NEW 233029
crash in JSC::JSStringJoiner::append8Bit
https://bugs.webkit.org/show_bug.cgi?id=233029
zhunkibatu
Reported 2021-11-11 22:35:51 PST
Created attachment 444048 [details]
the minimal poc

The following PoC can crash jsc.

#####################################################################
function test() {
    let maxSize = 0x10000;
    var memory = new WebAssembly.Memory({ initial: 0x100 });
    memory.grow(maxSize - 0x100);
    var result = String(new Uint8Array(memory.buffer));
}
test();
######################################################################

#0  WTF::Vector<WTF::StringViewWithUnderlyingString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::uncheckedAppend<WTF::StringViewWithUnderlyingString> (value=..., this=0x7fffffffc5d8) at WTF/Headers/wtf/Vector.h:1391
#1  WTF::Vector<WTF::StringViewWithUnderlyingString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::uncheckedAppend (value=..., this=0x7fffffffc5d8) at WTF/Headers/wtf/Vector.h:782
#2  JSC::JSStringJoiner::append8Bit (string=..., this=0x7fffffffc5c0) at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:91
#3  JSC::JSStringJoiner::appendNumber (value=<optimized out>, vm=..., this=0x7fffffffc5c0) at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:165
#4  JSC::JSStringJoiner::appendWithoutSideEffects (value=..., globalObject=<optimized out>, this=0x7fffffffc5c0) at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:121
#5  JSC::JSStringJoiner::append (value=..., globalObject=<optimized out>, this=0x7fffffffc5c0) at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:154
#6  JSC::genericTypedArrayViewProtoFuncJoin<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> >(JSC::VM&, JSC::JSGlobalObject*, JSC::CallFrame*)::{lambda(WTF::StringView)#1}::operator()(WTF::StringView) const (this=this@entry=0x7fffffffc690, separator=...) at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:291
#7  0x00007ffff67456ab in JSC::genericTypedArrayViewProtoFuncJoin<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> > (callFrame=0x7fffffffc6f0, globalObject=<optimized out>, vm=...) at WTF/Headers/wtf/text/StringView.h:340
#8  JSC::typedArrayViewProtoFuncJoin (globalObject=<optimized out>, callFrame=0x7fffffffc6f0) at ../../Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp:301
#9  0x00007ffff21b78b9 in vmEntryToNative () at ../../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:536
#10 0x00007ffff514b9e0 in JSC::Interpreter::executeCall (this=<optimized out>, lexicalGlobalObject=lexicalGlobalObject@entry=0x7fffae9f9068, function=<optimized out>, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/NativeFunction.h:92
#11 0x00007ffff5da2e0a in JSC::call (globalObject=globalObject@entry=0x7fffae9f9068, functionObject=..., functionObject@entry=..., callData=..., thisValue=..., thisValue@entry=..., args=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1385
#12 0x00007ffff5d104c6 in JSC::arrayProtoFuncToString (globalObject=0x7fffae9f9068, callFrame=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:462
#13 0x00007ffff21b78b9 in vmEntryToNative () at ../../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:536
#14 0x00007ffff514b9e0 in JSC::Interpreter::executeCall (this=<optimized out>, lexicalGlobalObject=lexicalGlobalObject@entry=0x7fffae9f9068, function=<optimized out>, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/NativeFunction.h:92
#15 0x00007ffff5da2e0a in JSC::call (globalObject=globalObject@entry=0x7fffae9f9068, functionObject=..., functionObject@entry=..., callData=..., thisValue=..., thisValue@entry=..., args=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1385
#16 0x00007ffff6617216 in JSC::callToPrimitiveFunction<(JSC::CachedSpecialPropertyKey)1> (hint=JSC::PreferString, propertyName=..., object=<optimized out>, globalObject=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:462
#17 JSC::JSObject::ordinaryToPrimitive (this=<optimized out>, globalObject=<optimized out>, hint=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2326
#18 0x00007ffff662d27e in JSC::JSObject::toPrimitive (this=0x7fffef1c0c48, globalObject=globalObject@entry=0x7fffae9f9068, preferredType=preferredType@entry=JSC::PreferString) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2360
#19 0x00007ffff632c174 in JSC::JSValue::toStringSlowCase (this=this@entry=0x7fffffffcf98, globalObject=0x7fffae9f9068, returnEmptyStringOnError=returnEmptyStringOnError@entry=true) at ../../Source/JavaScriptCore/runtime/JSObject.h:1385
#20 0x00007ffff6be94de in JSC::JSValue::toString (globalObject=<optimized out>, this=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSString.h:1060
#21 JSC::stringConstructor (argument=..., globalObject=<optimized out>) at ../../Source/JavaScriptCore/runtime/StringConstructor.cpp:158
#22 JSC::callStringConstructor (callFrame=<optimized out>, globalObject=<optimized out>) at ../../Source/JavaScriptCore/runtime/StringConstructor.cpp:166
#23 JSC::callStringConstructor (globalObject=<optimized out>, callFrame=<optimized out>) at ../../Source/JavaScriptCore/runtime/StringConstructor.cpp:161
#24 0x00007fffaf0ff027 in ?? ()
#25 0x00007fffffffd070 in ?? ()
#26 0x00007ffff21d443c in js_trampoline_op_call () at ../../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:536
#27 0x0000000000000000 in ?? ()
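The report does not diagnose the cause; the trace only shows the joiner reaching an unchecked vector append while joining a Uint8Array whose backing memory is 0x10000 WebAssembly pages of 64 KiB each, i.e. 2^32 elements. The following C program is an added illustration, not code from the report or from WebKit, of the general defensive point such a trace raises: a reserve-then-uncheckedAppend pattern is only as safe as the element count it was sized from, and a count derived from a 4 GiB buffer must be validated at full width before it reaches a reservation. The toy buffer, its narrowing 32-bit `buf_reserve32`, and the `BUF_MAX_ELEMENTS` cap are hypothetical constructs for the example; whether any narrowing is involved in the real bug is an assumption here, not a finding from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* One WebAssembly page is 64 KiB; the PoC grows its memory to 0x10000 pages. */
#define WASM_PAGE_BYTES 65536ULL

uint64_t wasm_memory_bytes(uint32_t pages) {
    return (uint64_t)pages * WASM_PAGE_BYTES;
}

/* Toy growable buffer (hypothetical; stands in for a reserve-then-append container). */
typedef struct {
    uint8_t *data;
    size_t size;
    size_t capacity;
} Buf;

static void buf_init(Buf *b) { b->data = NULL; b->size = 0; b->capacity = 0; }
static void buf_free(Buf *b) { free(b->data); buf_init(b); }

/* Reservation that takes a 32-bit count (hypothetical narrowing interface):
 * a 64-bit count of 1 << 32 arrives here as 0, so nothing is reserved. */
static bool buf_reserve32(Buf *b, uint32_t count) {
    if (count <= b->capacity)
        return true;
    uint8_t *p = realloc(b->data, count);
    if (!p)
        return false;
    b->data = p;
    b->capacity = count;
    return true;
}

/* Unchecked append trusts the earlier reservation. Instead of writing past the
 * buffer (or tripping a capacity assertion) it reports the violation. */
static bool buf_unchecked_append(Buf *b, uint8_t x) {
    if (b->size >= b->capacity)
        return false;
    b->data[b->size++] = x;
    return true;
}

/* Checked reservation: bound the full-width count before any narrowing. */
#define BUF_MAX_ELEMENTS ((uint64_t)1 << 24) /* example cap chosen for this illustration */
static bool buf_reserve_checked(Buf *b, uint64_t count) {
    if (count > BUF_MAX_ELEMENTS)
        return false;
    return buf_reserve32(b, (uint32_t)count); /* safe: count < 2^32 here */
}

/* Join over `count` elements using the narrowing reservation. Returns how many
 * elements were appended before the unchecked path failed; `elements_to_try`
 * keeps the simulation small. */
uint64_t join_unchecked(uint64_t count, uint64_t elements_to_try) {
    Buf b;
    buf_init(&b);
    buf_reserve32(&b, (uint32_t)count); /* the narrowing happens at this call */
    uint64_t appended = 0;
    for (uint64_t i = 0; i < elements_to_try && i < count; i++) {
        if (!buf_unchecked_append(&b, (uint8_t)i))
            break;
        appended++;
    }
    buf_free(&b);
    return appended;
}

/* Same join with the count validated first: -1 if rejected, else elements appended. */
int64_t join_checked(uint64_t count, uint64_t elements_to_try) {
    Buf b;
    buf_init(&b);
    if (!buf_reserve_checked(&b, count))
        return -1;
    int64_t appended = 0;
    for (uint64_t i = 0; i < elements_to_try && i < count; i++) {
        if (!buf_unchecked_append(&b, (uint8_t)i))
            break;
        appended++;
    }
    buf_free(&b);
    return appended;
}
```

With the PoC's element count (1 << 32) the narrowing path reserves nothing and the first unchecked append already fails, while the checked path rejects the count up front and the small counts a join normally sees go through unchanged.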
Attachments
the minimal poc (198 bytes, text/javascript)
2021-11-11 22:35 PST, zhunkibatu
Alexey Proskuryakov
Comment 1 2021-11-12 16:18:41 PST
I cannot reproduce this in jsc CLI with a recent-ish build. Perhaps already fixed?
Radar WebKit Bug Importer
Comment 2 2021-11-18 22:36:20 PST
zhunkibatu
Comment 3 2021-11-19 00:46:36 PST
I can still reproduce it in the latest build.