Bug 257312 (Status: NEW)
Memory crash error. jsc shell execution of a specific js statement causes an abnormal memory crash.
https://bugs.webkit.org/show_bug.cgi?id=257312
tim steven
Reported 2023-05-25 00:49:32 PDT
jsc lacks a memory-request check and interrupt mechanism for specific statements, which lets attackers design js statements that trigger jsc shell crashes and program deadlocks. The trigger code is as follows:

    // Outer driver loop; v0 is both the loop counter and the search pattern
    // passed to String.prototype.replace below.
    for (let v0 = 0; v0 < 100; v0++) {
      // v1 holds JavaScript source text, not code. The escaped backticks (\`)
      // delimit template literals nested inside that source.
      const v1 = `
        const v3 = new Uint8ClampedArray();
        v3.__proto__;
        const o6 = { "maxByteLength": 12515763, };
        function f7(a8, a9) {
          with (v1) { }
          const v10 = \`
            115120.85238135792;
            v10.replace(v0, EvalError);
          \`;
          const v16 = eval(v10).toLocaleLowerCase();
          try { eval(v16); } catch(e18) { }
          return v1;
        }
        const v19 = \`
          function f20(a21, a22) {
            class C23 {
              constructor(a25, a26, a27, a28) { }
              getInt32(a30, ...a31) { }
            }
            return v19;
          }
          v19.replace(v0, v19);
        \`;
        const v35 = eval(v19).toLocaleLowerCase();
        try { eval(v35); } catch(e37) { }
        // Completion value of the eval'd source: v1 with the first occurrence
        // of String(v0), if any, replaced by the whole of v1, i.e. the source
        // text embedded in itself.
        v1.replace(v0, v1);
      `;
      // Direct eval, so the source in v1 sees the loop's v0 and v1 bindings.
      // Lower-casing mangles identifiers (Uint8ClampedArray, EvalError, ...),
      // so the second eval is expected to throw; the catch swallows it.
      const v41 = eval(v1).toLocaleLowerCase();
      try {
        const v42 = eval(v41);
        // Reflect.deleteProperty on a primitive throws a TypeError (swallowed).
        Reflect.deleteProperty(Object.freeze(v0), v0);
        Object.freeze(v42);
      } catch(e49) { }
      for (let v50 = 0; v50 < 100; v50++) { }
      try {
        // ~10 MB buffer, then a view whose byteOffset equals the buffer length
        // and is not a multiple of 8, so the constructor throws a RangeError
        // that is also swallowed.
        const v53 = new ArrayBuffer(10567071);
        const v55 = new Float64Array(v53, 10567071);
      } catch(e56) { }
    }

shell ARGS:

    Debug/bin/jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --reprl
Alexey Proskuryakov
Comment 1 2023-05-25 16:53:48 PDT
I tried running this with a macOS ASan build, and just got "undefined", no crash or timeout.
Radar WebKit Bug Importer
Comment 2 2023-05-25 18:23:01 PDT
Mark Lam
Comment 3 2023-05-25 18:26:14 PDT
hi 824870754, can you indicate:
1. which commit of WebKit you built your jsc with that reproduced this issue?
2. how did you build it?
3. what platform is it targeting / running on?
4. what CPU?
tim steven
Comment 4 2023-05-26 06:07:43 PDT
(In reply to Mark Lam from comment #3)
> hi 824870754, can you indicate:
> 1. which commit of WebKit you built your jsc with that reproduced this issue?
> 2. how did you build it?
> 3. what platform is it targeting / running on?
> 4. what CPU?

hi Lam,
Sorry for not giving enough information before.
1. the commit of webkit is https://github.com/WebKit/WebKit/tree/webkitgtk-2.39.3/Source/JavaScriptCore
2. ./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt
3. A Linux server, on which we built and executed some tests.
4. Intel(R) Xeon(R) Gold 6226R CPU
tim steven
Comment 5 2023-05-26 06:13:53 PDT
(In reply to Alexey Proskuryakov from comment #1)
> I tried running this with a macOS ASan build, and just got "undefined", no crash or timeout.

Sorry you were unable to reproduce my crashes; I'll give as much information as I can.
1. the commit of webkit is https://github.com/WebKit/WebKit/tree/webkitgtk-2.39.3/Source/JavaScriptCore
2. we build jsc like this:
   ./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt
3. our platform: a Linux server, on which we built and executed some tests.
4. our cpu: Intel(R) Xeon(R) Gold 6226R CPU
When we let jsc execute the above code under this configuration, the following crash error occurs:
   [COV] no shared memory bitmap available, skipping
   [COV] edge counters initialized. Shared memory: (null) with 800697 edges
   "write(REPRL_CWFD, helo, 4) == 4" failed
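An added triage helper for the reproduction question in comments 1 through 5 (editorial example; not code from the reporter, the bug report, or the WebKit project). The `--reprl` flag in the reported shell arguments selects the Fuzzilli REPRL protocol, in which a Fuzzilli parent process supplies the control pipes; started by hand there is no parent, the handshake write fails, and the shell exits with a message of the form `"write(REPRL_CWFD, helo, 4) == 4" failed`, which is a harness exit rather than a memory fault. The `[COV]` lines come from the `-fsanitize-coverage=trace-pc-guard` instrumentation in the build command. The script below runs a PoC without and then with `--reprl` under GNU `timeout` and classifies the exit status, so a SIGSEGV can be told apart from an assertion abort, a hang, or an uncaught JavaScript exception. The jsc path, PoC path and 30-second default budget are assumptions taken from the command line; exit-status conventions are POSIX (128 + signal number) and GNU timeout's 124.

```shell
#!/bin/sh
# Editorial triage helper for jsc fuzzer PoCs (not part of bug 257312 or WebKit).
# Usage: ./triage.sh /path/to/Debug/bin/jsc poc.js [seconds]
# Assumes GNU coreutils `timeout` (present on the Linux build described above).

# Map an exit status onto a short verdict.
# POSIX shells report death-by-signal as 128 + signal number; GNU timeout
# returns 124 when it had to kill the child.
classify_exit() {
  case "$1" in
    0)   echo "clean" ;;     # script ran to completion
    124) echo "timeout" ;;   # hang/deadlock candidate, not a memory crash
    134) echo "sigabrt" ;;   # 128+6: abort(), typically an assertion failure
    139) echo "sigsegv" ;;   # 128+11: candidate memory-safety crash
    *)
      if [ "$1" -gt 128 ] && [ "$1" -lt 192 ]; then
        # Other fatal signal (e.g. 132 = SIGILL, 133 = SIGTRAP): read the
        # stack before calling it memory corruption; deliberate traps land here.
        echo "signal $(($1 - 128))"
      else
        # Ordinary non-zero exit: an uncaught JS exception, a bad option, or a
        # harness check such as the failed REPRL handshake quoted above.
        echo "exit $1"
      fi
      ;;
  esac
}

# Run one PoC twice: plain, and with --reprl (the Fuzzilli protocol flag from
# the reported shell args). Without a Fuzzilli parent the --reprl run is
# expected to fail its handshake, so only the plain run says anything about
# the engine itself.
run_poc() {
  jsc_bin="$1"; poc="$2"; secs="${3:-30}"
  if [ ! -x "$jsc_bin" ] || [ ! -f "$poc" ]; then
    echo "usage: $0 /path/to/jsc poc.js [seconds]" >&2
    return 2
  fi
  for mode in plain reprl; do
    if [ "$mode" = reprl ]; then flag="--reprl"; else flag=""; fi
    # $flag is intentionally unquoted so an empty value adds no argument.
    if timeout "$secs" "$jsc_bin" $flag "$poc" >/dev/null 2>&1; then
      status=0
    else
      status=$?
    fi
    echo "$mode: status $status -> $(classify_exit "$status")"
  done
}

# Only run when invoked with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
  run_poc "$@"
fi
```

Point it at the PoC from the report saved as a file; a `sigsegv` or `sigabrt` verdict on the plain run is worth a backtrace under a debugger or an ASan build, while an `exit` verdict on the `--reprl` run alone indicates the harness, not the engine.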
Mark Lam
Comment 6 2023-05-26 06:25:47 PDT
By commit of WebKit, I meant the git hash of the WebKit repo. Instead of testing with a gtk release, please checkout the latest code from the WebKit repo and test against that. See https://webkit.org/contributing-code/ for details on accessing the repo. Also, my understanding is that https://github.com/WebKit/WebKit/tree/webkitgtk-2.39.3 is very old code.
tim steven
Comment 7 2023-05-26 06:33:43 PDT
(In reply to Mark Lam from comment #6)
> By commit of WebKit, I meant the git hash of the WebKit repo. Instead of testing with a gtk release, please checkout the latest code from the WebKit repo and test against that. See https://webkit.org/contributing-code/ for details on accessing the repo.
>
> Also, my understanding is that https://github.com/WebKit/WebKit/tree/webkitgtk-2.39.3 is very old code.

thank you. we will checkout the latest webkit repo.