Bug 196306
| Summary: | [WebKit/JavaScriptCore] Assertion failed at Source/JavaScriptCore/runtime/JSArray.h:276 | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Suyoung Lee <sevendays37> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | | |
| Severity: | Normal | CC: | ap, fpizlo |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Suyoung Lee
The debug build of JavaScriptCore failed an assertion at Source/JavaScriptCore/runtime/JSArray.h:276.
PoC:
```js
var var_0 = [];
for (var var_1 = 0; var_1 < 100000; ++var_1)
    var_0.push(new Array(var_1));
```
Commit: 6369975
OS: Ubuntu 18.04.1 LTS
Arch: x86_64
Alexey Proskuryakov
This test hits out of memory, so the process is intentionally terminated.