Bug 209420 - LeakSanitizer detects false-positive memory leaks in JIT code
Status: RESOLVED INVALID
https://bugs.webkit.org/show_bug.cgi?id=209420
hearmen
Reported 2020-03-23 05:12:28 PDT
Running jsc with `/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc --validateOptions=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true poc.js` detects a memory leak.

PoC:

```js
// poc.js. createGlobalObject(), noDFG() and noFTL() are jsc shell built-ins:
// a fresh global object, and a request that main() never be compiled by the
// DFG or FTL optimizing tiers.
function main() {
    const v1 = createGlobalObject();
    for (let v5 = 0; v5 < 7; v5++) {
        with (v1) {
            const v8 = [1337];
            const v12 = v8.constructor;
            const v13 = Reflect.construct(v12, Object, Promise);
            const v15 = [1337, 1337, 1337, 1337, -9007199254740991];
            function v17(v18, v19) {
                const v21 = [1337, -1000.0];
                function v22(v23, v24, v25, v26) {
                    'use strict';
                    const v29 = [13.37, 13.37];
                    const v30 = v29.__proto__;
                    v30.constructor = Array;
                }
                const v32 = new Int32Array(v21);
                const v33 = v32.find(v22);
            }
            const v34 = v15.filter(v17);
        }
    }
}
noDFG(main);
noFTL(main);
main();
```

```
'/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc' --validateOptions=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true '/home/android/Desktop/JSC_Crash/new/crash_1583101047969_823_deterministic_6.js'
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
```
=================================================================
==17233==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 288 byte(s) in 2 object(s) allocated from:
    #0 0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
    #2 0x7fbe30a7af41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
    #3 0x7fbe308ed945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
    #4 0x7fbe308edebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
    #5 0x7fbe308ecbc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
    #6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
    #7 0x7fbe2f3017c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
    #8 0x7fbe2f366850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
    #9 0x7fbe2f30426e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
    #10 0x7fbe2f306975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
    #11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
    #12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
    #13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
    #14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
    #15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
    #16 0x7fbe2d712837 in void* JSC::tryAllocateCellHelper<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x3779837)
    #17 0x7fbe2d70c33f in void* JSC::allocateCell<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x377333f)
    #18 0x7fbe2e919ae1 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::createUninitialized(JSC::JSGlobalObject*, JSC::Structure*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4980ae1)
    #19 0x7fbe2e8f30e3 in JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, JSC::Structure*, long, unsigned int, WTF::Optional<unsigned int>) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x495a0e3)
    #20 0x7fbe2feb8722 in long JSC::constructGenericTypedArrayView<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, JSC::CallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5f1f722)
    #21 0x7fbde3fff0c6 (<unknown module>)
    #22 0x7fbde4001031 (<unknown module>)
    #23 0x7fbde400281c (<unknown module>)
    #24 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675)
    #25 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675)
    #26 0x7fbe2f7e8dbe (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x584fdbe)
    #27 0x7fbe2f5cc944 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5633944)
    #28 0x7fbe2f5b5d7a in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x561cd7a)
    #29 0x7fbe2fc6a1d7 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5cd11d7)

Direct leak of 288 byte(s) in 2 object(s) allocated from:
    #0 0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
    #2 0x7fbe30a7af41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
    #3 0x7fbe308ed945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
    #4 0x7fbe308edebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
    #5 0x7fbe308ecbc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
    #6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
    #7 0x7fbe2f3017c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
    #8 0x7fbe2f366850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
    #9 0x7fbe2f30426e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
    #10 0x7fbe2f306975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
    #11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
    #12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
    #13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
    #14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
    #15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
    #16 0x7fbe2d712837 in void* JSC::tryAllocateCellHelper<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x3779837)
    #17 0x7fbe2d70c33f in void* JSC::allocateCell<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x377333f)
    #18 0x7fbe2e919ae1 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::createUninitialized(JSC::JSGlobalObject*, JSC::Structure*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4980ae1)
    #19 0x7fbe2e8f30e3 in JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, JSC::Structure*, long, unsigned int, WTF::Optional<unsigned int>) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x495a0e3)
    #20 0x7fbe2feb8722 in long JSC::constructGenericTypedArrayView<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, JSC::CallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5f1f722)
    #21 0x7fbde3fff0c6 (<unknown module>)
    #22 0x7fbde4001031 (<unknown module>)
    #23 0x7fbde4002136 (<unknown module>)
    #24 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675)
    #25 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675)
    #26 0x7fbe2f7e8dbe (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x584fdbe)
    #27 0x7fbe2f5cc944 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5633944)
    #28 0x7fbe2f5b5d7a in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x561cd7a)
    #29 0x7fbe2fc6a1d7 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5cd11d7)

Direct leak of 192 byte(s) in 1 object(s) allocated from:
    #0 0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
    #2 0x7fbe30a7af41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
    #3 0x7fbe308ed945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
    #4 0x7fbe308edebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
    #5 0x7fbe308ecbc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
    #6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
    #7 0x7fbe2f3017c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
    #8 0x7fbe2f366850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
    #9 0x7fbe2f30426e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
    #10 0x7fbe2f306975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
    #11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
    #12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
    #13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
    #14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
    #15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
    #16 0x7fbe2e0deab9 in void* JSC::tryAllocateCellHelper<JSC::SymbolTable>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4145ab9)
    #17 0x7fbe2e0bd474 in void* JSC::allocateCell<JSC::SymbolTable>(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4124474)
    #18 0x7fbe2e0ab790 in JSC::SymbolTable::create(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4112790)
    #19 0x7fbe2e02b4af in JSC::BytecodeGenerator::pushLexicalScopeInternal(JSC::VariableEnvironment&, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, JSC::BytecodeGenerator::TDZRequirement, JSC::BytecodeGenerator::ScopeType, JSC::BytecodeGenerator::ScopeRegisterType) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40924af)
    #20 0x7fbe2e02b180 in JSC::BytecodeGenerator::pushLexicalScope(JSC::VariableEnvironmentNode*, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4092180)
    #21 0x7fbe2e08a2cb in JSC::ForNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40f12cb)
    #22 0x7fbe2e0b7539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
    #23 0x7fbe2e0bc7b3 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x41237b3)
    #24 0x7fbe2e087c33 in JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40eec33)
    #25 0x7fbe2e0b7539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
    #26 0x7fbe2e0bc7b3 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x41237b3)
    #27 0x7fbe2e0bcb27 in JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4123b27)
    #28 0x7fbe2e09602e in JSC::FunctionNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40fd02e)
    #29 0x7fbe2e016691 in JSC::BytecodeGenerator::generate() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x407d691)

Direct leak of 192 byte(s) in 1 object(s) allocated from:
    #0 0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
    #2 0x7fbe30a7af41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
    #3 0x7fbe308ed945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
    #4 0x7fbe308edebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
    #5 0x7fbe308ecbc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
    #6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
    #7 0x7fbe2f3017c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
    #8 0x7fbe2f366850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
    #9 0x7fbe2f30426e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
    #10 0x7fbe2f306975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
    #11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
    #12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
    #13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
    #14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
    #15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
    #16 0x7fbe2e0deab9 in void* JSC::tryAllocateCellHelper<JSC::SymbolTable>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4145ab9)
    #17 0x7fbe2e0bd474 in void* JSC::allocateCell<JSC::SymbolTable>(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4124474)
    #18 0x7fbe2e0ab790 in JSC::SymbolTable::create(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4112790)
    #19 0x7fbe2e02b4af in JSC::BytecodeGenerator::pushLexicalScopeInternal(JSC::VariableEnvironment&, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, JSC::BytecodeGenerator::TDZRequirement, JSC::BytecodeGenerator::ScopeType, JSC::BytecodeGenerator::ScopeRegisterType) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40924af)
    #20 0x7fbe2e02b180 in JSC::BytecodeGenerator::pushLexicalScope(JSC::VariableEnvironmentNode*, JSC::BytecodeGenerator::TDZCheckOptimization, JSC::BytecodeGenerator::NestedScopeType, JSC::RegisterID**, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4092180)
    #21 0x7fbe2e087bf3 in JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40eebf3)
    #22 0x7fbe2e0b7539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
    #23 0x7fbe2e091077 in JSC::WithNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40f8077)
    #24 0x7fbe2e0b7539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
    #25 0x7fbe2e0bc7b3 in JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x41237b3)
    #26 0x7fbe2e087c33 in JSC::BlockNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40eec33)
    #27 0x7fbe2e0b7539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)
    #28 0x7fbe2e08a4e2 in JSC::ForNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x40f14e2)
    #29 0x7fbe2e0b7539 in JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x411e539)

Direct leak of 160 byte(s) in 1 object(s) allocated from:
    #0 0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
    #2 0x7fbe30a7af41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
    #3 0x7fbe308ed945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
    #4 0x7fbe308edebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
    #5 0x7fbe308ecbc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
    #6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
    #7 0x7fbe2f3017c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
    #8 0x7fbe2f366850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
    #9 0x7fbe2f30426e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
    #10 0x7fbe2f306975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
    #11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
    #12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
    #13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
    #14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
    #15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
    #16 0x7fbe300c429d in void* JSC::tryAllocateCellHelper<JSC::PropertyTable>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x612b29d)
    #17 0x7fbe300c208f in void* JSC::allocateCell<JSC::PropertyTable>(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x612908f)
    #18 0x7fbe3009e932 in JSC::PropertyTable::create(JSC::VM&, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6105932)
    #19 0x7fbe301507cf in JSC::Structure::materializePropertyTable(JSC::VM&, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61b77cf)
    #20 0x7fbe3015348c in JSC::Structure::takePropertyTableOrCloneIfPinned(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61ba48c)
    #21 0x7fbe30151bfb in JSC::Structure::addNewPropertyTransition(JSC::VM&, JSC::Structure*, JSC::PropertyName, unsigned int, int&, JSC::PutPropertySlot::Context, JSC::DeferredStructureTransitionWatchpointFire*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61b8bfb)
    #22 0x4c5d7c in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c5d7c)
    #23 0x4a7816 in JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a7816)
    #24 0x7fbe2fdc1631 in JSC::JSFunction::finishCreation(JSC::VM&, JSC::NativeExecutable*, int, WTF::String const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e28631)
    #25 0x7fbe2fdc0ced in JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, JSC::NativeFunction, JSC::Intrinsic, JSC::NativeFunction, JSC::DOMJIT::Signature const*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e27ced)
    #26 0x7fbe2fced2a6 in JSC::FunctionPrototype::addFunctionProperties(JSC::VM&, JSC::JSGlobalObject*, JSC::JSFunction**, JSC::JSFunction**, JSC::JSFunction**) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5d542a6)
    #27 0x7fbe2fe09b04 in JSC::JSGlobalObject::init(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e70b04)
    #28 0x7fbe2fe1f2fb in JSC::JSGlobalObject::finishCreation(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e862fb)
    #29 0x4b6d42 in GlobalObject::finishCreation(JSC::VM&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4b6d42)

Direct leak of 160 byte(s) in 1 object(s) allocated from:
    #0 0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458)
    #2 0x7fbe30a7af41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41)
    #3 0x7fbe308ed945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945)
    #4 0x7fbe308edebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd)
    #5 0x7fbe308ecbc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5)
    #6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b)
    #7 0x7fbe2f3017c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1)
    #8 0x7fbe2f366850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850)
    #9 0x7fbe2f30426e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e)
    #10 0x7fbe2f306975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975)
    #11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180)
    #12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c)
    #13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346)
    #14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123)
    #15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5)
    #16 0x7fbe300c429d in void* JSC::tryAllocateCellHelper<JSC::PropertyTable>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x612b29d)
    #17 0x7fbe300c208f in void* JSC::allocateCell<JSC::PropertyTable>(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x612908f)
    #18 0x7fbe3009e932 in JSC::PropertyTable::create(JSC::VM&, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6105932)
    #19 0x7fbe301507cf in JSC::Structure::materializePropertyTable(JSC::VM&, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61b77cf)
    #20 0x7fbe3015348c in JSC::Structure::takePropertyTableOrCloneIfPinned(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61ba48c)
    #21 0x7fbe30151bfb in JSC::Structure::addNewPropertyTransition(JSC::VM&, JSC::Structure*, JSC::PropertyName, unsigned int, int&, JSC::PutPropertySlot::Context, JSC::DeferredStructureTransitionWatchpointFire*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x61b8bfb)
    #22 0x4c5d7c in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c5d7c)
    #23 0x4a7816 in JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a7816)
    #24 0x7fbe2fdc1722 in JSC::JSFunction::finishCreation(JSC::VM&, JSC::NativeExecutable*, int, WTF::String const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e28722)
    #25 0x7fbe2fdc0ced in JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, JSC::NativeFunction, JSC::Intrinsic, JSC::NativeFunction, JSC::DOMJIT::Signature const*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e27ced)
    #26 0x7fbe2fe0a7e3 in JSC::JSGlobalObject::init(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e717e3)
    #27 0x7fbe2fe1f2fb in JSC::JSGlobalObject::finishCreation(JSC::VM&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5e862fb)
    #28 0x4b6d42 in GlobalObject::finishCreation(JSC::VM&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4b6d42)
    #29 0x4b6045 in GlobalObject::create(JSC::VM&, JSC::Structure*, WTF::Vector<WTF::String, 0ul,
WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4b6045) Direct leak of 160 byte(s) in 7 object(s) allocated from: #0 0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90) #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458) #2 0x7fbe30a7b04b in bmalloc::Cache::allocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae204b) #3 0x7fbe308eda05 in bmalloc::Cache::allocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954a05) #4 0x7fbe308ededf in bmalloc::api::malloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954edf) #5 0x7fbe308ec468 in WTF::fastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953468) #6 0x493487 in WTF::FastMalloc::malloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x493487) #7 0x7fbe30a0fa63 in WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::createUninitializedInternalNonEmpty<unsigned char>(unsigned int, unsigned char*&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a76a63) #8 0x7fbe30a0f86a in WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::createInternal<unsigned char>(unsigned char const*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a7686a) #9 0x7fbe309fdd6e in WTF::StringImpl::create(unsigned char const*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a64d6e) 
#10 0x7fbe309e5b13 in WTF::LCharBufferTranslator::translate(WTF::Packed<WTF::StringImpl*>&, WTF::HashTranslatorCharBuffer<unsigned char> const&, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a4cb13) #11 0x7fbe309eeaef in void WTF::HashSetTranslatorAdapter<WTF::LCharBufferTranslator>::translate<WTF::Packed<WTF::StringImpl*>, WTF::HashTranslatorCharBuffer<unsigned char> >(WTF::Packed<WTF::StringImpl*>&, WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a55aef) #12 0x7fbe309ec2ee in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > > > WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::addPassingHashCode<WTF::HashSetTranslatorAdapter<WTF::LCharBufferTranslator>, WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&>(WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a532ee) #13 0x7fbe309e92b0 in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > > > WTF::HashSet<WTF::Packed<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::add<WTF::LCharBufferTranslator, 
WTF::HashTranslatorCharBuffer<unsigned char> >(WTF::HashTranslatorCharBuffer<unsigned char> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a502b0) #14 0x7fbe309e2dfb in WTF::Ref<WTF::AtomStringImpl, WTF::DumbPtrTraits<WTF::AtomStringImpl> > WTF::addToStringTable<WTF::HashTranslatorCharBuffer<unsigned char>, WTF::LCharBufferTranslator>(WTF::AtomStringTableLocker&, WTF::HashSet<WTF::Packed<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >&, WTF::HashTranslatorCharBuffer<unsigned char> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a49dfb) #15 0x7fbe309e186f in WTF::Ref<WTF::AtomStringImpl, WTF::DumbPtrTraits<WTF::AtomStringImpl> > WTF::addToStringTable<WTF::HashTranslatorCharBuffer<unsigned char>, WTF::LCharBufferTranslator>(WTF::HashTranslatorCharBuffer<unsigned char> const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a4886f) #16 0x7fbe309deb0e in WTF::AtomStringImpl::add(unsigned char const*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6a45b0e) #17 0x7fbe2d71e69e in WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > JSC::Identifier::add<unsigned char>(JSC::VM&, unsigned char const*, int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x378569e) #18 0x7fbe2d71d920 in JSC::Identifier::Identifier(JSC::VM&, unsigned char const*, int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x3784920) #19 0x7fbe2d71e1af in JSC::Identifier::fromString(JSC::VM&, unsigned char const*, int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x37851af) #20 0x7fbe2e0db2a1 in JSC::Identifier const& JSC::IdentifierArena::makeIdentifier<unsigned char>(JSC::VM&, unsigned char const*, unsigned long) 
(/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x41422a1) #21 0x7fbe2f87e5da in JSC::Lexer<unsigned char>::makeIdentifier(unsigned char const*, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x58e55da) #22 0x7fbe2f8d05b9 in JSC::JSTokenType JSC::Lexer<unsigned char>::parseIdentifier<true>(JSC::JSTokenData*, WTF::OptionSet<JSC::LexerFlags>, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x59375b9) #23 0x7fbe2f8795ac in JSC::Lexer<unsigned char>::lexWithoutClearingLineTerminator(JSC::JSToken*, WTF::OptionSet<JSC::LexerFlags>, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x58e05ac) #24 0x7fbe2f875262 in JSC::Lexer<unsigned char>::lex(JSC::JSToken*, WTF::OptionSet<JSC::LexerFlags>, bool) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x58dc262) #25 0x7fbe2f8af5a5 in JSC::Parser<JSC::Lexer<unsigned char> >::next(WTF::OptionSet<JSC::LexerFlags>) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x59165a5) #26 0x7fbe2f99a04d in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseVariableDeclarationList<JSC::ASTBuilder>(JSC::ASTBuilder&, int&, JSC::ASTBuilder::DestructuringPattern&, JSC::ASTBuilder::Expression&, JSC::JSTextPosition&, JSC::JSTextPosition&, JSC::JSTextPosition&, JSC::Parser<JSC::Lexer<unsigned char> >::VarDeclarationListContext, JSC::DeclarationType, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType, bool&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5a0104d) #27 0x7fbe2f952fa3 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseVariableDeclaration<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::DeclarationType, JSC::Parser<JSC::Lexer<unsigned char> >::ExportType) 
(/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x59b9fa3) #28 0x7fbe2f9214f6 in JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatementListItem<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x59884f6) #29 0x7fbe2f8e497d in JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x594b97d) Direct leak of 144 byte(s) in 1 object(s) allocated from: #0 0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90) #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458) #2 0x7fbe30a7af41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41) #3 0x7fbe308ed945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945) #4 0x7fbe308edebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd) #5 0x7fbe308ecbc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5) #6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b) #7 0x7fbe2f3017c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1) #8 
0x7fbe2f366850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850) #9 0x7fbe2f30426e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e) #10 0x7fbe2f306975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975) #11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180) #12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c) #13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346) #14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123) #15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5) #16 0x7fbe2d712837 in void* JSC::tryAllocateCellHelper<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) 
(/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x3779837) #17 0x7fbe2d70c33f in void* JSC::allocateCell<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x377333f) #18 0x7fbe2e919ae1 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::createUninitialized(JSC::JSGlobalObject*, JSC::Structure*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4980ae1) #19 0x7fbe2e8f30e3 in JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, JSC::Structure*, long, unsigned int, WTF::Optional<unsigned int>) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x495a0e3) #20 0x7fbe2feb8722 in long JSC::constructGenericTypedArrayView<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, JSC::CallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5f1f722) #21 0x7fbde3fff0c6 (<unknown module>) #22 0x7fbde4001271 (<unknown module>) #23 0x7fbe2f8035de (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a5de) #24 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675) #25 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675) #26 0x7fbe2f7e8dbe (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x584fdbe) #27 0x7fbe2f5cc944 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5633944) #28 0x7fbe2f5b5d7a in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 
(/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x561cd7a) #29 0x7fbe2fc6a1d7 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5cd11d7) Direct leak of 144 byte(s) in 1 object(s) allocated from: #0 0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90) #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458) #2 0x7fbe30a7af41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41) #3 0x7fbe308ed945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945) #4 0x7fbe308edebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd) #5 0x7fbe308ecbc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5) #6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b) #7 0x7fbe2f3017c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1) #8 0x7fbe2f366850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850) #9 0x7fbe2f30426e in JSC::IsoSubspace::tryAllocateFromLowerTier() 
(/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e) #10 0x7fbe2f306975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975) #11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180) #12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c) #13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346) #14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123) #15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5) #16 0x7fbe2d712837 in void* JSC::tryAllocateCellHelper<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x3779837) #17 0x7fbe2d70c33f in void* JSC::allocateCell<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x377333f) #18 
0x7fbe2e919ae1 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::createUninitialized(JSC::JSGlobalObject*, JSC::Structure*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4980ae1) #19 0x7fbe2e8f30e3 in JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, JSC::Structure*, long, unsigned int, WTF::Optional<unsigned int>) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x495a0e3) #20 0x7fbe2feb8722 in long JSC::constructGenericTypedArrayView<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, JSC::CallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5f1f722) #21 0x7fbde3fff0c6 (<unknown module>) #22 0x7fbde4001031 (<unknown module>) #23 0x7fbe2f8035de (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a5de) #24 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675) #25 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675) #26 0x7fbe2f7e8dbe (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x584fdbe) #27 0x7fbe2f5cc944 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5633944) #28 0x7fbe2f5b5d7a in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x561cd7a) #29 0x7fbe2fc6a1d7 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5cd11d7) Direct leak of 144 byte(s) in 1 object(s) allocated from: #0 
0x7fbe340f5b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90) #1 0x7fbe30a7d458 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae4458) #2 0x7fbe30a7af41 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6ae1f41) #3 0x7fbe308ed945 in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954945) #4 0x7fbe308edebd in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6954ebd) #5 0x7fbe308ecbc5 in WTF::tryFastMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x6953bc5) #6 0x49356b in WTF::FastMalloc::tryMalloc(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x49356b) #7 0x7fbe2f3017c1 in JSC::IsoAlignedMemoryAllocator::tryAllocateMemory(unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53687c1) #8 0x7fbe2f366850 in JSC::PreciseAllocation::createForLowerTier(JSC::Heap&, unsigned long, JSC::Subspace*, unsigned char) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x53cd850) #9 0x7fbe2f30426e in JSC::IsoSubspace::tryAllocateFromLowerTier() (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536b26e) #10 0x7fbe2f306975 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x536d975) #11 0x4ac180 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, 
JSC::AllocationFailureMode)::{lambda()#1}::operator()() const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac180) #12 0x4c865c in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1}>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::{lambda()#1} const&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4c865c) #13 0x4ac346 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4ac346) #14 0x4a9123 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4a9123) #15 0x4abfc5 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/DebugASAN/bin/jsc+0x4abfc5) #16 0x7fbe2d712837 in void* JSC::tryAllocateCellHelper<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x3779837) #17 0x7fbe2d70c33f in void* JSC::allocateCell<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::Heap&, unsigned long) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x377333f) #18 0x7fbe2e919ae1 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::createUninitialized(JSC::JSGlobalObject*, JSC::Structure*, unsigned int) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x4980ae1) #19 0x7fbe2e8f30e3 in JSC::JSObject* JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, 
JSC::Structure*, long, unsigned int, WTF::Optional<unsigned int>) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x495a0e3) #20 0x7fbe2feb8722 in long JSC::constructGenericTypedArrayView<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> >(JSC::JSGlobalObject*, JSC::CallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5f1f722) #21 0x7fbde3fff0c6 (<unknown module>) #22 0x7fbde4001271 (<unknown module>) #23 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675) #24 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675) #25 0x7fbe2f803675 (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x586a675) #26 0x7fbe2f7e8dbe (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x584fdbe) #27 0x7fbe2f5cc944 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5633944) #28 0x7fbe2f5b5d7a in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x561cd7a) #29 0x7fbe2fc6a1d7 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/home/android/Desktop/fuzzilli/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1+0x5cd11d7) SUMMARY: AddressSanitizer: 1872 byte(s) leaked in 18 allocation(s). ```
Radar WebKit Bug Importer
Comment 1 2020-03-23 05:12:41 PDT
Yusuke Suzuki
Comment 2 2020-03-24 14:42:36 PDT
This is not leaking memory. LowerTier cells are chained by the VM in a PackedRawSentinelNode manner, and they will be destroyed when the VM is destroyed. This PoC does not destroy the VM.
Darin Adler
Comment 3 2020-03-24 14:51:44 PDT
Can we do something to un-confuse Address Sanitizer?
Yusuke Suzuki
Comment 4 2020-03-24 15:01:34 PDT
(In reply to Darin Adler from comment #3)
> Can we do something to un-confuse Address Sanitizer?

I think the easiest way is adding a `--destroy-vm` option to the JSC shell CLI to ensure that the VM gets destroyed. Currently, the JSC shell mimics the behavior of the WebProcess's main thread (which does not destroy the VM).
Yusuke Suzuki
Comment 5 2020-03-24 15:04:08 PDT
(In reply to Yusuke Suzuki from comment #4)
> (In reply to Darin Adler from comment #3)
> > Can we do something to un-confuse Address Sanitizer?
>
> I think the easiest way is putting `--destroy-vm` to JSC shell cli to ensure
> that VM gets destroyed. Currently, JSC shell is mimicking the behavior of
> WebProcess's main thread (not destroying VM).

However, even in that case, we cannot avoid LeakSanitizer's false positives. In JSC, we have packed pointers to improve memory usage in various places, and LeakSanitizer cannot chase these pointers, so it reports false-positive leaks. Currently, LeakSanitizer does not have an interface that allows chasing them, so we do not have any solid way to remove the false-positive leaks in this case.
Yusuke Suzuki
Comment 6 2020-03-24 15:08:37 PDT
(In reply to Yusuke Suzuki from comment #5)
> (In reply to Yusuke Suzuki from comment #4)
> > (In reply to Darin Adler from comment #3)
> > > Can we do something to un-confuse Address Sanitizer?
> >
> > I think the easiest way is putting `--destroy-vm` to JSC shell cli to ensure
> > that VM gets destroyed. Currently, JSC shell is mimicking the behavior of
> > WebProcess's main thread (not destroying VM).
>
> However, even in that case, we cannot avoid leak sanitizer's false-positive
> cases.
> In JSC, we have packed-pointers to improve memory usage in various places.
> And leak sanitizer cannot chase these pointers and report false-positive
> leaks.
> Currently, leak-sanitizer does not have an interface to allow chasing this,
> so we do not have any solid way to remove false-positive leaks in this case.

This case is one of those: LeakSanitizer cannot chase PackedRawSentinelNode's pointer links.
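An added illustration, not part of the bug report or of WebKit's code, of the mechanism comments 2, 5 and 6 describe. LeakSanitizer decides what is still referenced by scanning memory for word-aligned, full-width pointer values; a pointer packed into 6 bytes (JSC's `Packed<T*>` and `PackedRawSentinelNode`) is never recognised, so cells that the VM could still unlink and destroy are reported as leaked when the process exits without destroying the VM. The C program below models that with a global owner that links heap nodes only through 48-bit packed pointers. `node`, `vm`, `pack`, `unpack`, `build_chain`, `destroy_chain`, `annotate_chain_for_lsan` and the `--no-teardown`/`--annotate` flags are this example's own names; `destroy_chain` stands in for the VM destruction that the `--destroy-vm` shell option proposed in comment 4 would perform.

```c
/* packed_chain.c: added example, not WebKit code.
 *
 * LeakSanitizer finds live memory by scanning for full-width, word-aligned
 * pointer values.  A 48-bit pointer packed into 6 bytes (as JSC's
 * Packed<T*> and PackedRawSentinelNode do) is invisible to that scan, so
 * everything hanging off it is reported as leaked even though its owner
 * (the `vm` record here, the VM in JSC) can still walk and free it.
 *
 * cc -g -fsanitize=address packed_chain.c && ./a.out [--no-teardown] [--annotate]
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pull in the LSan interface only when really building with ASan/LSan. */
#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_LSAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_LSAN 1
#  endif
#endif
#ifdef HAVE_LSAN
#  include <sanitizer/lsan_interface.h>
#endif

/* A 48-bit pointer stored byte-wise in 6 bytes (cf. WTF::Packed<T*>). */
typedef struct { unsigned char b[6]; } packed_ptr;

packed_ptr pack(const void *p) {
    packed_ptr out; uintptr_t v = (uintptr_t)p;
    for (int i = 0; i < 6; i++) out.b[i] = (unsigned char)(v >> (8 * i));
    return out;
}
void *unpack(packed_ptr pp) {
    uintptr_t v = 0;
    for (int i = 0; i < 6; i++) v |= (uintptr_t)pp.b[i] << (8 * i);
    return (void *)v;
}

/* Field order matters: the link occupies bytes 2..7, so the aligned word at
 * offset 0 holds tag|link<<16, never the bare pointer value LSan looks for. */
typedef struct node { uint16_t tag; packed_ptr next; uint32_t id; } node;

/* The owner.  In JSC this is the VM, whose destructor unlinks and destroys
 * its lower-tier cells; the JSC shell in the report never destroys it. */
static struct { uint16_t tag; packed_ptr head; uint32_t count; } vm;

size_t build_chain(unsigned n) {
    for (unsigned i = 0; i < n; i++) {
        node *nd = malloc(sizeof *nd);
        if (!nd) abort();
        nd->tag = 0xBEEF; nd->id = i;
        nd->next = vm.head;           /* push front through packed links */
        vm.head = pack(nd);
        vm.count++;
    }
    return vm.count;
}

size_t chain_length(void) {
    size_t len = 0;
    for (node *nd = unpack(vm.head); nd; nd = unpack(nd->next)) len++;
    return len;
}

/* The equivalent of destroying the VM: every node is reachable and freed. */
size_t destroy_chain(void) {
    size_t freed = 0;
    for (node *nd = unpack(vm.head), *next; nd; nd = next, freed++) {
        next = unpack(nd->next);
        free(nd);
    }
    memset(&vm, 0, sizeof vm);
    return freed;
}

/* Alternative when teardown is not wanted: mark the nodes as owned so LSan
 * stops reporting them.  Returns the count annotated (0 without ASan). */
size_t annotate_chain_for_lsan(void) {
    size_t n = 0;
#ifdef HAVE_LSAN
    for (node *nd = unpack(vm.head); nd; nd = unpack(nd->next), n++)
        __lsan_ignore_object(nd);
#endif
    return n;
}

int main(int argc, char **argv) {
    int teardown = 1, annotate = 0;
    for (int i = 1; i < argc; i++) {
        if (!strcmp(argv[i], "--no-teardown")) teardown = 0;
        if (!strcmp(argv[i], "--annotate")) annotate = 1;
    }
    build_chain(7);   /* the PoC's loop also runs 7 iterations */
    printf("nodes reachable through packed links: %zu\n", chain_length());
    if (annotate) printf("annotated %zu nodes for LSan\n", annotate_chain_for_lsan());
    if (teardown) printf("freed %zu nodes at teardown\n", destroy_chain());
    return 0;
}
```

Compiled with `-fsanitize=address` on Linux (on macOS add `ASAN_OPTIONS=detect_leaks=1`) and run with `--no-teardown`, LSan attributes the nodes to `build_chain` in the same way the report attributes the cells to `IsoSubspace::tryAllocateFromLowerTier`; run with teardown it stays silent, because the memory was reachable all along. `--annotate` shows the other escape hatch, `__lsan_ignore_object()`, which has to be applied per object at allocation sites you control. A suppressions file (`LSAN_OPTIONS=suppressions=lsan.supp` containing a line such as `leak:JSC::IsoSubspace::tryAllocateFromLowerTier`) also hides the reports, but it equally hides any real leak whose stack passes through that frame, so destroying the VM at shell exit is the more trustworthy check.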
Yusuke Suzuki
Comment 7 2020-03-24 19:41:23 PDT
*** Bug 209418 has been marked as a duplicate of this bug. ***