WebKit Bugzilla
RESOLVED FIXED
274052
[JSC] Add JSString::resolveRopeWithoutGC and use it in GC end phase
https://bugs.webkit.org/show_bug.cgi?id=274052
qbtly
Reported
2024-05-12 04:22:13 PDT
Created
attachment 471376
[details]
original_poc

###### Webkit
af7bd70a44bb1e3adae77f36bcc34a47daeeb9a4

###### Build platform
Ubuntu 22.04.3

###### Build steps
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=0512 --cmakeargs="-DENABLE_STATIC_JSC=ON"

###### Test case
```
function main() {
    // Build 100 nested IIFEs; each sets its own displayName to a rope string
    // (a 0x100000-character run of 'a' concatenated with 'b'), and the innermost
    // returns an Error whose stack trace refers to those functions.
    error = (new Function(
        `return (function () { arguments.callee.displayName = 'a'.repeat(0x100000) + 'b'; `.repeat(100)
        + `return new Error();`
        + ` })();`.repeat(100)))();
    // Recurse without bound (apply with no arguments) so allocation continues until GC runs.
    main.apply();
}
main();
```

###### Execution steps
./jsc poc.js

###### Output
```
ASSERTION FAILED: isMarked(cell)
../../../Source/JavaScriptCore/heap/Heap.cpp(615) : void JSC::Heap::reportExtraMemoryAllocatedPossiblyFromAlreadyMarkedCell(const JSC::JSCell *, size_t)

Thread 1 "jsc" received signal SIGABRT, Aborted.
pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff5aa3859 in __GI_abort () at abort.c:79
#2  0x000000000042777a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:846
#3  0x00000000013804a0 in JSC::Heap::reportExtraMemoryAllocatedPossiblyFromAlreadyMarkedCell (this=this@entry=0x7fffa90000c8, cell=<optimized out>, cell@entry=0x7fffa94d94a0, size=<optimized out>, size@entry=1048577) at ../../../Source/JavaScriptCore/heap/Heap.cpp:615
#4  0x0000000001380828 in JSC::Heap::reportExtraMemoryAllocatedSlowCase (this=0x7fffa90000c8, deferralContext=0x0, cell=0x7fffa94d94a0, size=1048577) at ../../../Source/JavaScriptCore/heap/Heap.cpp:630
#5  0x0000000001c6a7da in JSC::Heap::reportExtraMemoryAllocated (this=0x7fffa90000c8, cell=0x7fffa94d94a0, size=1048577) at ../../../Source/JavaScriptCore/heap/HeapInlines.h:216
#6  JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::JSGlobalObject*) const::$_3>(JSC::JSGlobalObject*, JSC::JSRopeString::resolveRope(JSC::JSGlobalObject*) const::$_3&&) const (this=0x7fffa94d94a0, nullOrGlobalObjectForOOM=<optimized out>, function=...) at ../../../Source/JavaScriptCore/runtime/JSString.cpp:249
#7  JSC::JSRopeString::resolveRope (this=0x7fffa94d94a0, nullOrGlobalObjectForOOM=<optimized out>) at ../../../Source/JavaScriptCore/runtime/JSString.cpp:270
#8  0x0000000001b18fa2 in JSC::JSString::tryGetValue (this=0x7fffa94d94a0, allocationAllowed=true) at ../../../Source/JavaScriptCore/runtime/JSString.h:889
#9  JSC::getCalculatedDisplayName (vm=..., object=object@entry=0x7fffa947b440) at ../../../Source/JavaScriptCore/runtime/JSFunction.cpp:496
#10 0x0000000001eab3ff in JSC::StackFrame::functionName (this=<optimized out>, this@entry=0x7fffa95409b0, vm=...) at ../../../Source/JavaScriptCore/runtime/StackFrame.cpp:125
#11 0x0000000001eab881 in JSC::StackFrame::toString (this=0x7fffa95409b0, vm=...) at ../../../Source/JavaScriptCore/runtime/StackFrame.cpp:154
#12 0x00000000014d3067 in JSC::Interpreter::stackTraceAsString (vm=..., stackTrace=...) at ../../../Source/JavaScriptCore/interpreter/Interpreter.cpp:548
#13 0x00000000019b67ef in JSC::ErrorInstance::computeErrorInfo (this=0x7fffeb0384d8, vm=...) at ../../../Source/JavaScriptCore/runtime/ErrorInstance.cpp:266
#14 0x0000000001383588 in JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}::operator()(JSC::HeapCell*, JSC::HeapCell::Kind) const (this=<optimized out>, cell=0x2, cell@entry=0x7fffa9000000) at ../../../Source/JavaScriptCore/heap/Heap.cpp:712
#15 JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&)::{lambda(JSC::PreciseAllocation*)#1}::operator()(JSC::PreciseAllocation*) const (this=<optimized out>, allocation=0x7fffeb038468) at ../../../Source/JavaScriptCore/heap/SubspaceInlines.h:84
#16 JSC::Subspace::forEachPreciseAllocation<JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&)::{lambda(JSC::PreciseAllocation*)#1}>(JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&)::{lambda(JSC::PreciseAllocation*)#1} const&) (this=<optimized out>, func=...) at ../../../Source/JavaScriptCore/heap/SubspaceInlines.h:66
#17 JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&) (this=<optimized out>, func=...) at ../../../Source/JavaScriptCore/heap/SubspaceInlines.h:81
#18 JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace> (this=0x7fffa90000c8, cellSet=..., collectionScope=<optimized out>) at ../../../Source/JavaScriptCore/heap/Heap.cpp:710
#19 JSC::Heap::finalizeUnconditionalFinalizers (this=this@entry=0x7fffa90000c8) at ../../../Source/JavaScriptCore/heap/Heap.cpp:752
#20 0x000000000138e6aa in JSC::Heap::runEndPhase (this=<optimized out>, this@entry=0x7fffa90000c8, conn=JSC::GCConductor::Mutator) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1667
#21 0x000000000138b308 in JSC::Heap::runCurrentPhase (this=this@entry=0x7fffa90000c8, conn=conn@entry=JSC::GCConductor::Mutator, currentThreadState=currentThreadState@entry=0x7fffffffcb00) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1372
#22 0x00000000013d0edd in JSC::Heap::collectInMutatorThread()::$_0::operator()(JSC::CurrentThreadState&) const (this=<optimized out>, state=...) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1993
#23 WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&) (argument=<optimized out>, arguments=...) at WTF/Headers/wtf/ScopedLambda.h:106
#24 0x0000000001418149 in WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(JSC::CurrentThreadState&) const (this=0x7fffffffcb68, arguments=...) at WTF/Headers/wtf/ScopedLambda.h:58
#25 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&) (lambda=...) at ../../../Source/JavaScriptCore/heap/MachineStackMarker.cpp:227
#26 0x0000000001393977 in JSC::Heap::collectInMutatorThread (this=this@entry=0x7fffa90000c8) at ../../../Source/JavaScriptCore/heap/Heap.cpp:2005
#27 0x0000000001393724 in JSC::Heap::stopIfNecessarySlow (this=this@entry=0x7fffa90000c8, oldState=5) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1974
#28 0x00000000013935be in JSC::Heap::stopIfNecessarySlow (this=0x7fffa90000c8) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1946
#29 0x000000000043646d in JSC::JSString::create (vm=..., value=...) at ../../../Source/JavaScriptCore/runtime/JSString.h:194
#30 0x0000000000ca14a9 in JSC::jsString (vm=..., s=...) at ../../../Source/JavaScriptCore/runtime/JSString.h:927
#31 JSC::jsString (vm=..., s=...) at ../../../Source/JavaScriptCore/runtime/JSString.h:965
#32 0x00000000018a870e in JSC::repeatCharacter<unsigned char> (globalObject=globalObject@entry=0x7fffa941a088, character=97 'a', repeatCount=repeatCount@entry=1048576) at ../../../Source/JavaScriptCore/runtime/JSStringInlines.h:107
#33 0x0000000001ec83c1 in JSC::stringProtoFuncRepeatCharacter (globalObject=0x7fffa941a088, callFrame=0x7fffffffce10) at ../../../Source/JavaScriptCore/runtime/StringPrototype.cpp:867
#34 0x00007fffaac216a6 in ?? ()
#35 0x00007fffffffcea0 in ?? ()
#36 0x0000000002533bee in llint_op_call ()
#37 0x0000000000000000 in ?? ()
```
Attachments
original_poc (476 bytes, text/javascript), 2024-05-12 04:22 PDT, qbtly, no flags
Radar WebKit Bug Importer
Comment 1
2024-05-13 10:10:36 PDT
<rdar://problem/128009982>
Yusuke Suzuki
Comment 2
2024-06-20 17:16:41 PDT
Yeah, this does not actually become a problem since it just increments the external memory count (not actually allocating GC memory). So, handling as a normal crash issue on debug.
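As an added illustration that is neither the reporter's nor WebKit's code, this simplified C++ model (the `Heap`, `Rope` and function names are assumptions, not JSC's real API) shows the shape of the fix named in the title: the same rope flattening behind two entry points, one that reports the materialised buffer to the heap for mutator callers, and one with no heap accounting for use from the GC end phase, where the report trips the `isMarked(cell)` assertion seen in the backtrace.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Model of the heap's external-memory accounting (assumption: not JSC's real Heap).
struct Heap {
    bool inEndPhase = false;    // true while finalizers run in Heap::runEndPhase
    size_t extraMemory = 0;     // the external-memory counter the report bumps
    int assertionFailures = 0;  // stands in for the debug ASSERTION FAILED
    // Reporting from the end phase is what trips isMarked(cell) in the report above;
    // the model records the violation instead of aborting.
    void reportExtraMemoryAllocated(size_t bytes) {
        if (inEndPhase) { ++assertionFailures; return; }
        extraMemory += bytes;
    }
};

// A rope: a leaf holding text, or a lazy concatenation of two child ropes.
struct Rope { std::string text; std::shared_ptr<Rope> left, right; };
std::shared_ptr<Rope> makeLeaf(std::string s) {
    auto r = std::make_shared<Rope>(); r->text = std::move(s); return r;
}
std::shared_ptr<Rope> concat(std::shared_ptr<Rope> a, std::shared_ptr<Rope> b) {
    auto r = std::make_shared<Rope>(); r->left = std::move(a); r->right = std::move(b); return r;
}

// Flatten left-to-right with an explicit stack, so deep ropes cannot overflow the C++ stack.
std::string flatten(const std::shared_ptr<Rope>& root) {
    std::string out;
    std::vector<const Rope*> stack{root.get()};
    while (!stack.empty()) {
        const Rope* n = stack.back(); stack.pop_back();
        if (!n->left) { out += n->text; continue; }
        stack.push_back(n->right.get());  // right first so left is emitted first
        stack.push_back(n->left.get());
    }
    return out;
}

// Mutator-side resolve: materialise the buffer and report it to the heap.
std::string resolveRope(Heap& heap, const std::shared_ptr<Rope>& r) {
    std::string s = flatten(r);
    heap.reportExtraMemoryAllocated(s.size());
    return s;
}
// End-phase resolve: identical flattening, no heap report, so a finalizer can call it.
std::string resolveRopeWithoutGC(const std::shared_ptr<Rope>& r) { return flatten(r); }
```

The model only counts the violation; in a JSC debug build the equivalent report aborts, which is why a finalizer that needs a function's resolved displayName must take the non-reporting path.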
Yusuke Suzuki
Comment 3
2024-06-20 17:25:23 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/30028
EWS
Comment 4
2024-06-20 23:32:27 PDT
Committed 280239@main (68768cee2adf): <https://commits.webkit.org/280239@main>
Reviewed commits have been landed. Closing PR #30028 and removing active labels.