196306 – [WebKit/JavaScriptCore] Assertion failed at Source/JavaScriptCore/runtime/JSArray.h:276

Bug 196306 - [WebKit/JavaScriptCore] Assertion failed at Source/JavaScriptCore/runtime/JSArray.h:276

Summary: [WebKit/JavaScriptCore] Assertion failed at Source/JavaScriptCore/runtime/JSA...

Status:	RESOLVED INVALID

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-03-27 11:11 PDT by Suyoung Lee
Modified:	2019-03-28 11:08 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Suyoung Lee 2019-03-27 11:11:58 PDT

The debug build of JavaScriptCore failed assertion at Source/JavaScriptCore/runtime/JSArray.h:276.

PoC:
var var_0 = [];
for (var var_1 = 0; var_1 < 100000; ++var_1)
    var_0.push(new Array(var_1));

Commit: 6369975
OS: Ubuntu 18.04.1 LTS
Arch: x86_64

Comment 1 Alexey Proskuryakov 2019-03-28 11:08:45 PDT

This test hits out of memory, so the process is intentionally terminated.