[Webkit-unassigned] [Bug 182168] New: Infinite loop that occupies all available memory space on WebKitGTK/JavaScriptCore 64 bit release build

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 26 02:51:44 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=182168

            Bug ID: 182168
           Summary: Infinite loop that occupies all available memory space
                    on WebKitGTK/JavaScriptCore 64 bit release build
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sevendays37 at gmail.com

Test Code:

function func_0(args) {
}

// `func_0 += var_2` coerces the function to its source text on the first
// iteration and then appends "10" to the resulting string on every later one.
// The loop has no exit condition, so the string grows until memory runs out.
for (var var_2 = 10; ;) {
  func_0 += var_2;
}

I have tested the code above on WebKitGTK/JavaScriptCore 2.18.6/2.19.6 32/64 bit release builds.
The result was interesting.
On the 32 bit release builds, they crashed immediately (SIGSEGV on 2.18.6 and SIGILL on 2.19.6).
On the 64 bit release builds, however, they occupied all available memory space, making the machine extremely slow.
I have also tested the code on Google V8 6.2.1 32/64 bit release builds.
They did not show any slowdown and crashed with an error message saying the process is out of memory.
I think the JavaScriptCore 64 bit release build should also crash before it occupies all available memory space.

OS: Ubuntu 16.04 LTS 64 bit
Memory: 16GB

###########################

2.18.6, 32 bit, release build

###########################

Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
0xf7dfecc2 in bmalloc::Heap::allocateSmallChunk(std::lock_guard<bmalloc::StaticMutex>&, unsigned int) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
(gdb) bt
#0  0xf7dfecc2 in bmalloc::Heap::allocateSmallChunk(std::lock_guard<bmalloc::StaticMutex>&, unsigned int) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#1  0xf7dfef89 in bmalloc::Heap::allocateSmallPage(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, std::array<bmalloc::List<bmalloc::SmallPage>, 112u>&) () from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#2  0xf7dff1a1 in bmalloc::Heap::allocateSmallBumpRangesByObject(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, bmalloc::BumpAllocator&, bmalloc::FixedVector<bmalloc::BumpRange, 3u>&, std::array<bmalloc::List<bmalloc::SmallPage>, 112u>&) () from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#3  0xf7df9c3c in bmalloc::Allocator::refillAllocatorSlowCase(bmalloc::BumpAllocator&, unsigned int) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#4  0xf7df9dd5 in bmalloc::Allocator::allocateLogSizeClass(unsigned int) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#5  0xf7df9e39 in bmalloc::Allocator::allocateSlowCase(unsigned int) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#6  0xf7dfa243 in bmalloc::Allocator::allocateImpl(unsigned int, unsigned int, bool) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#7  0xf7dfa34d in bmalloc::Allocator::tryAllocate(unsigned int, unsigned int) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#8  0xf7da8081 in WTF::tryFastAlignedMalloc(unsigned int, unsigned int) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#9  0xf77fe3c7 in JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory(unsigned int, unsigned int) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#10 0xf7818217 in JSC::MarkedBlock::tryCreate(JSC::Heap&, JSC::AlignedMemoryAllocator*) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#11 0xf7817a38 in JSC::MarkedAllocator::tryAllocateBlock() ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#12 0xf7817e0c in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#13 0xf7817f0f in JSC::MarkedAllocator::allocateSlowCase(JSC::GCDeferralContext*) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#14 0xf7826be8 in JSC::Subspace::allocate(unsigned int) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#15 0xf76f967e in operationMakeRope2 () from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#16 0xf28048d7 in ?? ()
#17 0xf7963249 in vmEntryToJavaScript () from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#18 0xf78dc6a8 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#19 0xf788a93e in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#20 0xf7ae987c in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) ()
   from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#21 0x0805f628 in jscmain(int, char**) ()
#22 0x0805203c in main ()

##############################

2.19.6, 32 bit, release build

##############################

Thread 1 "jsc" received signal SIGILL, Illegal instruction.
0xf7dc231a in bmalloc::Heap::allocateLarge(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, unsigned int, bmalloc::AllocationKind) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
(gdb) bt
#0  0xf7dc231a in bmalloc::Heap::allocateLarge(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, unsigned int, bmalloc::AllocationKind) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#1  0xf7dc23df in bmalloc::Heap::allocateSmallChunk(std::lock_guard<bmalloc::StaticMutex>&, unsigned int) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#2  0xf7dc460d in bmalloc::Heap::allocateSmallPage(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, std::array<bmalloc::List<bmalloc::SmallPage>, 112u>&) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#3  0xf7dc485d in bmalloc::Heap::allocateSmallBumpRangesByObject(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, bmalloc::BumpAllocator&, bmalloc::FixedVector<bmalloc::BumpRange, 3u>&, std::array<bmalloc::List<bmalloc::SmallPage>, 112u>&) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#4  0xf7dbea0c in bmalloc::Allocator::refillAllocatorSlowCase(bmalloc::BumpAllocator&, unsigned int) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#5  0xf7dbeba5 in bmalloc::Allocator::allocateLogSizeClass(unsigned int) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#6  0xf7dbec09 in bmalloc::Allocator::allocateSlowCase(unsigned int) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#7  0xf7dbf013 in bmalloc::Allocator::allocateImpl(unsigned int, unsigned int, bool) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#8  0xf7dbf11d in bmalloc::Allocator::tryAllocate(unsigned int, unsigned int) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#9  0xf7d6b32c in WTF::tryFastAlignedMalloc(unsigned int, unsigned int) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#10 0xf783404d in JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory(unsigned int, unsigned int) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#11 0xf78534d5 in JSC::MarkedBlock::tryCreate(JSC::Heap&, JSC::AlignedMemoryAllocator*) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#12 0xf78318b6 in JSC::BlockDirectory::tryAllocateBlock() ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#13 0xf7832bdc in JSC::BlockDirectory::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#14 0xf783380f in JSC::CompleteSubspace::allocateNonVirtual(unsigned int, JSC::GCDeferralContext*, JSC::AllocationFailureMode) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#15 0xf77372eb in JSC::JSRopeString::create(JSC::VM&, JSC::JSString*, JSC::JSString*) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#16 0xf7711139 in operationMakeRope2 () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#17 0xf47fef37 in ?? ()
#18 0xf796f222 in vmEntryToJavaScript () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#19 0xf79131c2 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#20 0xf78ea3d2 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#21 0xf7b03644 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) ()
   from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#22 0x0805be70 in jscmain(int, char**) ()
#23 0x0805142c in main ()

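A bounded variant of the reporter's test case, added here as an example and not part of the bug report, that makes the growth mechanism visible: `func_0 += var_2` first converts the function to its source text through Function.prototype.toString, and every further iteration appends the decimal string "10", so the value becomes a string that grows by exactly two characters per iteration with no upper bound. The `probe` function and its iteration cap are assumptions of this example; the engine-specific behaviour (rope allocation, crash vs. slowdown) is taken from the report above and not reproduced here.

```javascript
// Added example (not part of the bug report): a capped version of the
// reporter's loop that reports how the accumulated value evolves.
function probe(iterations) {
  function func_0(args) {}

  // Function.prototype.toString returns the source text, so the first
  // `+=` turns func_0 into this string; later ones append "10".
  const base = String(func_0);

  let value = func_0;
  for (let i = 0; i < iterations; i++) {
    value += 10;            // same operation as the original loop, bounded
  }

  return {
    type: typeof value,     // "string" once at least one iteration ran
    length: typeof value === "string" ? value.length : -1,
    expected: base.length + 2 * iterations,
    startsWithSource: typeof value === "string" && value.startsWith(base),
    endsWithTen: typeof value === "string" && value.endsWith("10"),
  };
}

// Growth per iteration, derived from two probes rather than assumed.
function growthPerIteration() {
  return probe(2).length - probe(1).length;
}
```

Run with any JavaScript engine, e.g. `jsc` or `node`: `probe(1000)` returns a string of length `String(func_0).length + 2000`, and `growthPerIteration()` is 2. The original loop is this same computation without the cap, which is why it ends in memory exhaustion rather than a plain hang: each `+=` allocates a new rope node (`operationMakeRope2` in the traces above) whose left child is the previous string, so no earlier string ever becomes collectable.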