Bug 209418
| Summary: | memory leaks in JSC::BytecodeGenerator::pushLexicalScopeInternal | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | hearmen |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | ap, ddkilzer, joepeck, ysuzuki |
| Priority: | P2 | ||
| Version: | WebKit Local Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
hearmen
run jsc with command `/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc' --validateOptions=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true 'poc.js`
find a memory leak.
poc
```
function main() {
const v2 = [13.37];
for (let v6 = 0; v6 <= 128; v6 = v6 + 1.0) {
function v9(v10,v11,v12,v13) {
function v14(v15,v16,v17,v18) {
return v13;
}
const v19 = v2 && v12;
if (v19) {
} else {
const v20 = {get:Symbol,deleteProperty:Symbol,defineProperty:v11,isExtensible:v9,has:v14,getOwnPropertyDescriptor:v14,ownKeys:v9,preventExtensions:v13,setPrototypeOf:Symbol};
for (let v23 = 4.0; v23 < 100; v23 = v23 + 4.0) {
function v24(v25,v26,v27,v28) {
let v29 = v23;
}
}
v20.toString = Symbol;
}
}
const v31 = [754009.531203313,3004183149,754009.531203313,754009.531203313,754009.531203313];
const v32 = -128 >> v31;
const v33 = v31.reduce(v9,v32);
}
}
noDFG(main);
noFTL(main);
main();
```
```
'/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc' --validateOptions=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true '/home/android/Desktop/JSC_Crash/new/crash_1581283836649_4415_deterministic_6.js'
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
=================================================================
==17051==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 192 byte(s) in 1 object(s) allocated from:
#0 0x7f472896cb90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
#1 0x7f47252f4458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
#2 0x7f47252f1f41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
#3 0x7f4725164945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
#4 0x7f4725164ebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
#5 0x7f4725163bc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
#6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
#7 0x7f4723b787c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
#8 0x7f4723bdd850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
#9 0x7f4723b7b26e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
#10 0x7f4723b7d975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
#11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
#12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
#13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
#14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
#15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
#16 0x7f4722955ab9 in void* JSC::tryAllocateCellHelper<JSC::SymbolTable>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4145ab9)
#17 0x7f4722934474 in void* JSC::allocateCell<JSC::SymbolTable>(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4124474)
#18 0x7f4722922790 in JSC::SymbolTable::create(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4112790)
#19 0x7f47228a24af in JSC::BytecodeGenerator::pushLexicalScopeInternal(JSC::VariableEnvironment&, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, JSC::BytecodeGenerator::TDZRequirement, JSC::BytecodeGenerator::ScopeType, JSC::BytecodeGenerator::ScopeRegisterType) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40924af)
#20 0x7f47228a2180 in JSC::BytecodeGenerator::pushLexicalScope(JSC::VariableEnvironmentNode*, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4092180)
#21 0x7f47228febf3 in JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40eebf3)
#22 0x7f472292e539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
#23 0x7f47229014e2 in JSC::ForNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40f14e2)
#24 0x7f472292e539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
#25 0x7f47229337b3 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x41237b3)
#26 0x7f47228fec33 in JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40eec33)
#27 0x7f472292e539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
#28 0x7f47229337b3 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x41237b3)
#29 0x7f4722933b27 in JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4123b27)
Direct leak of 192 byte(s) in 1 object(s) allocated from:
#0 0x7f472896cb90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
#1 0x7f47252f4458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
#2 0x7f47252f1f41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
#3 0x7f4725164945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
#4 0x7f4725164ebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
#5 0x7f4725163bc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
#6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
#7 0x7f4723b787c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
#8 0x7f4723bdd850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
#9 0x7f4723b7b26e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
#10 0x7f4723b7d975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
#11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
#12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
#13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
#14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
#15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
#16 0x7f4722955ab9 in void* JSC::tryAllocateCellHelper<JSC::SymbolTable>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4145ab9)
#17 0x7f4722934474 in void* JSC::allocateCell<JSC::SymbolTable>(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4124474)
#18 0x7f4722922790 in JSC::SymbolTable::create(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4112790)
#19 0x7f47228a24af in JSC::BytecodeGenerator::pushLexicalScopeInternal(JSC::VariableEnvironment&, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, JSC::BytecodeGenerator::TDZRequirement, JSC::BytecodeGenerator::ScopeType, JSC::BytecodeGenerator::ScopeRegisterType) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40924af)
#20 0x7f47228a2180 in JSC::BytecodeGenerator::pushLexicalScope(JSC::VariableEnvironmentNode*, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4092180)
#21 0x7f47229012cb in JSC::ForNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40f12cb)
#22 0x7f472292e539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
#23 0x7f47229337b3 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x41237b3)
#24 0x7f47228fec33 in JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40eec33)
#25 0x7f472292e539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
#26 0x7f47229337b3 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x41237b3)
#27 0x7f4722933b27 in JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4123b27)
#28 0x7f472290d02e in JSC::FunctionNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40fd02e)
#29 0x7f472288d691 in JSC::BytecodeGenerator::generate() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x407d691)
Direct leak of 192 byte(s) in 1 object(s) allocated from:
#0 0x7f472896cb90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
#1 0x7f47252f4458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
#2 0x7f47252f1f41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
#3 0x7f4725164945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
#4 0x7f4725164ebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
#5 0x7f4725163bc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
#6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
#7 0x7f4723b787c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
#8 0x7f4723bdd850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
#9 0x7f4723b7b26e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
#10 0x7f4723b7d975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
#11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
#12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
#13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
#14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
#15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
#16 0x7f4722955ab9 in void* JSC::tryAllocateCellHelper<JSC::SymbolTable>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4145ab9)
#17 0x7f4722934474 in void* JSC::allocateCell<JSC::SymbolTable>(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4124474)
#18 0x7f4722922790 in JSC::SymbolTable::create(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4112790)
#19 0x7f47228a24af in JSC::BytecodeGenerator::pushLexicalScopeInternal(JSC::VariableEnvironment&, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, JSC::BytecodeGenerator::TDZRequirement, JSC::BytecodeGenerator::ScopeType, JSC::BytecodeGenerator::ScopeRegisterType) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40924af)
#20 0x7f47228a2180 in JSC::BytecodeGenerator::pushLexicalScope(JSC::VariableEnvironmentNode*, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4092180)
#21 0x7f4722894963 in JSC::BytecodeGenerator::BytecodeGenerator(JSC::VM&, JSC::FunctionNode*, JSC::UnlinkedFunctionCodeBlock*, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::VariableEnvironment const*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4084963)
#22 0x7f47228836c3 in std::_MakeUniq<JSC::BytecodeGenerator>::__single_object std::make_unique<JSC::BytecodeGenerator, JSC::VM&, JSC::FunctionNode*&, JSC::UnlinkedFunctionCodeBlock*&, WTF::OptionSet<JSC::CodeGenerationMode>&, JSC::VariableEnvironment const*&>(JSC::VM&, JSC::FunctionNode*&, JSC::UnlinkedFunctionCodeBlock*&, WTF::OptionSet<JSC::CodeGenerationMode>&, JSC::VariableEnvironment const*&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40736c3)
#23 0x7f472287c38b in decltype(auto) WTF::makeUnique<JSC::BytecodeGenerator, JSC::VM&, JSC::FunctionNode*&, JSC::UnlinkedFunctionCodeBlock*&, WTF::OptionSet<JSC::CodeGenerationMode>&, JSC::VariableEnvironment const*&>(JSC::VM&, JSC::FunctionNode*&, JSC::UnlinkedFunctionCodeBlock*&, WTF::OptionSet<JSC::CodeGenerationMode>&, JSC::VariableEnvironment const*&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x406c38b)
#24 0x7f472287c66f in JSC::ParserError JSC::BytecodeGenerator::generate<JSC::FunctionNode, JSC::UnlinkedFunctionCodeBlock>(JSC::VM&, JSC::FunctionNode*, JSC::SourceCode const&, JSC::UnlinkedFunctionCodeBlock*, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::VariableEnvironment const*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x406c66f)
#25 0x7f4722871e7e in JSC::generateUnlinkedFunctionCodeBlock(JSC::VM&, JSC::UnlinkedFunctionExecutable*, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::UnlinkedFunctionKind, JSC::ParserError&, JSC::SourceParseMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4061e7e)
#26 0x7f4722874857 in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::SourceParseMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4064857)
#27 0x7f4724971752 in JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*, JSC::Exception*&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6161752)
#28 0x7f4724972257 in JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6162257)
#29 0x7f47231728c2 in JSC::Exception* JSC::ScriptExecutable::prepareForExecution<JSC::FunctionExecutable>(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x49628c2)
Direct leak of 160 byte(s) in 1 object(s) allocated from:
#0 0x7f472896cb90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
#1 0x7f47252f4458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
#2 0x7f47252f1f41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
#3 0x7f4725164945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
#4 0x7f4725164ebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
#5 0x7f4725163bc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
#6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
#7 0x7f4723b787c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
#8 0x7f4723bdd850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
#9 0x7f4723b7b26e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
#10 0x7f4723b7d975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
#11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
#12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
#13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
#14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
#15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
#16 0x7f472493b29d in void* JSC::tryAllocateCellHelper<JSC::PropertyTable>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x612b29d)
#17 0x7f472493908f in void* JSC::allocateCell<JSC::PropertyTable>(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x612908f)
#18 0x7f4724915932 in JSC::PropertyTable::create(JSC::VM&, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6105932)
#19 0x7f47249c77cf in JSC::Structure::materializePropertyTable(JSC::VM&, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61b77cf)
#20 0x7f47249ca48c in JSC::Structure::takePropertyTableOrCloneIfPinned(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61ba48c)
#21 0x7f47249c8bfb in JSC::Structure::addNewPropertyTransition(JSC::VM&, JSC::Structure*, JSC::PropertyName, unsigned int, int&, JSC::PutPropertySlot::Context, JSC::DeferredStructureTransitionWatchpointFire*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61b8bfb)
#22 0x4c5d7c in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c5d7c)
#23 0x4a7816 in JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a7816)
#24 0x7f4724638722 in JSC::JSFunction::finishCreation(JSC::VM&, JSC::NativeExecutable*, int, WTF::String const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e28722)
#25 0x7f4724637ced in JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, JSC::NativeFunction, JSC::Intrinsic, JSC::NativeFunction, JSC::DOMJIT::Signature const*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e27ced)
#26 0x7f47246817e3 in JSC::JSGlobalObject::init(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e717e3)
#27 0x7f47246962fb in JSC::JSGlobalObject::finishCreation(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e862fb)
#28 0x4b6d42 in GlobalObject::finishCreation(JSC::VM&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4b6d42)
#29 0x4b6045 in GlobalObject::create(JSC::VM&, JSC::Structure*, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4b6045)
Direct leak of 160 byte(s) in 1 object(s) allocated from:
#0 0x7f472896cb90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
#1 0x7f47252f4458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
#2 0x7f47252f1f41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
#3 0x7f4725164945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
#4 0x7f4725164ebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
#5 0x7f4725163bc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
#6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
#7 0x7f4723b787c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
#8 0x7f4723bdd850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
#9 0x7f4723b7b26e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
#10 0x7f4723b7d975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
#11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
#12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
#13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
#14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
#15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
#16 0x7f472493b29d in void* JSC::tryAllocateCellHelper<JSC::PropertyTable>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x612b29d)
#17 0x7f472493908f in void* JSC::allocateCell<JSC::PropertyTable>(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x612908f)
#18 0x7f4724915932 in JSC::PropertyTable::create(JSC::VM&, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6105932)
#19 0x7f47249c77cf in JSC::Structure::materializePropertyTable(JSC::VM&, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61b77cf)
#20 0x7f47249ca48c in JSC::Structure::takePropertyTableOrCloneIfPinned(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61ba48c)
#21 0x7f47249c8bfb in JSC::Structure::addNewPropertyTransition(JSC::VM&, JSC::Structure*, JSC::PropertyName, unsigned int, int&, JSC::PutPropertySlot::Context, JSC::DeferredStructureTransitionWatchpointFire*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61b8bfb)
#22 0x4c5d7c in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c5d7c)
#23 0x4a7816 in JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a7816)
#24 0x7f4724638631 in JSC::JSFunction::finishCreation(JSC::VM&, JSC::NativeExecutable*, int, WTF::String const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e28631)
#25 0x7f4724637ced in JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, JSC::NativeFunction, JSC::Intrinsic, JSC::NativeFunction, JSC::DOMJIT::Signature const*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e27ced)
#26 0x7f47245642a6 in JSC::FunctionPrototype::addFunctionProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSFunction**, JSC::JSFunction**, JSC::JSFunction**) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5d542a6)
#27 0x7f4724680b04 in JSC::JSGlobalObject::init(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e70b04)
#28 0x7f47246962fb in JSC::JSGlobalObject::finishCreation(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e862fb)
#29 0x4b6d42 in GlobalObject::finishCreation(JSC::VM&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4b6d42)
Direct leak of 92 byte(s) in 4 object(s) allocated from:
#0 0x7f472896cb90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
#1 0x7f47252f4458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
#2 0x7f47252f204b in bmalloc::Cache::allocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae204b)
#3 0x7f4725164a05 in bmalloc::Cache::allocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954a05)
#4 0x7f4725164edf in bmalloc::api::malloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954edf)
#5 0x7f4725163468 in WTF::fastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953468)
#6 0x493487 in WTF::FastMalloc::malloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x493487)
#7 0x7f4725286a63 in WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::createUninitializedInternalNonEmpty<unsigned char>(unsigned int, unsigned char*&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a76a63)
#8 0x7f472528686a in WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::createInternal<unsigned char>(unsigned char const*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a7686a)
#9 0x7f4725274d6e in WTF::StringImpl::create(unsigned char const*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a64d6e)
#10 0x7f472525cb13 in WTF::LCharBufferTranslator::translate(WTF::Packed<WTF::StringImpl*>&, WTF::HashTranslatorCharBuffer<unsigned char> const&, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a4cb13)
#11 0x7f4725265aef in void WTF::HashSetTranslatorAdapter<WTF::LCharBufferTranslator>::translate<WTF::Packed<WTF::StringImpl*>, WTF::HashTranslatorCharBuffer<unsigned char> >(WTF::Packed<WTF::StringImpl*>&, WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a55aef)
#12 0x7f47252632ee in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > > > WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::addPassingHashCode<WTF::HashSetTranslatorAdapter<WTF::LCharBufferTranslator>, WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&>(WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a532ee)
#13 0x7f47252602b0 in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > > > WTF::HashSet<WTF::Packed<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::add<WTF::LCharBufferTranslator, WTF::HashTranslatorCharBuffer<unsigned char> >(WTF::HashTranslatorCharBuffer<unsigned char> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a502b0)
#14 0x7f4725259dfb in WTF::Ref<WTF::AtomStringImpl, WTF::DumbPtrTraits<WTF::AtomStringImpl> > WTF::addToStringTable<WTF::HashTranslatorCharBuffer<unsigned char>, WTF::LCharBufferTranslator>(WTF::AtomStringTableLocker&, WTF::HashSet<WTF::Packed<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >&, WTF::HashTranslatorCharBuffer<unsigned char> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a49dfb)
#15 0x7f472525886f in WTF::Ref<WTF::AtomStringImpl, WTF::DumbPtrTraits<WTF::AtomStringImpl> > WTF::addToStringTable<WTF::HashTranslatorCharBuffer<unsigned char>, WTF::LCharBufferTranslator>(WTF::HashTranslatorCharBuffer<unsigned char> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a4886f)
#16 0x7f4725255b0e in WTF::AtomStringImpl::add(unsigned char const*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a45b0e)
#17 0x7f4721f9569e in WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > JSC::Identifier::add<unsigned char>(JSC::VM&, unsigned char const*, int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x378569e)
#18 0x7f4721f94920 in JSC::Identifier::Identifier(JSC::VM&, unsigned char const*, int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x3784920)
#19 0x7f4721f951af in JSC::Identifier::fromString(JSC::VM&, unsigned char const*, int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x37851af)
#20 0x7f47229522a1 in JSC::Identifier const& JSC::IdentifierArena::makeIdentifier<unsigned char>(JSC::VM&, unsigned char const*, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x41422a1)
#21 0x7f47240f55da in JSC::Lexer<unsigned char>::makeIdentifier(unsigned char const*, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x58e55da)
#22 0x7f47241475b9 in JSC::JSTokenType JSC::Lexer<unsigned char>::parseIdentifier<true>(JSC::JSTokenData*, WTF::OptionSet<JSC::LexerFlags>, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x59375b9)
#23 0x7f47240f05ac in JSC::Lexer<unsigned char>::lexWithoutClearingLineTerminator(JSC::JSToken*, WTF::OptionSet<JSC::LexerFlags>, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x58e05ac)
#24 0x7f47240ec262 in JSC::Lexer<unsigned char>::lex(JSC::JSToken*, WTF::OptionSet<JSC::LexerFlags>, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x58dc262)
#25 0x7f47241265a5 in JSC::Parser<JSC::Lexer<unsigned char> >::next(WTF::OptionSet<JSC::LexerFlags>) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x59165a5)
#26 0x7f472421104d in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseVariableDeclarationList<JSC::ASTBuilder>(JSC::ASTBuilder&, int&, JSC::ASTBuilder::DestructuringPattern&, JSC::ASTBuilder::Expression&, JSC::JSTextPosition&, JSC::JSTextPosition&, JSC::JSTextPosition&, JSC::Parser<JSC::Lexer<unsigned char> >::VarDeclarationListContext, JSC::DeclarationType, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType, bool&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5a0104d)
#27 0x7f47241c9fa3 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseVariableDeclaration<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::DeclarationType, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x59b9fa3)
#28 0x7f47241984f6 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x59884f6)
#29 0x7f472415b97d in JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x594b97d)
SUMMARY: AddressSanitizer: 988 byte(s) leaked in 9 allocation(s).
```
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Alexey Proskuryakov
Do you know if LeakSanitizer works reliably for WebKit? I am not familiar with this tool.
JavaScriptCore does a lot of pointer manipulation that confuses leak detectors.
Yusuke Suzuki
(In reply to Alexey Proskuryakov from comment #1)
> Do you know if LeakSanitizer works reliably for WebKit? I am not familiar
> with this tool.
>
> JavaScriptCore does a lot of pointer manipulation that confuses leak
> detectors.
Yeah, I don't think LeakSanitizer works for WebKit. We need an interface from LeakSanitizer to tell the pointers.
This issue is the same to bug 209420, and this is false-positive reports from LeakSanitizer.
*** This bug has been marked as a duplicate of bug 209420 ***