[Webkit-unassigned] [Bug 188917] New: RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
bugzilla-daemon at webkit.org
Fri Aug 24 02:41:23 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=188917
Bug ID: 188917
Summary: RELEASE_ASSERT at
../../Source/JavaScriptCore/heap/MarkedSpace.h:83
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Other
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: zhunkibatu at gmail.com
The following PoC triggers a RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83:
static size_t sizeClassToIndex(size_t size)
{
    RELEASE_ASSERT(size); // ==> (1)
    return (size + sizeStep - 1) / sizeStep - 1;
}
Here size = 0; without this RELEASE_ASSERT, the function would return 18446744073709551615.
The PoC may need to be run several times to trigger the crash.
PoC:
==================================================================
function foo(o) {}
function test() {
    var floatArray = foo(new Float64Array(0));
}
for (var i = 0; i < 100000; ++i) {
    test();
}
test();
==================================================================
Stack trace:
1 0x42c45b
2 0x7fd3cc70c9ef
3 0x7fd3cc6d05cd
4 0x7fd3cc66c682 JSC::FTL::lowerDFGToB3(JSC::FTL::State&)
5 0x7fd3cc44e7f3 JSC::DFG::Plan::compileInThreadImpl()
6 0x7fd3cc44a0da JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
7 0x7fd3cc64f372 JSC::DFG::Worklist::ThreadBody::work()
8 0x7fd3ccdaaa7c
9 0x7fd3ccdc39c1 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
10 0x7fd3ccdf7003
11 0x7fd3c99ba6ba
12 0x7fd3c89ed41d clone
Segmentation fault
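The unsigned wraparound that the report describes, as an added example (this is not code from the report or from WebKit): it models the quoted size-class computation without the RELEASE_ASSERT, shows that size == 0 yields SIZE_MAX, and pairs it with a checked variant plus a constructed size-class table to show why an unchecked index of SIZE_MAX matters. The value of sizeStep, the table size, and all function names are assumptions chosen for the example.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed example, not WebKit code. sizeStep is an assumed small fixed
// allocation step; the real MarkedSpace constant is not quoted in the report.
const std::size_t sizeStep = 16;

// Unchecked form of the computation quoted in the report. size_t is unsigned,
// so for size == 0 the expression is (0 + 15) / 16 - 1 == 0 - 1, which wraps
// to SIZE_MAX (18446744073709551615 on a 64-bit build).
std::size_t sizeClassToIndexUnchecked(std::size_t size)
{
    return (size + sizeStep - 1) / sizeStep - 1;
}

// Checked form: instead of RELEASE_ASSERT(size), report failure for size == 0
// so the caller can handle it. Returns false where the assert would fire and
// leaves `index` untouched.
bool sizeClassToIndexChecked(std::size_t size, std::size_t& index)
{
    if (size == 0)
        return false;
    index = (size + sizeStep - 1) / sizeStep - 1;
    return true;
}

// Why the wrap matters: the index selects a size class from a fixed-size
// table. A constructed table of 8 classes (16, 32, ..., 128 bytes) stands in
// for the allocator's real one.
const std::size_t kNumSizeClasses = 8;

// Byte size of the class stored at a given table slot (constructed layout).
std::size_t sizeClassBytes(std::size_t index)
{
    return (index + 1) * sizeStep;
}

// True only when a size maps to a valid table slot; a wrapped index of
// SIZE_MAX (or any index past the end) is rejected rather than used to read
// out of bounds.
bool sizeClassInBounds(std::size_t size)
{
    std::size_t index = 0;
    if (!sizeClassToIndexChecked(size, index))
        return false;
    return index < kNumSizeClasses;
}
```

The checked variant is the defensive shape to compare against: the RELEASE_ASSERT in the report turns the bad input into a deliberate crash, whereas returning a failure code lets a caller refuse the allocation without either aborting or indexing a table with a wrapped value.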