WebKit Bugzilla
RESOLVED WONTFIX
275555
SIGSEGV in JSC in pas_versioned_field_try_write_watched
https://bugs.webkit.org/show_bug.cgi?id=275555
qbtly
Reported
2024-06-16 20:14:46 PDT
###### Webkit
bdeb299b2cfd06e6f513ef7b4da4658268ff2a16

###### Build platform
Ubuntu 22.04.3

###### Build steps
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=0617 --cmakeargs="-DENABLE_STATIC_JSC=ON"

###### Test case
```js
for (let i = 0; i < 100000; i++) {
    const str = new String('a');
    str[0].padEnd(i, 'P');
}
```

###### Execution steps
./jsc poc.js

###### Output
Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
0x0000555558cf94fa in pas_versioned_field_try_write_watched (expected_value=..., new_value=<optimized out>, field=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_versioned_field.c:74
74          if (new_value > expected_value.value)
(gdb) bt
#0  0x0000555558cf94fa in pas_versioned_field_try_write_watched (expected_value=..., new_value=<optimized out>, field=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_versioned_field.c:74
#1  pas_versioned_field_maximize_watched (field=field@entry=0x7fffed911240, expected_value=..., new_value=new_value@entry=1) at /JSC/Source/bmalloc/libpas/src/libpas/pas_versioned_field.c:75
#2  0x0000555558c80e70 in pas_bitfit_directory_get_first_free_view (directory=0x7fffed911230, start_index=<optimized out>, size=28672, page_config=page_config@entry=0x555558d4ade8 <bmalloc_heap_config+824>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_bitfit_directory.c:141
#3  0x0000555558c84839 in pas_bitfit_size_class_get_first_free_view (size_class=0x7fffeed2c890, page_config=0x555558d4ade8 <bmalloc_heap_config+824>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_bitfit_size_class.c:97
#4  0x0000555558c6b5bf in pas_bitfit_allocator_try_allocate (allocator=0x7fffa91006d8, local_allocator=0x7fffa91006a0, size=20480, alignment=1, config=..., allocation_mode=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_bitfit_allocator_inlines.h:97
#5  bmalloc_marge_bitfit_page_config_specialized_allocator_try_allocate (allocator=0x7fffa91006d8, local_allocator=0x7fffa91006a0, size=<optimized out>, alignment=1, allocation_mode=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap_config.c:43
#6  pas_local_allocator_try_allocate_out_of_line_cases (allocator=0x7fffa91006a0, size=<optimized out>, alignment=1, allocation_mode=<optimized out>, config=...) at /JSC/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h:1672
#7  pas_local_allocator_try_allocate_slow_impl (config=..., allocator=<optimized out>, size=<optimized out>, alignment=<optimized out>, allocation_mode=<optimized out>, counts=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h:1703
#8  pas_local_allocator_try_allocate_slow (config=..., allocator=<optimized out>, size=<optimized out>, alignment=<optimized out>, allocation_mode=<optimized out>, counts=<optimized out>, result_filter=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h:1750
#9  bmalloc_heap_config_specialized_local_allocator_try_allocate_slow (allocator=0x7fffa91006a0, size=<optimized out>, alignment=1, allocation_mode=<optimized out>, counts=<optimized out>, result_filter=0x555558c50890 <pas_allocation_result_identity(pas_allocation_result)>) at /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap_config.c:43
#10 0x0000555558c4fb54 in pas_local_allocator_try_allocate (size=18625, alignment=1, allocation_mode=pas_compact_allocation_mode, config=..., allocator=<optimized out>, counts=<optimized out>, result_filter=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h:1856
#11 pas_try_allocate_common_impl_fast (config=..., size=18625, alignment=1, allocation_mode=pas_compact_allocation_mode, allocator_counts=<optimized out>, result_filter=<optimized out>, allocator=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_try_allocate_common.h:89
#12 bmalloc_try_allocate_impl_impl_fast (size=18625, alignment=1, allocation_mode=pas_compact_allocation_mode, allocator=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:47
#13 pas_try_allocate_intrinsic_impl_casual_case (alignment=1, config=..., designation_mode=pas_intrinsic_heap_is_designated, heap=<optimized out>, size=<optimized out>, allocation_mode=<optimized out>, intrinsic_support=<optimized out>, try_allocate_common_fast=<optimized out>, try_allocate_common_slow=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_try_allocate_intrinsic.h:168
#14 bmalloc_try_allocate_impl_casual_case (size=18625, alignment=1, allocation_mode=pas_compact_allocation_mode) at /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:47
#15 0x0000555558c4f7c1 in bmalloc_try_allocate_casual (size=58685488, allocation_mode=pas_compact_allocation_mode) at /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap.c:59
#16 0x0000555558b7e42a in bmalloc_try_allocate_inline (size=18625, allocation_mode=pas_compact_allocation_mode) at /JSC/0617/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:98
#17 bmalloc::api::tryMalloc (size=18625, mode=bmalloc::CompactAllocationMode::Compact, kind=bmalloc::HeapKind::Primary) at /JSC/0617/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc.h:62
#18 WTF::tryFastCompactMalloc (size=size@entry=18625) at /JSC/Source/WTF/wtf/FastMalloc.cpp:793
#19 0x0000555557be64c6 in WTF::FastCompactMalloc::tryMalloc (size=0) at /JSC/0617/JSCOnly/Debug/WTF/Headers/wtf/FastMalloc.h:280
#20 WTF::StringImpl::tryCreateUninitialized<unsigned char> (length=18605, output=<optimized out>) at /JSC/0617/JSCOnly/Debug/WTF/Headers/wtf/text/StringImpl.h:1058
#21 JSC::repeatCharacter<unsigned char> (globalObject=0x7fffaa41a088, character=80 'P', repeatCount=18605) at /JSC/Source/JavaScriptCore/runtime/JSStringInlines.h:99
#22 0x0000555558312643 in JSC::stringProtoFuncRepeatCharacter (globalObject=0x7fffaa41a088, callFrame=<optimized out>) at /JSC/Source/JavaScriptCore/runtime/StringPrototype.cpp:866
#23 0x00007fffab142898 in ?? ()
#24 0x00007fffffffdbd0 in ?? ()
#25 0x00007fffab1428bf in ?? ()
#26 0x0000000000000000 in ?? ()
Alexey Proskuryakov
Comment 1
2024-06-17 13:06:00 PDT
I wasn't able to reproduce this on, including with a recent debug build (280041@main).
Alexey Proskuryakov
Comment 2
2024-06-17 13:06:14 PDT
wasn't able to reproduce this on *macOS*
qbtly
Comment 3
2024-06-17 19:16:39 PDT
Output when building with ASAN:

Direct leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7f54fd1be91f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55fdecfa9594 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /JSC/Source/bmalloc/bmalloc/DebugHeap.cpp:118
#2 0x55fdecfa9e2b in pas_debug_heap_malloc /JSC/Source/bmalloc/bmalloc/DebugHeap.cpp:223
#3 0x55fdecfcbd2a in pas_debug_heap_allocate /JSC/Source/bmalloc/libpas/src/libpas/pas_debug_heap.h:106
#4 0x55fdecfcc67f in pas_try_allocate_intrinsic_impl_casual_case /JSC/Source/bmalloc/libpas/src/libpas/pas_try_allocate_intrinsic.h:105
#5 0x55fdecfcce63 in bmalloc_allocate_impl_casual_case /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69
#6 0x55fdecfcd34e in bmalloc_allocate_casual /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap.c:64
#7 0x55fdece3cef5 in bmalloc_allocate_inline /JSC/asan/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:120
#8 0x55fdece401e3 in bmalloc::api::malloc(unsigned long, bmalloc::CompactAllocationMode, bmalloc::HeapKind) /JSC/asan/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc.h:75
#9 0x55fdece401e3 in WTF::fastCompactMalloc(unsigned long) /JSC/Source/WTF/wtf/FastMalloc.cpp:709
#10 0x55fdecf38eea in WTF::StringImpl::operator new(unsigned long) /JSC/Source/WTF/wtf/text/StringImpl.h:186
#11 0x55fdecf4c33b in WTF::StringImpl::createWithoutCopyingNonEmpty(std::span<unsigned char const, 18446744073709551615ul>) /JSC/Source/WTF/wtf/text/StringImpl.cpp:169
#12 0x55fde7e4524d in WTF::StringImpl::createWithoutCopying(std::span<unsigned char const, 18446744073709551615ul>) /JSC/asan/JSCOnly/Debug/WTF/Headers/wtf/text/StringImpl.h:270
#13 0x55fdecf36cda in WTF::BufferFromStaticDataTranslator<unsigned char>::translate(WTF::Packed<WTF::StringImpl*>&, WTF::HashTranslatorCharBuffer<unsigned char> const&, unsigned int) /JSC/Source/WTF/wtf/text/AtomStringImpl.cpp:280
#14 0x55fdecf35231 in void WTF::HashSetTranslatorAdapter<WTF::BufferFromStaticDataTranslator<unsigned char> >::translate<WTF::Packed<WTF::StringImpl*>, WTF::HashTranslatorCharBuffer<unsigned char> >(WTF::Packed<WTF::StringImpl*>&, WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&, unsigned int) /JSC/Source/WTF/wtf/HashSet.h:216
#15 0x55fdecf32472 in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >, WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > > > WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::addPassingHashCode<WTF::HashSetTranslatorAdapter<WTF::BufferFromStaticDataTranslator<unsigned char> >, WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&>(WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&) /JSC/Source/WTF/wtf/HashTable.h:979
#16 0x55fdecf2f6df in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >, WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > > > WTF::HashSet<WTF::Packed<WTF::StringImpl*>, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTableTraits>::add<WTF::BufferFromStaticDataTranslator<unsigned char>, WTF::HashTranslatorCharBuffer<unsigned char> >(WTF::HashTranslatorCharBuffer<unsigned char> const&) /JSC/Source/WTF/wtf/HashSet.h:333
#17 0x55fdecf2dd9c in addToStringTable<WTF::HashTranslatorCharBuffer<unsigned char>, WTF::BufferFromStaticDataTranslator<unsigned char> > /JSC/Source/WTF/wtf/text/AtomStringImpl.cpp:75
#18 0x55fdecf2d746 in addToStringTable<WTF::HashTranslatorCharBuffer<unsigned char>, WTF::BufferFromStaticDataTranslator<unsigned char> > /JSC/Source/WTF/wtf/text/AtomStringImpl.cpp:88
#19 0x55fdecf2ab86 in WTF::AtomStringImpl::addLiteral(std::span<unsigned char const, 18446744073709551615ul>) /JSC/Source/WTF/wtf/text/AtomStringImpl.cpp:316
#20 0x55fde7e47508 in WTF::AtomStringImpl::add(WTF::ASCIILiteral) /JSC/asan/JSCOnly/Debug/WTF/Headers/wtf/text/AtomStringImpl.h:111
#21 0x55fde7e7ba43 in JSC::Identifier::add(JSC::VM&, WTF::ASCIILiteral) /JSC/Source/JavaScriptCore/runtime/Identifier.h:222
#22 0x55fde7e7b4f1 in JSC::Identifier::Identifier(JSC::VM&, WTF::ASCIILiteral) /JSC/Source/JavaScriptCore/runtime/Identifier.h:162
#23 0x55fde7e90ae6 in JSC::Identifier::fromString(JSC::VM&, WTF::ASCIILiteral) /JSC/Source/JavaScriptCore/runtime/IdentifierInlines.h:85
#24 0x55fdebd51128 in JSC::StringPrototype::finishCreation(JSC::VM&, JSC::JSGlobalObject*) /JSC/Source/JavaScriptCore/runtime/StringPrototype.cpp:144
#25 0x55fdebd537d0 in JSC::StringPrototype::create(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*) /JSC/Source/JavaScriptCore/runtime/StringPrototype.cpp:182
#26 0x55fdeb7aba40 in JSC::JSGlobalObject::init(JSC::VM&) /JSC/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:1132
#27 0x55fdeb7c80d7 in JSC::JSGlobalObject::finishCreation(JSC::VM&) /JSC/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:3268
#28 0x55fde7ea3432 in GlobalObject::finishCreation(JSC::VM&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) /JSC/Source/JavaScriptCore/jsc.cpp:624
#29 0x55fde7ea171f in GlobalObject::create(JSC::VM&, JSC::Structure*, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) /JSC/Source/JavaScriptCore/jsc.cpp:550
#30 0x55fde7f264e3 in runJSC<jscmain(int, char**)::<lambda(JSC::VM&, GlobalObject*, bool&)> > /JSC/Source/JavaScriptCore/jsc.cpp:4204

SUMMARY: AddressSanitizer: 771 byte(s) leaked in 31 allocation(s).
Yusuke Suzuki
Comment 4
2024-06-17 19:23:17 PDT
(In reply to qbtly from comment #3)
This is different from the original issue, and this is a false positive since this cannot trace PackedPtr correctly.
qbtly
Comment 5
2024-06-17 20:08:41 PDT
The original issue seems to be that I compiled JSC using afl-clang-fast, and using other compilers will not cause this issue.
Radar WebKit Bug Importer
Comment 6
2024-06-23 20:15:14 PDT
<rdar://problem/130388067>
Yusuke Suzuki
Comment 7
2024-06-24 20:34:48 PDT
*** Bug 274712 has been marked as a duplicate of this bug. ***
Mark Lam
Comment 8
2024-07-17 12:47:28 PDT
afl-clang-fast is not currently supported. As a result, it is producing false positives. There is currently no plan to support it.