RESOLVED FIXED285800
[JSC] Gracefully handle stack overflow error from JS parser in class initializer syntax
https://bugs.webkit.org/show_bug.cgi?id=285800
Summary [JSC] Gracefully handle stack overflow error from JS parser in class initializer syntax
rhezashan
Reported 2025-01-11 03:06:06 PST
The following testcase triggers an assertion failure in debug builds of WebKit built from current HEAD and the safari-7620-branch; it was tested on both the WebKit Linux release build and the WebKit macOS debug build. ``` function f0() { const v3 = new BigUint64Array(54); v3.byteLength <<= f0; for (const v4 of v3) { for (let i7 = 0, i8 = 10; i7 < i8; i7++, i8--) { try { f0(v4); } catch (e) {} } } const v21 = new Int8Array(1000); try { v21.values(); } catch (e) {} class C23 { g; static get h() { ~BigUint64Array; for (let v26 = 0; v26 < 32; v26++) { v21["p" + v26] = v26; } return this; } 0; static 429 = 1000; static #d = 1000; 536870887; 536870912 = Int8Array; } const v30 = new Array(65535); function* f31() { let v32 = 10; const o38 = { next() { v32--; const v36 = v32 == 0; const o37 = { "done": v36, "value": v32, }; return o37; }, }; } const v43 = new Int8Array(1000); v43.valueOf = 1793796166; try { v43.values(); } catch (e) {} class C45 { g; static get h() { ~BigUint64Array; for (let v48 = 0; v48 < 32; v48++) { v43["p" + v48] = v48; } return this; } 0; static 429 = 1000; static #d = 1000; 536870887; 536870912 = Int8Array; } const v51 = new C45(); [v51,Date]; const v56 = f31.constructor.apply(null, v30); v56(); v56(); const v61 = new Int8Array(54); v61.valueOf = 1793796166; try { v61.values(); } catch (e) {} } const v66 = new Int8Array(1000); try { v66.values(); } catch (e) {} class C68 { g; static get h() { ~BigUint64Array; for (let v71 = 0; v71 < 32; v71++) { v66["p" + v71] = v71; } return this; } 0; static 429 = 1000; static #d = 1000; 536870887; 536870912 = Int8Array; } new C68(); f0(); const v77 = "p" + 1000; const v80 = new Int8Array(1000); let v81; try { v81 = v80.values(); } catch (e) {} for (let i84 = 0, i85 = 10; i84 < i85; i84++, i85--) { try { v81(v77); } catch (e) {} } ``` Run it with `./jsc --useConcurrentJIT=false --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 ~/poc.js`. Here is part of the backtrace: ``` jsc(24108,0x1f2bc0240) malloc: nano zone abandoned due 
to inability to reserve vm space. ASSERTION FAILED: !hasError() /Users/rheza/webkit_safari_branch/Source/JavaScriptCore/parser/Parser.cpp(3376) : typename TreeBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char>>::parseClassFieldInitializerSourceElements(TreeBuilder &, const FixedVector<UnlinkedFunctionExecutable::ClassElementDefinition> &) [LexerType = JSC::Lexer<unsigned char>, TreeBuilder = JSC::ASTBuilder] 1 0x11d8e3724 JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char>>::parseClassFieldInitializerSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const&) 2 0x11d8d645c JSC::Parser<JSC::Lexer<unsigned char>>::parseInner(JSC::Identifier const&, JSC::ParsingContext, std::__1::optional<int>, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*) 3 0x11ef0314c std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode>> JSC::Parser<JSC::Lexer<unsigned char>>::parse<JSC::FunctionNode>(JSC::ParserError&, JSC::Identifier const&, JSC::ParsingContext, std::__1::optional<int>, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, 
WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*) 4 0x11ef003a4 std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode>> JSC::parse<JSC::FunctionNode>(JSC::VM&, JSC::SourceCode const&, JSC::Identifier const&, JSC::ImplementationVisibility, JSC::JSParserBuiltinMode, unsigned char, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::FunctionMode, JSC::SuperBinding, JSC::ParserError&, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*, bool) 5 0x11eef7abc JSC::generateUnlinkedFunctionCodeBlock(JSC::VM&, JSC::UnlinkedFunctionExecutable*, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::UnlinkedFunctionKind, JSC::ParserError&, JSC::SourceParseMode) 6 0x11eef6e18 JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::SourceParseMode) 7 0x121d4391c JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*) 8 0x121d44a24 JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) 9 0x11fc3adc4 void JSC::ScriptExecutable::prepareForExecution<JSC::FunctionExecutable>(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) 10 0x120c07560 JSC::linkFor(JSC::VM&, JSC::JSCell*, JSC::CallFrame*, 
JSC::CallLinkInfo*) 11 0x120c068b8 operationDefaultCall 12 0x132340020 11 ??? 0x0000000132340020 0x0 + 5137236000 13 0x1323825ec 12 ??? 0x00000001323825ec 0x0 + 5137507820 14 0x132388128 13 ??? 0x0000000132388128 0x0 + 5137531176 15 0x132388128 14 ??? 0x0000000132388128 0x0 + 5137531176 16 0x132388128 15 ??? 0x0000000132388128 0x0 + 5137531176 17 0x132388128 16 ??? 0x0000000132388128 0x0 + 5137531176 18 0x132388128 17 ??? 0x0000000132388128 0x0 + 5137531176 19 0x132388128 18 ??? 0x0000000132388128 0x0 + 5137531176 20 0x132388128 19 ??? 0x0000000132388128 0x0 + 5137531176 21 0x132388128 20 ??? 0x0000000132388128 0x0 + 5137531176 22 0x132388128 21 ??? 0x0000000132388128 0x0 + 5137531176 23 0x132388128 22 ??? 0x0000000132388128 0x0 + 5137531176 24 0x132388128 23 ??? 0x0000000132388128 0x0 + 5137531176 25 0x132388128 24 ??? 0x0000000132388128 0x0 + 5137531176 26 0x132388128 25 ??? 0x0000000132388128 0x0 + 5137531176 27 0x132388128 26 ??? 0x0000000132388128 0x0 + 5137531176 28 0x132388128 27 ??? 0x0000000132388128 0x0 + 5137531176 29 0x132388128 28 ??? 0x0000000132388128 0x0 + 5137531176 30 0x132388128 29 ??? 0x0000000132388128 0x0 + 5137531176 31 0x132388128 30 ??? 
0x0000000132388128 0x0 + 5137531176 AddressSanitizer:DEADLYSIGNAL ================================================================= ==24108==ERROR: AddressSanitizer: TRAP on unknown address 0x00011d8b318c (pc 0x00011d8b318c bp 0x00016d30c6b0 sp 0x00016d30c650 T0) SCARINESS: 10 (signal) #0 0x11d8b318c in WTFCrashWithInfo(int, char const*, char const*, int) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x2fbb18c) #1 0x11d8e3754 in JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char>>::parseClassFieldInitializerSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const&) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x2feb754) #2 0x11d8d6458 in JSC::Parser<JSC::Lexer<unsigned char>>::parseInner(JSC::Identifier const&, JSC::ParsingContext, std::__1::optional<int>, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x2fde458) #3 0x11ef03148 in std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode>> JSC::Parser<JSC::Lexer<unsigned char>>::parse<JSC::FunctionNode>(JSC::ParserError&, JSC::Identifier const&, JSC::ParsingContext, std::__1::optional<int>, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, 
WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x460b148) #4 0x11ef003a0 in std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode>> JSC::parse<JSC::FunctionNode>(JSC::VM&, JSC::SourceCode const&, JSC::Identifier const&, JSC::ImplementationVisibility, JSC::JSParserBuiltinMode, unsigned char, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::FunctionMode, JSC::SuperBinding, JSC::ParserError&, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl, WTF::PackedPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>, JSC::PrivateNameEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl, WTF::RawPtrTraits<WTF::UniquedStringImpl>, WTF::DefaultRefDerefTraits<WTF::UniquedStringImpl>>>, JSC::PrivateNameEntryHashTraits, WTF::HashTableTraits> const*, WTF::FixedVector<JSC::UnlinkedFunctionExecutable::ClassElementDefinition> const*, bool) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x46083a0) #5 0x11eef7ab8 in JSC::generateUnlinkedFunctionCodeBlock(JSC::VM&, JSC::UnlinkedFunctionExecutable*, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::UnlinkedFunctionKind, JSC::ParserError&, JSC::SourceParseMode) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x45ffab8) #6 0x11eef6e14 in 
JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, WTF::OptionSet<JSC::CodeGenerationMode>, JSC::ParserError&, JSC::SourceParseMode) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x45fee14) #7 0x121d43918 in JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x744b918) #8 0x121d44a20 in JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x744ca20) #9 0x11fc3adc0 in void JSC::ScriptExecutable::prepareForExecution<JSC::FunctionExecutable>(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x5342dc0) #10 0x120c0755c in JSC::linkFor(JSC::VM&, JSC::JSCell*, JSC::CallFrame*, JSC::CallLinkInfo*) (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x630f55c) #11 0x120c068b4 in operationDefaultCall (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x630e8b4) #12 0x13234001c (<unknown module>) #13 0x1323825e8 (<unknown module>) ... 
#254 0x132388124 (<unknown module>) ==24108==Register values: x[0] = 0x0000000000000d30 x[1] = 0x0000000126f6cb80 x[2] = 0x0000000126fb5be0 x[3] = 0x0000000000000c0c x[4] = 0x0000000063000000 x[5] = 0x0000000000000000 x[6] = 0x000000016cfe4000 x[7] = 0x0000000000000001 x[8] = 0x0000000000000c0c x[9] = 0x0000000000000000 x[10] = 0x000000016d7dfff8 x[11] = 0x000000700001ffff x[12] = 0x000000702da818b8 x[13] = 0xffffffffffffffff x[14] = 0x0000000000000000 x[15] = 0x00007fffffffffff x[16] = 0x00000001892db16c x[17] = 0x0000000103388738 x[18] = 0x0000000000000000 x[19] = 0x000062d0000927a8 x[20] = 0x0000632000000800 x[21] = 0x000000016d313350 x[22] = 0x000000016d7df3b8 x[23] = 0x000000016d7df3b8 x[24] = 0x0000000188f5a000 x[25] = 0x00006200000012d0 x[26] = 0x000061f00000a660 x[27] = 0xfffe000000000000 x[28] = 0xfffe000000000002 fp = 0x000000016d30c6b0 lr = 0x000000011d8e3758 sp = 0x000000016d30c650 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: TRAP (/Users/rheza/webkit_safari_branch/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x2fbb18c) in WTFCrashWithInfo(int, char const*, char const*, int) ==24108==ABORTING ``` The safari-7620 branch took more time to trigger the bug, while HEAD took ~20 seconds. I'm not sure whether this assertion failure has security implications, so I'm filing this as a security issue as a precaution.
Attachments
Radar WebKit Bug Importer
Comment 1 2025-01-11 03:06:16 PST
Yusuke Suzuki
Comment 2 2025-01-14 23:26:01 PST
It is a crash bug, as we will go to the same error-handling path.
Yusuke Suzuki
Comment 3 2025-01-14 23:27:25 PST
EWS
Comment 4 2025-01-15 00:09:07 PST
Committed 288919@main (4298267945e8): <https://commits.webkit.org/288919@main> Reviewed commits have been landed. Closing PR #39057 and removing active labels.