: JavaScriptCore crashed in JSC::Wasm::slow_path_wasm_array_get
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebAssembly
Assignee: webkit-unassigned at lists.webkit.org
Reporter: xiangwei1895 at gmail.com
Created attachment 473015
--> https://bugs.webkit.org/attachment.cgi?id=473015&action=review
This file can be used to reproduce the issue.
JavaScriptCore crashed in JSC::Wasm::slow_path_wasm_array_get
I. Summary
The following sample causes JavaScriptCore to crash when executing a WebAssembly module that attempts to access an element of an array that failed to be created due to its excessive size. This issue exists in the latest version of JavaScriptCore.
PoC:
```js
load("wasm-module-builder.js");
const builder = new WasmModuleBuilder();
builder.startRecGroup();
let $array6 = builder.addArray(kWasmI32, true, kNoSuperType, false);
builder.endRecGroup();
let $sig8 = builder.addType(kSig_i_iii);
let main0 = builder.addFunction(undefined, $sig8).exportAs('main');
// Global initializer: array.new with init value 8 and 2147483647 elements,
// a size that makes the allocation fail.
let $global2 = builder.addGlobal(wasmRefType($array6), true, false, [
    kExprI32Const, 8,
    ...wasmI32Const(2147483647),
    kGCPrefix, kExprArrayNew, $array6
]);
// func $main: [kWasmI32, kWasmI32, kWasmI32] -> [kWasmI32]
main0.addBody([
    kExprGlobalGet, $global2.index,
    kExprLocalGet, 0,
    kGCPrefix, kExprArrayGet, $array6
]);
const instance = builder.instantiate();
try {
    print(instance.exports.main(1, 2, 3));
} catch (e) {
    print('caught exception', e);
}
```
Backtrace:
```text
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3598851==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000005 (pc 0x7fa523a865c6 bp 0x7ffff6662850 sp 0x7ffff6662780 T0)
==3598851==The signal is caused by a READ memory access.
==3598851==Hint: address points to the zero page.
    #0 0x7fa523a865c6 in JSC::TypeInfo::isObject(JSC::JSType) /data/workspace/WebKit/Source/JavaScriptCore/runtime/JSTypeInfo.h:87:53
    #1 0x7fa523a865c6 in JSC::JSCell::isObject() const /data/workspace/WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:230:12
    #2 0x7fa523a865c6 in JSC::JSValue::isObject() const /data/workspace/WebKit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:781:34
    #3 0x7fa523a865c6 in slow_path_wasm_array_get /data/workspace/WebKit/Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:412:5
    #4 0x7fa51de985e9 in wasm_array_get LowLevelInterpreter.cpp
    #5 0x7fa4d8c18756 (<unknown module>)
    #6 0x7fa51de90896 in llint_op_call_wide16 LowLevelInterpreter.cpp
    #7 0x7fa51de6d4ed in llint_call_javascript LowLevelInterpreter.cpp
    #8 0x7fa5213275d1 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) /data/workspace/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1149:28
    #9 0x7fa521eb9ba3 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) /data/workspace/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:138:37
    #10 0x558ecc4490d8 in runWithOptions(GlobalObject*, CommandLine&, bool&) /data/workspace/WebKit/Source/JavaScriptCore/jsc.cpp:3787:35
    #11 0x558ecc4490d8 in jscmain(int, char**)::$_11::operator()(JSC::VM&, GlobalObject*, bool&) const /data/workspace/WebKit/Source/JavaScriptCore/jsc.cpp:4468:13
    #12 0x558ecc4490d8 in int runJSC<jscmain(int, char**)::$_11>(CommandLine const&, bool, jscmain(int, char**)::$_11 const&) /data/workspace/WebKit/Source/JavaScriptCore/jsc.cpp:4259:13
    #13 0x558ecc43f665 in jscmain(int, char**) /data/workspace/WebKit/Source/JavaScriptCore/jsc.cpp:4461:18
    #14 0x558ecc43ead5 in main /data/workspace/WebKit/Source/JavaScriptCore/jsc.cpp:3545:15
    #15 0x7fa51a90cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/workspace/WebKit/Source/JavaScriptCore/runtime/JSTypeInfo.h:87:53 in JSC::TypeInfo::isObject(JSC::JSType)
==3598851==ABORTING
```
II. Root cause analysis
The crash occurs due to a mismatch between the error handling in the array creation process and the subsequent array access check. The key points are:
1. Array creation failure: In the `arrayNew` function, an attempt to create an excessively large array (size 4294967292) triggers an overflow check, causing the function to return an encoded `null` value.
2. Constant expression evaluation: The `evaluateConstantExpression` function interprets the result of the array creation as 0, which is then returned as `undefined` instead of `null`.
3. Slow path check: In the `slow_path_wasm_array_get` function, the `isNull()` check fails because the actual value is `undefined`, not `null`.
4. Incorrect assertion: The code proceeds to an assertion that should not be reached:
```cpp
ASSERT(arrayValue.isObject());
```
This leads to a null pointer dereference and causes the crash.
The root cause is the inconsistent handling of the array creation failure across different stages of execution, combined with insufficient type checking before accessing the array object.
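The following C++ model is an added illustration and is not JavaScriptCore's code. It reproduces the shape of the mismatch described in the four points above: array creation fails and reports `null`, the constant-expression path passes the result through a raw integer slot where `null` becomes 0 and decodes back as `undefined`, and the array-get consumer checks only `isNull()` before treating the value as an object. The tagged-value type, the size limit, the lossy encode/decode step, the function names and the defensive `isObject()`-first variant are all assumptions made for this example; `UnsafeDereference` stands in for the real code's failed `ASSERT(arrayValue.isObject())` and the read near address 0 that follows it.

```cpp
// Added model (not JavaScriptCore's code) of the null/undefined mismatch
// described in the report. Value encoding, names, size limit and the
// defensive variant of the check are assumptions for this example.
#include <cstdint>
#include <cstdio>
#include <deque>
#include <vector>

using ArrayObject = std::vector<int32_t>;
using Heap = std::deque<ArrayObject>;   // deque keeps element addresses stable

// Minimal tagged value standing in for JSC::JSValue (assumed encoding).
struct Value {
    enum class Tag { Undefined, Null, Object };
    Tag tag;
    ArrayObject* object;   // payload when tag == Object
    Value() : tag(Tag::Undefined), object(nullptr) {}
    Value(Tag t, ArrayObject* o) : tag(t), object(o) {}
    static Value undefined() { return Value(); }
    static Value null() { return Value(Tag::Null, nullptr); }
    static Value fromObject(ArrayObject* o) { return Value(Tag::Object, o); }
    bool isUndefined() const { return tag == Tag::Undefined; }
    bool isNull() const { return tag == Tag::Null; }
    bool isObject() const { return tag == Tag::Object; }
};

// Step 1 (array creation): oversized requests fail and the failure is
// reported as null. The limit is an assumed value for the model.
constexpr uint32_t kMaxArrayElements = 1u << 20;

Value arrayNew(uint32_t size, int32_t init, Heap& heap) {
    if (size > kMaxArrayElements)
        return Value::null();
    heap.emplace_back(size, init);
    return Value::fromObject(&heap.back());
}

// Step 2 (constant-expression evaluation): the result travels through a raw
// integer slot. Null encodes to 0 and the decoder maps 0 back to undefined,
// so the null/undefined distinction is lost (assumed mechanism, modelled on
// the report's "interprets the result as 0 ... returned as undefined").
uint64_t encodeLossy(const Value& v) {
    return v.isObject() ? static_cast<uint64_t>(reinterpret_cast<uintptr_t>(v.object)) : 0;
}
Value decodeLossy(uint64_t bits) {
    if (bits == 0)
        return Value::undefined();
    return Value::fromObject(reinterpret_cast<ArrayObject*>(static_cast<uintptr_t>(bits)));
}
Value evaluateGlobalInit(uint32_t size, int32_t init, Heap& heap) {
    return decodeLossy(encodeLossy(arrayNew(size, init, heap)));
}

// Step 3 (array.get): two shapes of the consumer check.
enum class Outcome { Ok, NullAccessTrap, OutOfBoundsTrap, UnsafeDereference };
struct GetResult { Outcome outcome; int32_t value; };

// Shape from the report: only isNull() is checked. An undefined array value
// gets past the check; the real code then asserts isObject() and dereferences
// near address 0. UnsafeDereference stands in for that crash in the model.
GetResult arrayGetNullCheckOnly(const Value& arrayValue, uint32_t index) {
    if (arrayValue.isNull())
        return {Outcome::NullAccessTrap, 0};
    if (!arrayValue.isObject())
        return {Outcome::UnsafeDereference, 0};
    const ArrayObject& arr = *arrayValue.object;
    if (index >= arr.size())
        return {Outcome::OutOfBoundsTrap, 0};
    return {Outcome::Ok, arr[index]};
}

// Defensive shape (an assumption, not the project's fix): anything that is
// not an array object is treated as a null access and trapped before any
// dereference, so the lossy step 2 cannot turn into a memory fault.
GetResult arrayGetObjectCheck(const Value& arrayValue, uint32_t index) {
    if (!arrayValue.isObject())
        return {Outcome::NullAccessTrap, 0};
    const ArrayObject& arr = *arrayValue.object;
    if (index >= arr.size())
        return {Outcome::OutOfBoundsTrap, 0};
    return {Outcome::Ok, arr[index]};
}

int main() {
    Heap heap;
    // Same operands as the PoC's array.new: init value 8, 2147483647 elements.
    Value global = evaluateGlobalInit(2147483647u, 8, heap);
    std::printf("global is undefined: %d, null: %d\n", global.isUndefined(), global.isNull());
    std::printf("null-check-only outcome: %d\n", static_cast<int>(arrayGetNullCheckOnly(global, 1).outcome));
    std::printf("object-check outcome:    %d\n", static_cast<int>(arrayGetObjectCheck(global, 1).outcome));
    return 0;
}
```

The point the model makes is the one in the analysis: a producer that encodes failure as `null` and a consumer that only tests `isNull()` are coupled through every intermediate stage, and a single lossy stage in between (here the constant-expression evaluator) silently converts a trappable condition into an assertion failure and a read from the zero page. Checking the positive property the consumer actually needs (`isObject()`) rather than one specific failure encoding removes that dependency on the intermediate stages.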
III. Reproduce
JavaScriptCore version (commit): b4239a38c109a1f5980fc9c1cfe9a98cd3328741
Build platform: Ubuntu 22.04.2 LTS
Build Command: ./Tools/Scripts/build-jsc --debug --jsc-only
Execution Command: ./jsc poc.js