Bug 181934 - WebKitGTK/JavaScriptCore segfault with CrashOnOverflow
Status: RESOLVED DUPLICATE of bug 183894
https://bugs.webkit.org/show_bug.cgi?id=181934
Suyoung Lee
Reported 2018-01-22 07:55:24 PST
Crashes on the latest version of WebKitGTK/JavaScriptCore (both on debug/release build).

Here is the input code.

function foo(v1, v2) {
    throw JSON.stringify(v1) + JSON.stringify(v2);
}
function func_0() {
    try {
        foo(func_0(func_0), 1);
    } catch (func_0) {
        return func_0;
    }
}
func_0();

It seems that this code causes integer overflow at StringBuilderJSON.cpp:85

85        maximumCapacityRequired += 2 + stringLength * 6;

(gdb) r
Starting program: /data/WebKit/WebKitBuild/Debug/bin/jsc test.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff0cef700 (LWP 15461)]
[New Thread 0x7fffaf6ff700 (LWP 15462)]
[New Thread 0x7fffaeefe700 (LWP 15463)]
[New Thread 0x7fffad9ff700 (LWP 15464)]
[New Thread 0x7fffad1fe700 (LWP 15465)]
[New Thread 0x7fffac9fd700 (LWP 15466)]
[New Thread 0x7fffa7fff700 (LWP 15467)]
[New Thread 0x7fffa77fe700 (LWP 15468)]
[New Thread 0x7fffa6ffd700 (LWP 15469)]
[New Thread 0x7fffa67fc700 (LWP 15470)]
1   0x7ffff6d6a123 WTFCrash
2   0x46764e WTF::CrashOnOverflow::hasOverflowed() const
3   0x467645 WTF::CrashOnOverflow::crash()
4   0x7ffff5f5ba90 JSC::CompleteSubspace* JSC::JSCell::subspaceFor<JSC::JSSet>(JSC::VM&)
5   0x7ffff6dc29fc
6   0x7ffff6dc250f
7   0x7ffff6dc21d5 WTF::StringBuilder::appendQuotedJSONString(WTF::String const&)
8   0x7ffff6a3e4b8 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
9   0x7ffff6a3ddf9 JSC::Stringifier::stringify(JSC::JSValue)
10  0x7ffff6a40c1e JSC::JSONProtoFuncStringify(JSC::ExecState*)
11  0x7fffb02ff178

Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
0x00007ffff6d6a128 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:272
272        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff6d6a128 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:272
#1  0x000000000046764e in WTF::CrashOnOverflow::crash () at ../../Source/WTF/wtf/CheckedArithmetic.h:85
#2  0x0000000000467645 in WTF::CrashOnOverflow::overflowed () at ../../Source/WTF/wtf/CheckedArithmetic.h:78
#3  0x00007ffff5f5ba90 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked (this=0x7fffffc1e310) at ../../Source/WTF/wtf/CheckedArithmetic.h:462
#4  0x00007ffff6dc29fc in WTF::operator*<unsigned int, int, WTF::CrashOnOverflow> (lhs=..., rhs=...) at ../../Source/WTF/wtf/CheckedArithmetic.h:745
#5  0x00007ffff6dc250f in WTF::operator*<unsigned int, int, WTF::CrashOnOverflow> (lhs=..., rhs=6) at ../../Source/WTF/wtf/CheckedArithmetic.h:761
#6  0x00007ffff6dc21d5 in WTF::StringBuilder::appendQuotedJSONString (this=0x7fffffc1e5b0, string=...) at ../../Source/WTF/wtf/text/StringBuilderJSON.cpp:85
#7  0x00007ffff6a3e4b8 in JSC::Stringifier::appendStringifiedValue (this=0x7fffffc1e6c0, builder=..., value=..., holder=..., propertyName=...) at ../../Source/JavaScriptCore/runtime/JSONObject.cpp:360
#8  0x00007ffff6a3ddf9 in JSC::Stringifier::stringify (this=0x7fffffc1e6c0, value=...) at ../../Source/JavaScriptCore/runtime/JSONObject.cpp:275
#9  0x00007ffff6a40c1e in JSC::JSONProtoFuncStringify (exec=0x7fffffc1e9f0) at ../../Source/JavaScriptCore/runtime/JSONObject.cpp:841
#10 0x00007fffb02ff178 in ?? ()
#11 0x00007fffffc1ea70 in ?? ()
#12 0x00007ffff67b5a47 in llint_entry () at ../../Source/JavaScriptCore/runtime/Butterfly.h:52
Backtrace stopped: frame did not save the PC
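The report traces the crash to the capacity estimate `maximumCapacityRequired += 2 + stringLength * 6` overflowing `unsigned`, which `WTF::Checked<unsigned, CrashOnOverflow>` turns into a deliberate WTFCrash instead of a silent wraparound. The following added example (not WebKit code and not from the reporter) uses a minimal stand-in for that Checked pattern to show why the policy matters: plain `unsigned` arithmetic yields a tiny capacity for a string length just above UINT_MAX/6, the under-allocation a buffer overflow would exploit, while the checked version reports the overflow so the caller can refuse. The class `CheckedUnsigned`, the two capacity functions and the use of the GCC/Clang `__builtin_*_overflow` intrinsics are this example's own choices, not WTF's API.

```cpp
#include <cstdio>
#include <limits>
#include <optional>

// Minimal stand-in for WTF::Checked<unsigned, ...> (added example, not WebKit
// code): every arithmetic step records overflow instead of silently wrapping,
// and the value is only readable once the caller has confirmed no overflow.
class CheckedUnsigned {
public:
    explicit CheckedUnsigned(unsigned v = 0) : m_value(v) {}

    CheckedUnsigned& operator+=(unsigned rhs) {
        unsigned r;
        if (__builtin_add_overflow(m_value, rhs, &r)) m_overflowed = true;
        else m_value = r;
        return *this;
    }
    CheckedUnsigned& operator*=(unsigned rhs) {
        unsigned r;
        if (__builtin_mul_overflow(m_value, rhs, &r)) m_overflowed = true;
        else m_value = r;
        return *this;
    }
    // Adding an already-overflowed operand poisons the result as well.
    CheckedUnsigned& operator+=(const CheckedUnsigned& rhs) {
        if (rhs.m_overflowed) { m_overflowed = true; return *this; }
        return *this += rhs.m_value;
    }
    bool hasOverflowed() const { return m_overflowed; }
    // Equivalent of "check hasOverflowed() before unsafeGet()": nullopt if
    // any step overflowed (WTF's CrashOnOverflow policy would crash here).
    std::optional<unsigned> value() const {
        if (m_overflowed) return std::nullopt;
        return m_value;
    }
private:
    unsigned m_value;
    bool m_overflowed = false;
};

// Unchecked form of the report's formula: currentLength + 2 + stringLength * 6,
// computed in plain unsigned arithmetic, which wraps modulo 2^32.
unsigned uncheckedCapacity(unsigned currentLength, unsigned stringLength) {
    return currentLength + 2 + stringLength * 6;
}

// Checked form of the same formula: worst case every character is escaped to
// six output characters (\uXXXX) plus two surrounding quotes. Returns nullopt
// if any intermediate result does not fit in unsigned.
std::optional<unsigned> checkedCapacity(unsigned currentLength, unsigned stringLength) {
    CheckedUnsigned perString(stringLength);
    perString *= 6;                       // may overflow for huge strings
    CheckedUnsigned total(currentLength);
    total += 2;                           // quotes
    total += perString;                   // propagates perString's overflow
    return total.value();
}

int main() {
    // Constructed sample: UINT_MAX / 6 == 715827882, so one more character
    // pushes stringLength * 6 past 2^32.
    const unsigned justOver = std::numeric_limits<unsigned>::max() / 6 + 1;
    std::printf("unchecked capacity for %u chars: %u (wrapped)\n",
                justOver, uncheckedCapacity(0, justOver));
    std::printf("checked capacity overflowed: %s\n",
                checkedCapacity(0, justOver) ? "no" : "yes");
    return 0;
}
```

Running it prints a capacity of 4 for a string of 715,827,883 characters in the unchecked variant; a builder that trusted that number would reserve 4 bytes and then write gigabytes into them, which is exactly the class of bug the CrashOnOverflow policy converts into an immediate, non-exploitable abort.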
Robin Morisset
Comment 1 2018-03-30 07:48:40 PDT
*** This bug has been marked as a duplicate of bug 183894 ***