222399 – Assertion Failed when creating a huge array

NEW 222399

Assertion Failed when creating a huge array

https://bugs.webkit.org/show_bug.cgi?id=222399

Summary Assertion Failed when creating a huge array

sunlili

Reported 2021-02-24 19:26:50 PST

Hello, an assertion fail will be triggered in the latest jsc (debug, static) when executing following testcase: var arr = []; for (let i = 0; i < 100000; i++) { arr[i] = new Array(i); } The output is: ASSERTION FAILED: result ../../Source/JavaScriptCore/runtime/JSArray.h(282) : static JSC::JSArray *JSC::JSArray::create(JSC::VM &, JSC::Structure *, unsigned int) Aborted (core dumped) It seems to be an OOM bug. ISec Lab. 2021.2.25

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2021-03-03 19:27:16 PST

<rdar://problem/75016802>

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2021-02-24 19:26 PST

Modified

2021-03-03 19:27 PST History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks