NEW
227286
ASSERTION FAILED in ../../Source/JavaScriptCore/heap/CompleteSubspace.cpp
https://bugs.webkit.org/show_bug.cgi?id=227286
Summary
ASSERTION FAILED in ../../Source/JavaScriptCore/heap/CompleteSubspace.cpp
anbu1024.me
Reported
2021-06-23 05:11:03 PDT
version
```
commit 20df2033c26bc4f5e4c78572259f3e46335d307d (HEAD -> main, origin/main, origin/HEAD)
Author: Darin Adler <darin@apple.com>
Date:   Wed Jun 23 01:33:57 2021 +0000
```
build
```
Tools/Scripts/build-jsc --jsc-only --debug
```
testcase
```
function foo() {
    let x = new Array(117440512);
    x['SyntaxError'] = 1.1;
    var y = foo();
}
foo();
```
error message
```
ASSERTION FAILED: result
../../Source/JavaScriptCore/heap/CompleteSubspace.cpp(116) : void* JSC::CompleteSubspace::allocateSlow(JSC::VM&, size_t, JSC::GCDeferralContext*, JSC::AllocationFailureMode)
Aborted (core dumped)
```
backtrace
```
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff42d1859 in __GI_abort () at abort.c:79
#2  0x00007ffff4a7ef20 in CRASH_WITH_INFO(...) () at WTF/Headers/wtf/Assertions.h:744
#3  0x00007ffff5959714 in JSC::CompleteSubspace::allocateSlow (this=0x7fffb1701750, vm=..., size=0x38000028, deferralContext=0x0, failureMode=JSC::AllocationFailureMode::Assert) at ../../Source/JavaScriptCore/heap/CompleteSubspace.cpp:116
#4  0x00007ffff4afae28 in JSC::CompleteSubspace::allocateNonVirtual (this=0x7fffb1701750, vm=..., size=0x38000028, deferralContext=0x0, failureMode=JSC::AllocationFailureMode::Assert) at ../../Source/JavaScriptCore/heap/CompleteSubspaceInlines.h:40
#5  0x00007ffff545d51c in JSC::Butterfly::createUninitialized (vm=..., preCapacity=0x0, propertyCapacity=0x4, hasIndexingHeader=0x1, indexingPayloadSizeInBytes=0x38000000) at ../../Source/JavaScriptCore/runtime/ButterflyInlines.h:92
#6  0x00007ffff60b2456 in JSC::Butterfly::createOrGrowPropertyStorage (oldButterfly=0x7fe36960f070, vm=..., intendedOwner=0x7fffb0fbfeb0, structure=0x7fffb0ff9c00, oldPropertyCapacity=0x0, newPropertyCapacity=0x4) at ../../Source/JavaScriptCore/runtime/ButterflyInlines.h:141
#7  0x00007ffff60a8396 in JSC::JSObject::allocateMoreOutOfLineStorage (this=0x7fffb0fbfeb0, vm=..., oldSize=0x0, newSize=0x4) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:3586
#8  0x00007ffff546b705 in JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0> (this=0x7fffb0fbfeb0, vm=..., propertyName=..., value=..., attributes=0x0, slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:367
#9  0x00007ffff545f8f8 in JSC::JSObject::putInlineFast (this=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:286
#10 0x00007ffff609ac3f in JSC::JSObject::definePropertyOnReceiver (globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:911
#11 0x00007ffff609a63a in JSC::JSObject::putInlineSlow (this=0x7ffff19b57e8, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:863
#12 0x00007ffff545f76c in JSC::JSObject::putInlineForJSObject (cell=0x7ffff19b57e8, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:272
#13 0x00007ffff6099cdf in JSC::JSObject::put (cell=0x7ffff19b57e8, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:760
#14 0x00007ffff5fb3977 in JSC::JSArray::put (cell=0x7ffff19b57e8, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSArray.cpp:264
#15 0x00007ffff6099ed1 in JSC::JSObject::putInlineSlow (this=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:779
#16 0x00007ffff545f76c in JSC::JSObject::putInlineForJSObject (cell=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObjectInlines.h:272
#17 0x00007ffff6099cdf in JSC::JSObject::put (cell=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:760
#18 0x00007ffff5fb3977 in JSC::JSArray::put (cell=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSArray.cpp:264
#19 0x00007ffff5458a03 in JSC::JSCell::putInline (this=0x7fffb0fbfeb0, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:448
#20 0x00007ffff545a4d7 in JSC::JSValue::putInline (this=0x7fffffffc608, globalObject=0x7fffb13f6068, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1072
#21 0x00007ffff5c9cf4d in JSC::LLInt::llint_slow_path_put_by_id (callFrame=0x7fffffffc7e0, pc=0x7ffff19f7530) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:918
#22 0x00007ffff4a3f6e2 in llint_op_put_by_id () at /media/Store/Project/js-engines/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:97
#23 0x0000000000000000 in ?? ()
```
Mark Lam
Comment 1
2021-06-24 20:47:15 PDT
The test is deliberately allocating a large amount of memory, and then recursing infinitely, with each recurse repeating the same large memory allocation. This is just a simple out of memory exhaustion. Nothing to see here.
Mark Lam
Comment 2
2021-06-24 20:56:05 PDT
Looks like it is possible to convert the memory allocation into a try allocation and fail with an OOME. However, this code path is hot for performance. Changing this to use try allocation may introduce perf regressions. Hence, it may not be worth changing this just for the sake of throwing an OOME for this pathological code that does not manifest in real world usage.
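To make the numbers in the backtrace and the trade-off described in comment 2 concrete, here is a constructed C model added for this page; it is not JavaScriptCore code. It computes the butterfly size from the parameters frame #5 shows (preCapacity 0, propertyCapacity 4, an indexing header, 0x38000000 bytes of indexed payload, each slot 8 bytes), which reproduces the size=0x38000028 seen in frames #3 and #4, and then runs the allocation under a mode that aborts on failure, as the debug build on the page does, and under a try-allocation mode that hands NULL back to the caller so an out-of-memory error could be raised instead. The function names, the failure-mode enum and the 512 MiB budget are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not JSC code. Slot and header sizes are assumptions
 * chosen so the parameters in backtrace frame #5 add up to the size in
 * frame #3: each property slot and each indexed element is 8 bytes, and the
 * indexing header (public length + vector length) is another 8 bytes. */
#define SLOT_BYTES 8u
#define INDEXING_HEADER_BYTES 8u

enum failure_mode { FAIL_ASSERT, FAIL_RETURN_NULL };

/* Total bytes one butterfly needs: property slots in front of the indexing
 * header, the header itself, then the dense indexed payload. */
size_t butterfly_total_size(size_t pre_capacity, size_t property_capacity,
                            int has_indexing_header, size_t indexing_payload_bytes)
{
    size_t size = (pre_capacity + property_capacity) * SLOT_BYTES;
    if (has_indexing_header)
        size += INDEXING_HEADER_BYTES;
    return size + indexing_payload_bytes;
}

/* Toy heap with a fixed budget standing in for the process running out of
 * memory (constructed value: 512 MiB). */
static size_t g_budget_bytes = 512u * 1024u * 1024u;

/* Analogue of the slow allocation path: in FAIL_ASSERT mode a failure
 * terminates the process, in FAIL_RETURN_NULL mode the caller decides. */
void *allocate_slow(size_t size, enum failure_mode mode)
{
    if (size > g_budget_bytes) {
        if (mode == FAIL_ASSERT) {
            fprintf(stderr, "ASSERTION FAILED: result (size=%#zx)\n", size);
            abort();
        }
        return NULL;
    }
    g_budget_bytes -= size;
    return malloc(size);
}

/* Growing property storage for an array that already has a dense payload
 * means allocating a new butterfly big enough to carry the whole payload
 * along. Returns 0 on success, -1 when a try-allocation failed (the point at
 * which an engine would throw an out-of-memory error to the script). */
int grow_property_storage(size_t array_length, size_t new_property_capacity,
                          enum failure_mode mode, size_t *size_out)
{
    size_t payload = array_length * SLOT_BYTES;
    size_t size = butterfly_total_size(0, new_property_capacity, 1, payload);
    if (size_out)
        *size_out = size;
    void *storage = allocate_slow(size, mode);
    if (!storage)
        return -1;
    free(storage); /* the model only needs to know the allocation succeeded */
    return 0;
}

int main(void)
{
    size_t size;
    /* Array length from the testcase, property capacity from frame #6. */
    int rc = grow_property_storage(117440512u, 4, FAIL_RETURN_NULL, &size);
    printf("requested %#zx bytes -> %s\n", size,
           rc ? "allocation failed, OOM reported to caller" : "ok");
    return 0;
}
```

Run with the FAIL_ASSERT mode instead and the same request ends in abort(), which is the behaviour the assertion on the page reports; the try-allocation mode is what comment 2 weighs against the cost of adding a failure check on a hot path.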
Radar WebKit Bug Importer
Comment 3
2021-06-30 05:11:16 PDT
<rdar://problem/79961556>