Bug 285800
| Summary: | [JSC] Gracefully handle stack overflow error from JS parser in class initializer syntax | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | rhezashan |
| Component: | JavaScriptCore | Assignee: | Yusuke Suzuki <ysuzuki> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | bfulgham, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
rhezashan
The following testcase triggers an assertion failure in debug builds of WebKit built from current HEAD and from the safari-7620-branch:
Tested on both a WebKit Linux release build and a WebKit macOS debug build.
```
// Fuzzer-generated reproducer. f0 recurses into itself (the f0(v4) call below)
// and on every invocation defines classes whose bodies use field-initializer
// syntax; the backtrace on this bug shows the stack-overflow error surfacing
// while parseClassFieldInitializerSourceElements handles such a class body.
function f0() {
const v3 = new BigUint64Array(54);
// byteLength is a getter-only accessor; in sloppy mode this assignment has no effect.
v3.byteLength <<= f0;
for (const v4 of v3) {
for (let i7 = 0, i8 = 10; i7 < i8; i7++, i8--) {
// Recursive call. The catch swallows whatever the nested call throws, including
// the eventual stack-overflow error, so the loop presumably keeps re-entering f0
// while the stack is already near its limit.
try { f0(v4); } catch (e) {}
}
}
const v21 = new Int8Array(1000);
// Iterator is created and immediately discarded.
try { v21.values(); } catch (e) {}
// Class body exercising field-initializer syntax: an instance field (g), a static
// getter, numeric-literal keys (some with initializers) and a static private field (#d).
class C23 {
g;
static get h() {
~BigUint64Array;
for (let v26 = 0; v26 < 32; v26++) {
v21["p" + v26] = v26;
}
return this;
}
0;
static 429 = 1000;
static #d = 1000;
536870887;
536870912 = Int8Array;
}
// Sparse array; used below as the argument list for f31.constructor.apply.
const v30 = new Array(65535);
// Generator that builds the iterator-like object o38 and discards it; it never yields.
function* f31() {
let v32 = 10;
const o38 = {
next() {
v32--;
const v36 = v32 == 0;
const o37 = {
"done": v36,
"value": v32,
};
return o37;
},
};
}
const v43 = new Int8Array(1000);
// valueOf replaced by a non-callable number; v43.values() is still wrapped in try/catch.
v43.valueOf = 1793796166;
try { v43.values(); } catch (e) {}
// Same class shape as C23, closing over v43 instead of v21.
class C45 {
g;
static get h() {
~BigUint64Array;
for (let v48 = 0; v48 < 32; v48++) {
v43["p" + v48] = v48;
}
return this;
}
0;
static 429 = 1000;
static #d = 1000;
536870887;
536870912 = Int8Array;
}
// Instantiating C45 runs its instance field initializers.
const v51 = new C45();
// Expression statement whose array literal is discarded.
[v51,Date];
// Builds a fresh generator function through f31.constructor (GeneratorFunction)
// applied over the 65535-element sparse array v30, then calls it twice.
const v56 = f31.constructor.apply(null, v30);
v56();
v56();
const v61 = new Int8Array(54);
v61.valueOf = 1793796166;
try { v61.values(); } catch (e) {}
}
// Top-level copy of the typed-array setup used inside f0; v66 is captured by C68's getter.
const v66 = new Int8Array(1000);
try { v66.values(); } catch (e) {}
// Top-level class with the same field-initializer shape as C23/C45 inside f0:
// instance field g, static getter h, numeric-literal keys and a static private field.
class C68 {
g;
static get h() {
~BigUint64Array;
for (let v71 = 0; v71 < 32; v71++) {
v66["p" + v71] = v71;
}
return this;
}
0;
static 429 = 1000;
static #d = 1000;
536870887;
536870912 = Int8Array;
}
// Instantiate C68 (runs its instance field initializers), then enter the recursion in f0.
new C68();
f0();
const v77 = "p" + 1000;
const v80 = new Int8Array(1000);
let v81;
try { v81 = v80.values(); } catch (e) {}
// v81 holds an iterator object, not a function, so each call below throws and is swallowed.
for (let i84 = 0, i85 = 10; i84 < i85; i84++, i85--) {
try { v81(v77); } catch (e) {}
}
```
Run with `./jsc --useConcurrentJIT=false --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 ~/poc.js`
Here is a part of the backtrace:
```
jsc(24108,0x1f2bc0240) malloc: nano zone abandoned due to inability to reserve vm space.
ASSERTION FAILED: !hasError()
/Users/rheza/webkit_safari_branch/Source/JavaScriptCore/parser/Parser.cpp(3376) : typename TreeBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char>>::parseClassFieldInitializerSourceElements(TreeBuilder &, const FixedVector<UnlinkedFunctionExecutable::ClassElementDefinition> &) [LexerType = JSC::Lexer<unsigned char>, TreeBuilder = JSC::ASTBuilder]
1 0x11d8e3724 JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char>>::parseClassFieldInitializerSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const&)
2 0x11d8d645c JSC::Parser<JSC::Lexer<unsigned char>>::parseInner(JSC::Identifier const&, JSC::ParsingContext, std::__1::optional<int>, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*)
3 0x11ef0314c std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode>> JSC::Parser<JSC::Lexer<unsigned char>>::parse<JSC::FunctionNode>(JSC::ParserError&, JSC::Identifier const&, JSC::ParsingContext, std::__1::optional<int>, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*)
4 0x11ef003a4 std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode>> JSC::parse<JSC::FunctionNode>(JSC::VM&, JSC::SourceCode const&, JSC::Identifier const&, JSC::ImplementationVisibility, JSC::JSParserBuiltinMode, unsigned char, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::FunctionMode, JSC::SuperBinding, JSC::ParserError&, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*, bool)
5 0x11eef7abc JSC::generateUnlinkedFunctionCodeBlock(JSC::VM&, JSC::UnlinkedFunctionExecutable*, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::UnlinkedFunctionKind, JSC::ParserError&, JSC::SourceParseMode)
6 0x11eef6e18 JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::SourceParseMode)
7 0x121d4391c JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*)
8 0x121d44a24 JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&)
9 0x11fc3adc4 void JSC::ScriptExecutable::prepareForExecution<JSC::FunctionExecutable>(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&)
10 0x120c07560 JSC::linkFor(JSC::VM&, JSC::JSCell*, JSC::CallFrame*, JSC::CallLinkInfo*)
11 0x120c068b8 operationDefaultCall
12 0x132340020 11 ??? 0x0000000132340020 0x0 + 5137236000
13 0x1323825ec 12 ??? 0x00000001323825ec 0x0 + 5137507820
14 0x132388128 13 ??? 0x0000000132388128 0x0 + 5137531176
15 0x132388128 14 ??? 0x0000000132388128 0x0 + 5137531176
16 0x132388128 15 ??? 0x0000000132388128 0x0 + 5137531176
17 0x132388128 16 ??? 0x0000000132388128 0x0 + 5137531176
18 0x132388128 17 ??? 0x0000000132388128 0x0 + 5137531176
19 0x132388128 18 ??? 0x0000000132388128 0x0 + 5137531176
20 0x132388128 19 ??? 0x0000000132388128 0x0 + 5137531176
21 0x132388128 20 ??? 0x0000000132388128 0x0 + 5137531176
22 0x132388128 21 ??? 0x0000000132388128 0x0 + 5137531176
23 0x132388128 22 ??? 0x0000000132388128 0x0 + 5137531176
24 0x132388128 23 ??? 0x0000000132388128 0x0 + 5137531176
25 0x132388128 24 ??? 0x0000000132388128 0x0 + 5137531176
26 0x132388128 25 ??? 0x0000000132388128 0x0 + 5137531176
27 0x132388128 26 ??? 0x0000000132388128 0x0 + 5137531176
28 0x132388128 27 ??? 0x0000000132388128 0x0 + 5137531176
29 0x132388128 28 ??? 0x0000000132388128 0x0 + 5137531176
30 0x132388128 29 ??? 0x0000000132388128 0x0 + 5137531176
31 0x132388128 30 ??? 0x0000000132388128 0x0 + 5137531176
AddressSanitizer:DEADLYSIGNAL
=================================================================
==24108==ERROR: AddressSanitizer: TRAP on unknown address 0x00011d8b318c (pc 0x00011d8b318c bp 0x00016d30c6b0 sp 0x00016d30c650 T0)
SCARINESS: 10 (signal)
#0 0x11d8b318c in WTFCrashWithInfo(int, char const*, char const*, int) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x2fbb18c)
#1 0x11d8e3754 in JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char>>::parseClassFieldInitializerSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const&) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x2feb754)
#2 0x11d8d6458 in JSC::Parser<JSC::Lexer<unsigned char>>::parseInner(JSC::Identifier const&, JSC::ParsingContext, std::__1::optional<int>, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x2fde458)
#3 0x11ef03148 in std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode>> JSC::Parser<JSC::Lexer<unsigned char>>::parse<JSC::FunctionNode>(JSC::ParserError&, JSC::Identifier const&, JSC::ParsingContext, std::__1::optional<int>, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x460b148)
#4 0x11ef003a0 in std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode>> JSC::parse<JSC::FunctionNode>(JSC::VM&, JSC::SourceCode const&, JSC::Identifier const&, JSC::ImplementationVisibility, JSC::JSParserBuiltinMode, unsigned char, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::FunctionMode, JSC::SuperBinding, JSC::ParserError&, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*, bool) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x46083a0)
#5 0x11eef7ab8 in JSC::generateUnlinkedFunctionCodeBlock(JSC::VM&, JSC::UnlinkedFunctionExecutable*, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::UnlinkedFunctionKind, JSC::ParserError&, JSC::SourceParseMode) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x45ffab8)
#6 0x11eef6e14 in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::SourceParseMode) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x45fee14)
#7 0x121d43918 in JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x744b918)
#8 0x121d44a20 in JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x744ca20)
#9 0x11fc3adc0 in void JSC::ScriptExecutable::prepareForExecution<JSC::FunctionExecutable>(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x5342dc0)
#10 0x120c0755c in JSC::linkFor(JSC::VM&, JSC::JSCell*, JSC::CallFrame*, JSC::CallLinkInfo*) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x630f55c)
#11 0x120c068b4 in operationDefaultCall (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x630e8b4)
#12 0x13234001c (<unknown module>)
#13 0x1323825e8 (<unknown module>)
...
#254 0x132388124 (<unknown module>)
==24108==Register values:
x[0] = 0x0000000000000d30 x[1] = 0x0000000126f6cb80 x[2] = 0x0000000126fb5be0 x[3] = 0x0000000000000c0c
x[4] = 0x0000000063000000 x[5] = 0x0000000000000000 x[6] = 0x000000016cfe4000 x[7] = 0x0000000000000001
x[8] = 0x0000000000000c0c x[9] = 0x0000000000000000 x[10] = 0x000000016d7dfff8 x[11] = 0x000000700001ffff
x[12] = 0x000000702da818b8 x[13] = 0xffffffffffffffff x[14] = 0x0000000000000000 x[15] = 0x00007fffffffffff
x[16] = 0x00000001892db16c x[17] = 0x0000000103388738 x[18] = 0x0000000000000000 x[19] = 0x000062d0000927a8
x[20] = 0x0000632000000800 x[21] = 0x000000016d313350 x[22] = 0x000000016d7df3b8 x[23] = 0x000000016d7df3b8
x[24] = 0x0000000188f5a000 x[25] = 0x00006200000012d0 x[26] = 0x000061f00000a660 x[27] = 0xfffe000000000000
x[28] = 0xfffe000000000002 fp = 0x000000016d30c6b0 lr = 0x000000011d8e3758 sp = 0x000000016d30c650
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: TRAP (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x2fbb18c) in WTFCrashWithInfo(int, char const*, char const*, int)
==24108==ABORTING
```
The safari-7620 branch took more time to trigger the bug, while HEAD triggered it in ~20 seconds.
I'm not sure whether this assertion failure has security implications, so I'm filing this as a security issue as a precaution.
Radar WebKit Bug Importer
<rdar://problem/142737633>
Yusuke Suzuki
It is a crash bug, as we will go to the same error handling path.
Yusuke Suzuki
Pull request: https://github.com/WebKit/WebKit/pull/39057
EWS
Committed 288919@main (4298267945e8): <https://commits.webkit.org/288919@main>
Reviewed commits have been landed. Closing PR #39057 and removing active labels.