RESOLVED FIXED
287376
[JSC] Make JSC::CompleteSubspace::allocateSlow memory exhaust explicit crash
https://bugs.webkit.org/show_bug.cgi?id=287376
Summary
[JSC] Make JSC::CompleteSubspace::allocateSlow memory exhaust explicit crash
rhezashan
Reported
2025-02-09 16:18:46 PST
commit 323063884259a103168acd51f8bf52bbcef73f27 (HEAD -> main, origin/main, origin/HEAD) Author: Devin Rousso <
hi@devinrousso.com
> Date: Tue Feb 4 17:09:28 2025 -0800 rheza@192 Release % sw_vers ProductName: macOS ProductVersion: 15.3 BuildVersion: 24D60 ================================================================= Build release target with AppleClang + ASAN ./Tools/Scripts/set-webkit-configuration --release --asan rheza@Rhezas-MacBook-Pro Release % ./Tools/Scripts/build-jsc The error stack: rheza@Rheza-MacBook-Pro Debug % ./jsc ./poc.js jsc(23204,0x1f742c840) malloc: nano zone abandoned due to inability to reserve vm space. ASSERTION FAILED: result ./heap/CompleteSubspace.cpp(110) : void *JSC::CompleteSubspace::allocateSlow(VM &, size_t, GCDeferralContext *, AllocationFailureMode) 1 0x12221aad0 JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) 2 0x123d4af58 JSC::CompleteSubspace::allocate(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) 3 0x121b50a30 JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSObject*, unsigned long, unsigned long, bool, unsigned long) 4 0x1238affcc JSC::Butterfly::createOrGrowPropertyStorage(JSC::Butterfly*, JSC::VM&, JSC::JSObject*, JSC::Structure*, unsigned long, unsigned long) 5 0x1238afdc0 JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned long, unsigned long) 6 0x121d3da88 WTF::ASCIILiteral JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) 7 0x121d3b594 JSC::JSObject::putInlineFast(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 8 0x1238859f4 JSC::JSObject::definePropertyOnReceiver(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 9 0x12388419c JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 10 0x121d3ace0 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 11 0x1238776e4 
JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 12 0x1234e19d4 JSC::JSArray::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 13 0x123882db0 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 14 0x121d3ace0 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 15 0x1238776e4 JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 16 0x1234e19d4 JSC::JSArray::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 17 0x121b5c488 JSC::JSValue::put(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 18 0x122e15430 llint_slow_path_put_by_val 19 0x128e3b314 jsc_llint_putByValOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__opPutByValSlow_LowLevelInterpreter64_asm_2033 20 0x128e544ac op_call_ignore_result_return_location 21 0x134fe3524 20 ??? 
0x0000000134fe3524 0x0 + 5184042276 22 0x128e2995c llint_call_javascript 23 0x1228f120c JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 24 0x1231e1e98 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 25 0x104a1723c runWithOptions(GlobalObject*, CommandLine&, bool&) 26 0x104927fe8 jscmain(int, char**)::$_1::operator()(JSC::VM&, GlobalObject*, bool&) const 27 0x104870ffc int runJSC<jscmain(int, char**)::$_1>(CommandLine const&, bool, jscmain(int, char**)::$_1 const&) 28 0x104869e68 jscmain(int, char**) 29 0x104868d3c main 30 0x18d73c274 start AddressSanitizer:DEADLYSIGNAL ================================================================= ==23204==ERROR: AddressSanitizer: TRAP on unknown address 0x0001234d64dc (pc 0x0001234d64dc bp 0x00016b59ee30 sp 0x00016b59edd0 T0) SCARINESS: 10 (signal) #0 0x1234d64dc in WTFCrashWithInfo(int, char const*, char const*, int) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x65d24dc) #1 0x12221ab00 in JSC::CompleteSubspace::allocateSlow(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x5316b00) #2 0x123d4af54 in JSC::CompleteSubspace::allocate(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x6e46f54) #3 0x121b50a2c in JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSObject*, unsigned long, unsigned long, bool, unsigned long) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4c4ca2c) #4 0x1238affc8 in JSC::Butterfly::createOrGrowPropertyStorage(JSC::Butterfly*, JSC::VM&, JSC::JSObject*, JSC::Structure*, unsigned long, unsigned long) 
(/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69abfc8) #5 0x1238afdbc in JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned long, unsigned long) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69abdbc) #6 0x121d3da84 in WTF::ASCIILiteral JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4e39a84) #7 0x121d3b590 in JSC::JSObject::putInlineFast(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4e37590) #8 0x1238859f0 in JSC::JSObject::definePropertyOnReceiver(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69819f0) #9 0x123884198 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x6980198) #10 0x121d3acdc in JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4e36cdc) #11 0x1238776e0 in JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69736e0) #12 0x1234e19d0 in JSC::JSArray::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) 
(/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x65dd9d0) #13 0x123882dac in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x697edac) #14 0x121d3acdc in JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4e36cdc) #15 0x1238776e0 in JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x69736e0) #16 0x1234e19d0 in JSC::JSArray::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x65dd9d0) #17 0x121b5c484 in JSC::JSValue::put(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x4c58484) #18 0x122e1542c in llint_slow_path_put_by_val (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x5f1142c) #19 0x128e3b310 in jsc_llint_putByValOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__opPutByValSlow_LowLevelInterpreter64_asm_2033 (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0xbf37310) #20 0x128e544a8 in jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__844_callHelper__dispatch_LowLevelInterpreter64_asm_2536 
(/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0xbf504a8) #21 0x134fe3520 (<unknown module>) #22 0x128e29958 in llint_call_javascript (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0xbf25958) #23 0x1228f1208 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x59ed208) #24 0x1231e1e94 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x62dde94) #25 0x104a17238 in runWithOptions(GlobalObject*, CommandLine&, bool&) (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x1001bf238) #26 0x104927fe4 in jscmain(int, char**)::$_1::operator()(JSC::VM&, GlobalObject*, bool&) const (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x1000cffe4) #27 0x104870ff8 in int runJSC<jscmain(int, char**)::$_1>(CommandLine const&, bool, jscmain(int, char**)::$_1 const&) (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x100018ff8) #28 0x104869e64 in jscmain(int, char**) (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x100011e64) #29 0x104868d38 in main (/Users/rheza/WebKit/WebKitBuild/Debug/jsc:arm64+0x100010d38) #30 0x18d73c270 (<unknown module>) ==23204==Register values: x[0] = 0x000000000000006e x[1] = 0x0000000129d5dec0 x[2] = 0x0000000129d5df00 x[3] = 0x0000000000000ba2 x[4] = 0x000000702d6d3080 x[5] = 0x0000000000000000 x[6] = 0x000000016adac000 x[7] = 0x0000000000000001 x[8] = 0x0000000000000ba2 x[9] = 0x000000700001ffff x[10] = 0x000000016b5a7ff8 x[11] = 0x000000700001ffff x[12] = 0x000000702d6d3d9c x[13] = 0xffffffffffffffff x[14] = 0x0000000000000000 x[15] = 0x00007fffffffffff x[16] = 0x000000018dab716c x[17] = 0x0000000105348738 x[18] = 0x0000000000000000 x[19] = 0x00000001f7190050 x[20] = 
0x00000001f71900a0 x[21] = 0x00000001f7190050 x[22] = 0x000000016b5a7448 x[23] = 0x000000016b5a7448 x[24] = 0x000000018d736000 x[25] = 0x000061b0008a02f0 x[26] = 0x0000615000656880 x[27] = 0xfffe000000000000 x[28] = 0xfffe000000000002 fp = 0x000000016b59ee30 lr = 0x000000012221ab04 sp = 0x000000016b59edd0 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: TRAP (/Users/rheza/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64+0x65d24dc) in WTFCrashWithInfo(int, char const*, char const*, int) ==23204==ABORTING zsh: abort ./jsc ./poc.js ``` poc for (let i1 = 0; i1 < 10; ++i1) { const v7 = []; var arr = v7; let v9 = "abcdefghijklmnop"; var s = v9; for (let i20 = (() => { s[Symbol.match]; return 0; })(); (() => { const v24 = new WebAssembly.Instance(new WebAssembly.Module(new Uint8Array([ 0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00, 0x01, 0x07, 0x01, 0x60, 0x03, 0x7C, 0x7F, 0x7D, 0x00, 0x03, 0x01, 0x00, 0x04, 0x04, 0x01, 0x70, 0x00, 0x0A, 0x05, 0x01, 0x00, 0x0D, 0x03, 0x01, 0x00, 0x00, 0x06, 0x01, 0x00, 0x07, 0x07, 0x01, 0x03, 0x77, 0x74, 0x30, 0x01, 0x00, 0x09, 0x01, 0x00, 0x0A, 0x01, 0x00, ]))); v24.exports; return i20 < 5000; })(); ++i20) { const v33 = ("<" + s) + ">"; s = v33; arr.push(v33); } const v24 = gc(); for (let i39 = 0; (() => { const v40 = () => { function* f27(a42, a43, a44) { [a44,v9,i39]; [a42,v7]; [a42,a44,arr]; return yield i1; } f27(v24, i39, f27); return i39 < 5000; }; return v40(); })(); (() => { const v54 = () => { arr.__proto__; v9 = v24; const v58 = new Int8Array(78); arr[Uint8Array] = i39; v7[v54] = gc; v58[1665890787]; v54[8] = s; try { new Uint8Array(v58, i39, -2147483647); } catch(e63) { } new Uint8Array(257); new Uint8ClampedArray(3330); ++i39; }; v54(); })()) { arr[i39].search("a"); } gc(); } ```
Radar WebKit Bug Importer
Comment 1
2025-02-09 16:19:03 PST
<
rdar://problem/144494170
>
Yusuke Suzuki
Comment 2
2025-03-06 14:01:57 PST
This is an explicit crash on memory exhaustion.
Yusuke Suzuki
Comment 3
2025-03-06 14:05:40 PST
Pull request:
https://github.com/WebKit/WebKit/pull/42035
EWS
Comment 4
2025-03-06 16:26:16 PST
Committed
291743@main
(798ff291e8a8): <
https://commits.webkit.org/291743@main
> Reviewed commits have been landed. Closing PR #42035 and removing active labels.