274052 2024-05-12 04:22:13 -0700 [JSC] Add JSString::resolveRopeWithoutGC and use it in GC end phase 2024-06-20 23:32:29 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Linux RESOLVED FIXED InRadar P2 Normal --- 1 qbtly201 ysuzuki mark.lam nth10sd webkit-bug-importer ysuzuki oldest_to_newest 2034769 0 471376 qbtly201 2024-05-12 04:22:13 -0700 Created attachment 471376 original_poc ###### Webkit af7bd70a44bb1e3adae77f36bcc34a47daeeb9a4 ###### Build platform Ubuntu 22.04.3 ###### Build steps ./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=0512 --cmakeargs="-DENABLE_STATIC_JSC=ON" ###### Test case ``` function main() { error = (new Function(`return (function () { arguments.callee.displayName = 'a'.repeat(0x100000) + 'b'; `.repeat(100) + `return new Error();` + ` })();`.repeat(100)))(); main.apply(); } main(); ``` ###### Execution steps ./jsc poc.js ###### Output ASSERTION FAILED: isMarked(cell) ../../../Source/JavaScriptCore/heap/Heap.cpp(615) : void JSC::Heap::reportExtraMemoryAllocatedPossiblyFromAlreadyMarkedCell(const JSC::JSCell *, size_t) Thread 1 "jsc" received signal SIGABRT, Aborted. pwndbg> bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff5aa3859 in __GI_abort () at abort.c:79 #2 0x000000000042777a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:846 #3 0x00000000013804a0 in JSC::Heap::reportExtraMemoryAllocatedPossiblyFromAlreadyMarkedCell (this=this@entry=0x7fffa90000c8, cell=<optimized out>, cell@entry=0x7fffa94d94a0, size=<optimized out>, size@entry=1048577) at ../../../Source/JavaScriptCore/heap/Heap.cpp:615 #4 0x0000000001380828 in JSC::Heap::reportExtraMemoryAllocatedSlowCase (this=0x7fffa90000c8, deferralContext=0x0, cell=0x7fffa94d94a0, size=1048577) at ../../../Source/JavaScriptCore/heap/Heap.cpp:630 #5 0x0000000001c6a7da in JSC::Heap::reportExtraMemoryAllocated (this=0x7fffa90000c8, cell=0x7fffa94d94a0, size=1048577) at ../../../Source/JavaScriptCore/heap/HeapInlines.h:216 #6 JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::JSGlobalObject*) const::$_3>(JSC::JSGlobalObject*, JSC::JSRopeString::resolveRope(JSC::JSGlobalObject*) const::$_3&&) const (this=0x7fffa94d94a0, nullOrGlobalObjectForOOM=<optimized out>, function=...) at ../../../Source/JavaScriptCore/runtime/JSString.cpp:249 #7 JSC::JSRopeString::resolveRope (this=0x7fffa94d94a0, nullOrGlobalObjectForOOM=<optimized out>) at ../../../Source/JavaScriptCore/runtime/JSString.cpp:270 #8 0x0000000001b18fa2 in JSC::JSString::tryGetValue (this=0x7fffa94d94a0, allocationAllowed=true) at ../../../Source/JavaScriptCore/runtime/JSString.h:889 #9 JSC::getCalculatedDisplayName (vm=..., object=object@entry=0x7fffa947b440) at ../../../Source/JavaScriptCore/runtime/JSFunction.cpp:496 #10 0x0000000001eab3ff in JSC::StackFrame::functionName (this=<optimized out>, this@entry=0x7fffa95409b0, vm=...) at ../../../Source/JavaScriptCore/runtime/StackFrame.cpp:125 #11 0x0000000001eab881 in JSC::StackFrame::toString (this=0x7fffa95409b0, vm=...) at ../../../Source/JavaScriptCore/runtime/StackFrame.cpp:154 #12 0x00000000014d3067 in JSC::Interpreter::stackTraceAsString (vm=..., stackTrace=...) at ../../../Source/JavaScriptCore/interpreter/Interpreter.cpp:548 #13 0x00000000019b67ef in JSC::ErrorInstance::computeErrorInfo (this=0x7fffeb0384d8, vm=...) at ../../../Source/JavaScriptCore/runtime/ErrorInstance.cpp:266 #14 0x0000000001383588 in JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}::operator()(JSC::HeapCell*, JSC::HeapCell::Kind) const (this=<optimized out>, cell=0x2, cell@entry=0x7fffa9000000) at ../../../Source/JavaScriptCore/heap/Heap.cpp:712 #15 JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&)::{lambda(JSC::PreciseAllocation*)#1}::operator()(JSC::PreciseAllocation*) const (this=<optimized out>, allocation=0x7fffeb038468) at ../../../Source/JavaScriptCore/heap/SubspaceInlines.h:84 #16 JSC::Subspace::forEachPreciseAllocation<JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&)::{lambda(JSC::PreciseAllocation*)#1}>(JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&)::{lambda(JSC::PreciseAllocation*)#1} const&) (this=<optimized out>, func=...) at ../../../Source/JavaScriptCore/heap/SubspaceInlines.h:66 #17 JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&) (this=<optimized out>, func=...) at ../../../Source/JavaScriptCore/heap/SubspaceInlines.h:81 #18 JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace> (this=0x7fffa90000c8, cellSet=..., collectionScope=<optimized out>) at ../../../Source/JavaScriptCore/heap/Heap.cpp:710 #19 JSC::Heap::finalizeUnconditionalFinalizers (this=this@entry=0x7fffa90000c8) at ../../../Source/JavaScriptCore/heap/Heap.cpp:752 #20 0x000000000138e6aa in JSC::Heap::runEndPhase (this=<optimized out>, this@entry=0x7fffa90000c8, conn=JSC::GCConductor::Mutator) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1667 #21 0x000000000138b308 in JSC::Heap::runCurrentPhase (this=this@entry=0x7fffa90000c8, conn=conn@entry=JSC::GCConductor::Mutator, currentThreadState=currentThreadState@entry=0x7fffffffcb00) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1372 #22 0x00000000013d0edd in JSC::Heap::collectInMutatorThread()::$_0::operator()(JSC::CurrentThreadState&) const (this=<optimized out>, state=...) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1993 #23 WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&) (argument=<optimized out>, arguments=...) at WTF/Headers/wtf/ScopedLambda.h:106 #24 0x0000000001418149 in WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(JSC::CurrentThreadState&) const (this=0x7fffffffcb68, arguments=...) at WTF/Headers/wtf/ScopedLambda.h:58 #25 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&) (lambda=...) at ../../../Source/JavaScriptCore/heap/MachineStackMarker.cpp:227 #26 0x0000000001393977 in JSC::Heap::collectInMutatorThread (this=this@entry=0x7fffa90000c8) at ../../../Source/JavaScriptCore/heap/Heap.cpp:2005 #27 0x0000000001393724 in JSC::Heap::stopIfNecessarySlow (this=this@entry=0x7fffa90000c8, oldState=5) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1974 #28 0x00000000013935be in JSC::Heap::stopIfNecessarySlow (this=0x7fffa90000c8) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1946 #29 0x000000000043646d in JSC::JSString::create (vm=..., value=...) at ../../../Source/JavaScriptCore/runtime/JSString.h:194 #30 0x0000000000ca14a9 in JSC::jsString (vm=..., s=...) at ../../../Source/JavaScriptCore/runtime/JSString.h:927 #31 JSC::jsString (vm=..., s=...) at ../../../Source/JavaScriptCore/runtime/JSString.h:965 #32 0x00000000018a870e in JSC::repeatCharacter<unsigned char> (globalObject=globalObject@entry=0x7fffa941a088, character=97 'a', repeatCount=repeatCount@entry=1048576) at ../../../Source/JavaScriptCore/runtime/JSStringInlines.h:107 #33 0x0000000001ec83c1 in JSC::stringProtoFuncRepeatCharacter (globalObject=0x7fffa941a088, callFrame=0x7fffffffce10) at ../../../Source/JavaScriptCore/runtime/StringPrototype.cpp:867 #34 0x00007fffaac216a6 in ?? () #35 0x00007fffffffcea0 in ?? () #36 0x0000000002533bee in llint_op_call () #37 0x0000000000000000 in ?? () 2034975 1 webkit-bug-importer 2024-05-13 10:10:36 -0700 <rdar://problem/128009982> 2042349 2 ysuzuki 2024-06-20 17:16:41 -0700 Yeah, this does not actually become a problem since it just increment external memory count (not actually allocating GC memory). So, handling as a normal crash issue on debug. 2042350 3 ysuzuki 2024-06-20 17:25:23 -0700 Pull request: https://github.com/WebKit/WebKit/pull/30028 2042385 4 ews-feeder 2024-06-20 23:32:27 -0700 Committed 280239@main (68768cee2adf): <https://commits.webkit.org/280239@main> Reviewed commits have been landed. Closing PR #30028 and removing active labels. 471376 2024-05-12 04:22:13 -0700 2024-05-12 04:22:13 -0700 original_poc original_poc.js text/javascript 476 qbtly201 Y29uc3QgTlVNX05FU1RFRF9GVU5DVElPTlMgPSAxMDA7CgpmdW5jdGlvbiBtYWluKCkgewogICAg Y29uc3QgZXJyb3IgPSAobmV3IEZ1bmN0aW9uKGByZXR1cm4gKGZ1bmN0aW9uICgpIHsgYXJndW1l bnRzLmNhbGxlZS5kaXNwbGF5TmFtZSA9ICdhJy5yZXBlYXQoMHgxMDAwMDApICsgJ2InOyBgLnJl cGVhdChOVU1fTkVTVEVEX0ZVTkNUSU9OUykgKyBgcmV0dXJuIG5ldyBFcnJvcigpO2AgKyBgIH0p KCk7YC5yZXBlYXQoTlVNX05FU1RFRF9GVU5DVElPTlMpKSkoKTsKbGV0IHpkeTAgPSBtYWluLmFw cGx5KG1haW4sIFtbXSwgWzYzLCB7J2wnOiAnR3c2OUsnLCAndic6IC05MDA3MTk5MjU0NzQwOTkw LCAndCc6ICdJbycsICdiJzogJ0RYOEUnfSwgLTAuMCwgLTIwLjk3MDc4NTM5NDU3NzgwMywgLTE4 LCAnY05MNW4nLCAtMl0sICdhT05rMEVYJywgLTgyLCAndHZtTWQ1ZGNiTSddKTsKCgogICAgZXJy b3Iuc3RhY2s7Cn0KCm1haW4oKTs=