[Webkit-unassigned] [Bug 171426] New: JavaScriptCore Set add Method outbound Read bug

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 28 04:20:30 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171426

            Bug ID: 171426
           Summary: JavaScriptCore Set add Method outbound Read bug
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Windows 7
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: 672639236 at qq.com

Created attachment 308517

  --> https://bugs.webkit.org/attachment.cgi?id=308517&action=review

poc file to reproduce the bug

Hi, I found a bug in WebKit. The environment in which I reproduce the bug is: Windows 7 + WebKit debug build (4/27/2017). The crash info is as follows:
(4f8.720): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07440068 ebx=0017eed8 ecx=06751320 edx=1defbe85 esi=00036ce0 edi=06094f80
eip=6abafa2f esp=0017ee70 ebp=0017eec8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
*** WARNING: Unable to verify checksum for D:\webkit\WebKitBuild\Release\bin32\JavaScriptCore.dll
JavaScriptCore!JSC::setProtoFuncDelete+0x1bf:
6abafa2f 8b04b0          mov     eax,dword ptr [eax+esi*4] ds:002b:0751b3e8=????????
0:000> kn
 # ChildEBP RetAddr  
00 0017eec8 031a58fd JavaScriptCore!JSC::setProtoFuncDelete+0x1bf [d:\webkit\source\javascriptcore\runtime\setprototype.cpp @ 121]
WARNING: Frame IP not in any known module. Following frames may be wrong.
01 0017eed8 6ac2dc98 0x31a58fd
02 0017ef38 6ac2dc98 JavaScriptCore!llint_entry+0x4ac4 [D:\WebKit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm @ 7939]
03 0017efd8 6ac2dc98 JavaScriptCore!llint_entry+0x4ac4 [D:\WebKit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm @ 7939]
04 0017f028 6ac2903d JavaScriptCore!llint_entry+0x4ac4 [D:\WebKit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm @ 7939]
05 0017f080 6a9987d2 JavaScriptCore!vmEntryToJavaScript+0x10d [D:\WebKit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm @ 114]
06 0017f0ac 6a97a94c JavaScriptCore!JSC::JITCode::execute+0x52 [d:\webkit\source\javascriptcore\jit\jitcode.cpp @ 81]
07 0017f138 6aaa94bf JavaScriptCore!JSC::Interpreter::executeCall+0x18c [d:\webkit\source\javascriptcore\interpreter\interpreter.cpp @ 955]
08 0017f178 6aaa9629 JavaScriptCore!JSC::call+0x4f [d:\webkit\source\javascriptcore\runtime\calldata.cpp @ 47]
*** WARNING: Unable to verify checksum for D:\webkit\WebKitBuild\Release\bin32\WebKit.dll
09 0017f1e0 6ce405f2 JavaScriptCore!JSC::profiledCall+0x59 [d:\webkit\source\javascriptcore\runtime\calldata.cpp @ 65]
0a 0017f234 6ce191eb WebKit!WebCore::JSMainThreadExecState::profiledCall+0x62 [d:\webkit\source\webcore\bindings\js\jsmainthreadexecstate.h @ 71]
0b 0017f340 6ca4fa9e WebKit!WebCore::JSEventListener::handleEvent+0x3eb [d:\webkit\source\webcore\bindings\js\jseventlistener.cpp @ 154]
0c 0017f378 6ca4f902 WebKit!WebCore::EventTarget::fireEventListeners+0xfe [d:\webkit\source\webcore\dom\eventtarget.cpp @ 266]
0d 0017f3ac 6cc14e05 WebKit!WebCore::EventTarget::fireEventListeners+0xe2 [d:\webkit\source\webcore\dom\eventtarget.cpp @ 209]
0e 0017f3d4 6cc14f0d WebKit!WebCore::DOMWindow::dispatchEvent+0x105 [d:\webkit\source\webcore\page\domwindow.cpp @ 1995]
0f 0017f3fc 6ca60c68 WebKit!WebCore::DOMWindow::dispatchLoadEvent+0xbd [d:\webkit\source\webcore\page\domwindow.cpp @ 1953]
10 0017f420 6cc06953 WebKit!WebCore::Document::implicitClose+0x178 [d:\webkit\source\webcore\dom\document.cpp @ 2646]
11 0017f430 6cc06871 WebKit!WebCore::FrameLoader::checkCompleted+0xa3 [d:\webkit\source\webcore\loader\frameloader.cpp @ 841]
12 0017f43c 6ca6797a WebKit!WebCore::FrameLoader::finishedParsing+0x61 [d:\webkit\source\webcore\loader\frameloader.cpp @ 758]
13 0017f454 6d037a17 WebKit!WebCore::Document::finishedParsing+0x15a [d:\webkit\source\webcore\dom\document.cpp @ 5008]
14 0017f45c 6d00fa13 WebKit!WebCore::HTMLDocumentParser::prepareToStopParsing+0x87 [d:\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 136]
15 0017f46c 6cae697a WebKit!WebCore::DocumentWriter::end+0x33 [d:\webkit\source\webcore\loader\documentwriter.cpp @ 277]
16 0017f564 6cae6b26 WebKit!WebCore::DocumentLoader::finishedLoading+0x13a [d:\webkit\source\webcore\loader\documentloader.cpp @ 418]
17 0017f56c 6cf8797d WebKit!WebCore::DocumentLoader::notifyFinished+0x26 [d:\webkit\source\webcore\loader\documentloader.cpp @ 367]
18 0017f590 6cf8633c WebKit!WebCore::CachedResource::checkNotify+0x3d [d:\webkit\source\webcore\loader\cache\cachedresource.cpp @ 303]
19 0017f594 6d068ce1 WebKit!WebCore::CachedResource::finishLoading+0xc [d:\webkit\source\webcore\loader\cache\cachedresource.cpp @ 320]
1a 0017f5c0 6caf21f1 WebKit!WebCore::CachedRawResource::finishLoading+0x91 [d:\webkit\source\webcore\loader\cache\cachedrawresource.cpp @ 105]
1b 0017f5e4 6caed1cf WebKit!WebCore::SubresourceLoader::didFinishLoading+0xa1 [d:\webkit\source\webcore\loader\subresourceloader.cpp @ 567]
1c 0017f6d8 6d0704f9 WebKit!WebCore::ResourceLoader::didFinishLoading+0x2f [d:\webkit\source\webcore\loader\resourceloader.cpp @ 655]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Common Files\Apple\Apple Application Support\CFNetwork.dll - 
1d 0017f6e4 7491c437 WebKit!WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didFinishLoading+0x19 [d:\webkit\source\webcore\platform\network\cf\synchronousresourcehandlecfurlconnectiondelegate.cpp @ 195]
1e 0017f730 7491a2a1 CFNetwork!CFHTTPCookieCreateWithResponseHeaderFields+0xc3f7
1f 0017f8a4 74919500 CFNetwork!CFHTTPCookieCreateWithResponseHeaderFields+0xa261
20 0017f8c8 7491a963 CFNetwork!CFHTTPCookieCreateWithResponseHeaderFields+0x94c0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\USER32.dll - 
21 0017f8d4 773b62fa CFNetwork!CFHTTPCookieCreateWithResponseHeaderFields+0xa923
22 0017f900 773b6d3a USER32!gapfnScSendMessage+0x332
23 0017f978 773b77c4 USER32!GetThreadDesktop+0xd7
24 0017f9d8 773b788a USER32!CharPrevW+0x138
25 0017f9e8 6c9f243a USER32!DispatchMessageW+0xf
*** WARNING: Unable to verify checksum for D:\webkit\WebKitBuild\Release\bin32\MiniBrowserLib.dll
26 0017fa24 751967dd WebKit!WebKitMessageLoop::run+0x7a [d:\webkit\source\webkit\win\webkitmessageloop.cpp @ 90]
*** WARNING: Unable to verify checksum for D:\webkit\WebKitBuild\Release\bin32\MiniBrowser.exe
27 0017faa8 01101412 MiniBrowserLib!wWinMain+0x5bd [d:\webkit\tools\minibrowser\win\winmain.cpp @ 187]
28 0017fd80 01102ef2 MiniBrowser!wWinMain+0x412 [d:\webkit\tools\win\dlllauncher\dlllaunchermain.cpp @ 249]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll - 
29 0017fdcc 757b33aa MiniBrowser!__scrt_common_main_seh+0xf6 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
2a 0017fdd8 77d19f72 kernel32!BaseThreadInitThunk+0x12
2b 0017fe18 77d19f45 ntdll!RtlInitializeExceptionChain+0x63
2c 0017fe30 00000000 ntdll!RtlInitializeExceptionChain+0x36

The root cause of the bug is that JavaScriptCore!JSC::Subspace::tryAllocate can fail when we have consumed all the system memory, but JavaScriptCore!JSC::setProtoFuncDelete cannot handle it properly.
The PoC file is in the attachment.
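The root-cause sentence above describes a general failure mode: a "try"-style allocator returns null when memory is exhausted, and a caller that uses the result without checking it reads or writes through a bad pointer. The following is an added illustration, not code from the bug report or from WebKit: a constructed arena with a fixed byte budget (a stand-in for a JSC Subspace, with a hypothetical tryAllocate) and a toy open-addressing set whose rehash and add paths check the allocation result and propagate the failure instead of touching the table. All names and the budget values are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Constructed stand-in for an allocator with a hard budget. Like a "try" allocator,
// it returns nullptr on exhaustion rather than aborting; the caller must check.
struct BudgetedArena {
    size_t budgetBytes;
    size_t usedBytes = 0;
    std::vector<std::unique_ptr<uint32_t[]>> blocks; // keeps every block alive

    explicit BudgetedArena(size_t budget) : budgetBytes(budget) {}

    uint32_t* tryAllocate(size_t count) {
        size_t bytes = count * sizeof(uint32_t);
        if (bytes > budgetBytes - usedBytes)
            return nullptr; // out of memory: no table was allocated
        usedBytes += bytes;
        blocks.emplace_back(new uint32_t[count]()); // zero-filled: 0 = empty slot
        return blocks.back().get();
    }
};

// Toy open-addressing set of nonzero uint32 keys, kept at most half full.
struct ToySet {
    BudgetedArena& arena;
    uint32_t* slots = nullptr;
    size_t capacity = 0;
    size_t size = 0;

    explicit ToySet(BudgetedArena& a) : arena(a) {}

    static size_t indexFor(uint32_t key, size_t cap) { return (key * 2654435761u) % cap; }

    bool contains(uint32_t key) const {
        if (capacity == 0) return false;
        size_t idx = indexFor(key, capacity);
        for (size_t probes = 0; probes < capacity; ++probes) {
            if (slots[idx] == 0) return false;
            if (slots[idx] == key) return true;
            idx = (idx + 1) % capacity;
        }
        return false;
    }

    // Grows the table. On allocation failure the old table is left intact and
    // false is returned; the new pointer is never dereferenced when it is null.
    bool rehash(size_t newCapacity) {
        uint32_t* fresh = arena.tryAllocate(newCapacity);
        if (!fresh)
            return false; // this is the check the report says was missing
        for (size_t i = 0; i < capacity; ++i) {
            uint32_t k = slots[i];
            if (k == 0) continue;
            size_t idx = indexFor(k, newCapacity);
            while (fresh[idx] != 0) idx = (idx + 1) % newCapacity;
            fresh[idx] = k;
        }
        slots = fresh;
        capacity = newCapacity;
        return true;
    }

    // Returns false if the key could not be inserted because memory ran out.
    bool add(uint32_t key) {
        if (key == 0 || contains(key)) return key != 0;
        if ((size + 1) * 2 > capacity && !rehash(capacity == 0 ? 8 : capacity * 2))
            return false; // propagate OOM to the caller instead of crashing
        size_t idx = indexFor(key, capacity);
        while (slots[idx] != 0) idx = (idx + 1) % capacity;
        slots[idx] = key;
        ++size;
        return true;
    }
};

struct DemoResult { size_t inserted; bool sawFailure; bool stillConsistent; };

// Inserts keys 1..20 under the given budget and reports how the set behaved
// once the arena could no longer grow the table.
DemoResult demo(size_t budgetBytes) {
    BudgetedArena arena(budgetBytes);
    ToySet set(arena);
    DemoResult r{0, false, true};
    for (uint32_t key = 1; key <= 20; ++key) {
        if (set.add(key)) ++r.inserted;
        else { r.sawFailure = true; break; }
    }
    for (uint32_t key = 1; key <= r.inserted; ++key)
        if (!set.contains(key)) r.stillConsistent = false;
    if (set.size != r.inserted || set.contains(r.inserted + 1)) r.stillConsistent = false;
    return r;
}

int main() {
    DemoResult r = demo(96); // 96 bytes: room for tables of 8 and 16 slots, not 32
    std::printf("inserted=%zu failure=%d consistent=%d\n", r.inserted, r.sawFailure, r.stillConsistent);
    return 0;
}
```

With a 96-byte budget the tables of 8 and 16 slots fit, the attempt to grow to 32 slots fails, and add() reports that failure for the ninth key while the first eight remain intact; the same set with an ample budget takes all twenty keys.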
