Bug 287376

Summary: [JSC] Make JSC::CompleteSubspace::allocateSlow memory exhaust explicit crash
Product: WebKit Reporter: rhezashan
Component: JavaScriptCore Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

rhezashan
Reported 2025-02-09 16:18:46 PST
commit 323063884259a103168acd51f8bf52bbcef73f27 (HEAD -> main, origin/main, origin/HEAD) Author: Devin Rousso <hi@devinrousso.com> Date: Tue Feb 4 17:09:28 2025 -0800 rheza@192 Release % sw_vers ProductName: macOS ProductVersion: 15.3 BuildVersion: 24D60 ================================================================= Build release target with AppleClang + ASAN ./Tools/Scripts/set-webkit-configuration --release --asan rheza@Rhezas-MacBook-Pro Release % ./Tools/Scripts/build-jsc The error stack: rheza@Rheza-MacBook-Pro Debug % ./jsc ./poc.js jsc(23204,0x1f742c840) malloc: nano zone abandoned due to inability to reserve vm space. ASSERTION FAILED: result ./heap/CompleteSubspace.cpp(110) : void *JSC::CompleteSubspace::allocateSlow(VM &, size_t, GCDeferralContext *, AllocationFailureMode) 1 0x12221aad0 JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) 2 0x123d4af58 JSC::CompleteSubspace::allocate(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) 3 0x121b50a30 JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSObject*, unsigned long, unsigned long, bool, unsigned long) 4 0x1238affcc JSC::Butterfly::createOrGrowPropertyStorage(JSC::Butterfly*, JSC::VM&, JSC::JSObject*, JSC::Structure*, unsigned long, unsigned long) 5 0x1238afdc0 JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned long, unsigned long) 6 0x121d3da88 WTF::ASCIILiteral JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) 7 0x121d3b594 JSC::JSObject::putInlineFast(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 8 0x1238859f4 JSC::JSObject::definePropertyOnReceiver(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 9 0x12388419c JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 10 0x121d3ace0 
JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 11 0x1238776e4 JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 12 0x1234e19d4 JSC::JSArray::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 13 0x123882db0 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 14 0x121d3ace0 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 15 0x1238776e4 JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 16 0x1234e19d4 JSC::JSArray::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 17 0x121b5c488 JSC::JSValue::put(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 18 0x122e15430 llint_slow_path_put_by_val 19 0x128e3b314 jsc_llint_putByValOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__opPutByValSlow_LowLevelInterpreter64_asm_2033 20 0x128e544ac op_call_ignore_result_return_location 21 0x134fe3524 20 ??? 
0x0000000134fe3524 0x0 + 5184042276 22 0x128e2995c llint_call_javascript 23 0x1228f120c JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 24 0x1231e1e98 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 25 0x104a1723c runWithOptions(GlobalObject*, CommandLine&, bool&) 26 0x104927fe8 jscmain(int, char**)::$_1::operator()(JSC::VM&, GlobalObject*, bool&) const 27 0x104870ffc int runJSC<jscmain(int, char**)::$_1>(CommandLine const&, bool, jscmain(int, char**)::$_1 const&) 28 0x104869e68 jscmain(int, char**) 29 0x104868d3c main 30 0x18d73c274 start AddressSanitizer:DEADLYSIGNAL ================================================================= ==23204==ERROR: AddressSanitizer: TRAP on unknown address 0x0001234d64dc (pc 0x0001234d64dc bp 0x00016b59ee30 sp 0x00016b59edd0 T0) SCARINESS: 10 (signal) #0 0x1234d64dc in WTFCrashWithInfo(int, char const*, char const*, int) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x65d24dc) #1 0x12221ab00 in JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x5316b00) #2 0x123d4af54 in JSC::CompleteSubspace::allocate(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x6e46f54) #3 0x121b50a2c in JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSObject*, unsigned long, unsigned long, bool, unsigned long) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4c4ca2c) #4 0x1238affc8 in JSC::Butterfly::createOrGrowPropertyStorage(JSC::Butterfly*, JSC::VM&, JSC::JSObject*, JSC::Structure*, unsigned long, unsigned long) 
(/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69abfc8) #5 0x1238afdbc in JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned long, unsigned long) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69abdbc) #6 0x121d3da84 in WTF::ASCIILiteral JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4e39a84) #7 0x121d3b590 in JSC::JSObject::putInlineFast(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4e37590) #8 0x1238859f0 in JSC::JSObject::definePropertyOnReceiver(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69819f0) #9 0x123884198 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x6980198) #10 0x121d3acdc in JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4e36cdc) #11 0x1238776e0 in JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69736e0) #12 0x1234e19d0 in JSC::JSArray::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 
(/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x65dd9d0) #13 0x123882dac in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x697edac) #14 0x121d3acdc in JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4e36cdc) #15 0x1238776e0 in JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69736e0) #16 0x1234e19d0 in JSC::JSArray::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x65dd9d0) #17 0x121b5c484 in JSC::JSValue::put(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4c58484) #18 0x122e1542c in llint_slow_path_put_by_val (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x5f1142c) #19 0x128e3b310 in jsc_llint_putByValOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__opPutByValSlow_LowLevelInterpreter64_asm_2033 (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0xbf37310) #20 0x128e544a8 in jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__844_callHelper__dispatch_LowLevelInterpreter64_asm_2536 
(/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0xbf504a8) #21 0x134fe3520 (<unknown module>) #22 0x128e29958 in llint_call_javascript (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0xbf25958) #23 0x1228f1208 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x59ed208) #24 0x1231e1e94 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x62dde94) #25 0x104a17238 in runWithOptions(GlobalObject*, CommandLine&, bool&) (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x1001bf238) #26 0x104927fe4 in jscmain(int, char**)::$_1::operator()(JSC::VM&, GlobalObject*, bool&) const (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x1000cffe4) #27 0x104870ff8 in int runJSC<jscmain(int, char**)::$_1>(CommandLine const&, bool, jscmain(int, char**)::$_1 const&) (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x100018ff8) #28 0x104869e64 in jscmain(int, char**) (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x100011e64) #29 0x104868d38 in main (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x100010d38) #30 0x18d73c270 (<unknown module>) ==23204==Register values: x[0] = 0x000000000000006e x[1] = 0x0000000129d5dec0 x[2] = 0x0000000129d5df00 x[3] = 0x0000000000000ba2 x[4] = 0x000000702d6d3080 x[5] = 0x0000000000000000 x[6] = 0x000000016adac000 x[7] = 0x0000000000000001 x[8] = 0x0000000000000ba2 x[9] = 0x000000700001ffff x[10] = 0x000000016b5a7ff8 x[11] = 0x000000700001ffff x[12] = 0x000000702d6d3d9c x[13] = 0xffffffffffffffff x[14] = 0x0000000000000000 x[15] = 0x00007fffffffffff x[16] = 0x000000018dab716c x[17] = 0x0000000105348738 x[18] = 0x0000000000000000 x[19] = 0x00000001f7190050 x[20] = 
0x00000001f71900a0 x[21] = 0x00000001f7190050 x[22] = 0x000000016b5a7448 x[23] = 0x000000016b5a7448 x[24] = 0x000000018d736000 x[25] = 0x000061b0008a02f0 x[26] = 0x0000615000656880 x[27] = 0xfffe000000000000 x[28] = 0xfffe000000000002 fp = 0x000000016b59ee30 lr = 0x000000012221ab04 sp = 0x000000016b59edd0 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: TRAP (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x65d24dc) in WTFCrashWithInfo(int, char const*, char const*, int) ==23204==ABORTING zsh: abort ./jsc ./poc.js ``` poc for (let i1 = 0; i1 < 10; ++i1) { const v7 = []; var arr = v7; let v9 = "abcdefghijklmnop"; var s = v9; for (let i20 = (() => { s[Symbol.match]; return 0; })(); (() => { const v24 = new WebAssembly.Instance(new WebAssembly.Module(new Uint8Array([ 0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00, 0x01, 0x07, 0x01, 0x60, 0x03, 0x7C, 0x7F, 0x7D, 0x00, 0x03, 0x01, 0x00, 0x04, 0x04, 0x01, 0x70, 0x00, 0x0A, 0x05, 0x01, 0x00, 0x0D, 0x03, 0x01, 0x00, 0x00, 0x06, 0x01, 0x00, 0x07, 0x07, 0x01, 0x03, 0x77, 0x74, 0x30, 0x01, 0x00, 0x09, 0x01, 0x00, 0x0A, 0x01, 0x00, ]))); v24.exports; return i20 < 5000; })(); ++i20) { const v33 = ("<" + s) + ">"; s = v33; arr.push(v33); } const v24 = gc(); for (let i39 = 0; (() => { const v40 = () => { function* f27(a42, a43, a44) { [a44,v9,i39]; [a42,v7]; [a42,a44,arr]; return yield i1; } f27(v24, i39, f27); return i39 < 5000; }; return v40(); })(); (() => { const v54 = () => { arr.__proto__; v9 = v24; const v58 = new Int8Array(78); arr[Uint8Array] = i39; v7[v54] = gc; v58[1665890787]; v54[8] = s; try { new Uint8Array(v58, i39, -2147483647); } catch(e63) { } new Uint8Array(257); new Uint8ClampedArray(3330); ++i39; }; v54(); })()) { arr[i39].search("a"); } gc(); } ```
Radar WebKit Bug Importer
Comment 1 2025-02-09 16:19:03 PST
Yusuke Suzuki
Comment 2 2025-03-06 14:01:57 PST
This is an explicit crash on memory exhaustion: `allocateSlow` asserts when the allocation comes back null, and the report shows the allocator failing just before it (`malloc: nano zone abandoned due to inability to reserve vm space`).
Yusuke Suzuki
Comment 3 2025-03-06 14:05:40 PST
EWS
Comment 4 2025-03-06 16:26:16 PST
Committed 291743@main (798ff291e8a8): <https://commits.webkit.org/291743@main> Reviewed commits have been landed. Closing PR #42035 and removing active labels.