WebKit Bugzilla
Bug 195875: errorDescriptionForValue would trigger another out-of-memory error for rope string
Status: RESOLVED DUPLICATE of bug 196032
https://bugs.webkit.org/show_bug.cgi?id=195875
Reported by dwfault, 2019-03-17 22:27:29 PDT
PoC:

let o0 = '\ud801';
let o1 = o0.padEnd(0x7fffffff, 'x');
function f() { }
print(describe(o0)); //String (rope) (unresolved): (null StringImpl*), StructureID: 29020
print(describe(o1)); //nothing?
//debug(o1);
//print(); //Out of memory.
print(describe(f)); //Object: 0x1212cbc60 with butterfly 0x0 (Structure 0x1212fd9d0:[Function, {}, NonArray, Proto:0x1212d4000, Leaf]), StructureID: 39799
try {
    o1(f); //---> here.
} catch (e) {
    print(e);
}

crash:

2019-03-18 13:23:54.286323+0800 jsc[70531:7728936] ASSERTION FAILED: Unexpected exception observed on thread Thread:0x11e5fa000 at:
1 0x1019398e6 JSC::ExceptionScope::unexpectedExceptionMessage()
2 0x100f7b34b JSC::ExceptionScope::assertNoException()
3 0x101938750 JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
4 0x101938f52 JSC::createNotAFunctionError(JSC::ExecState*, JSC::JSValue)
5 0x1016fb71e JSC::LLInt::handleHostCall(JSC::ExecState*, JSC::JSValue, JSC::CodeSpecializationKind)
6 0x1016fac62 JSC::LLInt::setUpCall(JSC::ExecState*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*)
7 0x1016f38a8 JSC::SlowPathReturnType JSC::LLInt::genericCall<JSC::OpCall>(JSC::ExecState*, JSC::OpCall&&, JSC::CodeSpecializationKind)
8 0x1016f37b2 llint_slow_path_call
9 0x10097c663 llint_entry
10 0x1009692e2 vmEntryToJavaScript
11 0x1015de45e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
12 0x1015dd9e0 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
13 0x10190b1e5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
14 0x10004f56b runWithOptions(GlobalObject*, CommandLine&, bool&)
15 0x1000251ba jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const
16 0x100006ab4 int runJSC<jscmain(int, char**)::$_6>(CommandLine const&, bool, jscmain(int, char**)::$_6 const&)
17 0x100005197 jscmain(int, char**)
18 0x100004ffe main
19 0x7fff63403ed9 start

The exception was thrown from thread Thread:0x11e5fa000 at:
1 0x101bd009f JSC::VM::throwException(JSC::ExecState*, JSC::Exception*)
2 0x101bd0420 JSC::VM::throwException(JSC::ExecState*, JSC::JSValue)
3 0x101bd04e8 JSC::VM::throwException(JSC::ExecState*, JSC::JSObject*)
4 0x101baa6d5 JSC::ThrowScope::throwException(JSC::ExecState*, JSC::JSObject*)
5 0x10099b405 JSC::throwException(JSC::ExecState*, JSC::ThrowScope&, JSC::JSObject*)
6 0x1019395bc JSC::throwOutOfMemoryError(JSC::ExecState*, JSC::ThrowScope&)
7 0x101a7e26b JSC::JSRopeString::outOfMemory(JSC::ExecState*) const
8 0x101a7df37 WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_3>(JSC::ExecState*, JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_3&&) const
9 0x101a7db91 JSC::JSRopeString::resolveRope(JSC::ExecState*) const
10 0x100985859 JSC::JSString::value(JSC::ExecState*) const
11 0x1019381b4 JSC::errorDescriptionForValue(JSC::ExecState*, JSC::JSValue)
12 0x1019386ad JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
13 0x101938f52 JSC::createNotAFunctionError(JSC::ExecState*, JSC::JSValue)
14 0x1016fb71e JSC::LLInt::handleHostCall(JSC::ExecState*, JSC::JSValue, JSC::CodeSpecializationKind)
15 0x1016fac62 JSC::LLInt::setUpCall(JSC::ExecState*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*)
16 0x1016f38a8 JSC::SlowPathReturnType JSC::LLInt::genericCall<JSC::OpCall>(JSC::ExecState*, JSC::OpCall&&, JSC::CodeSpecializationKind)
17 0x1016f37b2 llint_slow_path_call
18 0x10097c663 llint_entry
19 0x1009692e2 vmEntryToJavaScript
20 0x1015de45e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
21 0x1015dd9e0 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
22 0x10190b1e5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
23 0x10004f56b runWithOptions(GlobalObject*, CommandLine&, bool&)
24 0x1000251ba jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const
25 0x100006ab4 int runJSC<jscmain(int, char**)::$_6>(CommandLine const&, bool, jscmain(int, char**)::$_6 const&)
26 0x100005197 jscmain(int, char**)
27 0x100004ffe main
28 0x7fff63403ed9 start
29 0x5
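The two traces above show the failure shape: the LLInt call slow path tries to build a TypeError for the non-callable rope, createError calls errorDescriptionForValue, that forces rope resolution, resolution throws an out-of-memory error, and the error builder then throws its TypeError on top of the still-pending exception, which the ExceptionScope assertion catches. The following is an added example and not JSC code: a small self-contained C++ model of that hazard, with an unchecked error builder that stacks the second exception beside a checked one that inspects the exception slot after the description step and propagates the existing exception instead. The Value and VM types, the kMaxFlatLength budget, and the function names are all assumptions made for the model.

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Minimal model of a JS value: a flat string, a rope (lazy concatenation of
// known length, not yet materialised), or an object that may or may not be
// callable. Hypothetical types, not JSC's.
struct Value {
    enum Kind { Flat, Rope, Object };
    Kind kind = Object;
    std::string flat;          // contents when kind == Flat
    uint64_t ropeLength = 0;   // length when kind == Rope
    bool callable = false;     // only meaningful when kind == Object
};

// Model of the VM's exception slot. JSC's ExceptionScope asserts when an
// exception is thrown while another is pending; here that condition is
// counted in nestedThrows instead of aborting the process.
struct VM {
    std::vector<std::string> thrown;   // every exception raised, in order
    int nestedThrows = 0;              // throws made on top of a pending one
    bool hasPending() const { return !thrown.empty(); }
    void throwException(const std::string& msg) {
        if (hasPending()) ++nestedThrows;
        thrown.push_back(msg);
    }
};

// Assumed resolution budget for the model (JSC's real limit differs).
constexpr uint64_t kMaxFlatLength = 1u << 20;

// Materialise a rope; fails with an out-of-memory exception if it is too
// large, which is the first throw in the trace above.
static std::optional<std::string> resolveRope(VM& vm, const Value& v) {
    if (v.ropeLength > kMaxFlatLength) {
        vm.throwException("Out of memory.");
        return std::nullopt;
    }
    return std::string(static_cast<size_t>(v.ropeLength), 'x');
}

// Builds the human-readable description used in error messages. For strings
// this forces rope resolution, so the description step can itself throw.
static std::optional<std::string> errorDescriptionForValue(VM& vm, const Value& v) {
    switch (v.kind) {
    case Value::Flat:
        return "\"" + v.flat + "\"";
    case Value::Rope: {
        auto s = resolveRope(vm, v);
        if (!s) return std::nullopt;
        return "\"" + *s + "\"";
    }
    case Value::Object:
        return std::string(v.callable ? "function" : "[object Object]");
    }
    return std::nullopt;
}

// Unchecked shape: assumes the description cannot fail and throws the
// TypeError regardless, so a pending OOM gets a second exception stacked on it.
static bool createNotAFunctionError_unchecked(VM& vm, const Value& callee) {
    auto desc = errorDescriptionForValue(vm, callee);
    vm.throwException(desc.value_or("<unresolved>") + " is not a function");
    return true;
}

// Checked shape: after any step that can throw, test the exception slot and
// propagate the existing exception instead of creating another one.
static bool createNotAFunctionError_checked(VM& vm, const Value& callee) {
    auto desc = errorDescriptionForValue(vm, callee);
    if (vm.hasPending())
        return false;   // let the out-of-memory error propagate unchanged
    vm.throwException(*desc + " is not a function");
    return true;
}

// Call-site helper standing in for the LLInt slow path: refuse to call
// non-callables, reporting via one of the two builders. Returns true when a
// not-a-function error was newly created.
static bool callValue(VM& vm, const Value& callee, bool checked) {
    if (callee.kind == Value::Object && callee.callable)
        return false;   // a real call would happen here
    return checked ? createNotAFunctionError_checked(vm, callee)
                   : createNotAFunctionError_unchecked(vm, callee);
}

// Constructed inputs mirroring the PoC: a huge rope and a small flat string.
static Value hugeRope() { Value v; v.kind = Value::Rope; v.ropeLength = 0x7fffffffULL; return v; }
static Value smallString() { Value v; v.kind = Value::Flat; v.flat = "abc"; return v; }
```

Calling the huge rope through the unchecked builder leaves two exceptions in the slot with nestedThrows at 1, the condition the assertion in the report detects; the checked builder leaves only the out-of-memory error and reports that it created nothing new, while a small flat string still yields the ordinary "is not a function" message.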
dwfault
Comment 1
2019-03-17 22:29:20 PDT
Reproducible on WebKit on macOS and Linux. Commit id 7423a6649, March 16 2019.
Radar WebKit Bug Importer
Comment 2
2019-03-18 18:55:44 PDT
<rdar://problem/49003758>
dwfault
Comment 3
2019-03-27 19:49:14 PDT
*** This bug has been marked as a duplicate of bug 196032 ***