[Webkit-unassigned] [Bug 182168] New: Infinite loop that occupies all available memory space on WebKitGTK/JavaScriptCore 64 bit release build
bugzilla-daemon at webkit.org
Fri Jan 26 02:51:44 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=182168
Bug ID: 182168
Summary: Infinite loop that occupies all available memory space on WebKitGTK/JavaScriptCore 64 bit release build
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: sevendays37 at gmail.com
Test Code:
function func_0(args) {
}
// `func_0 += var_2` coerces the function to its source text on the first
// iteration; from then on it is an unbounded string append (each `+` creates
// a new rope string whose left fiber is the previous one, so nothing is
// ever freed).  The loop has no exit condition on purpose.
for (var var_2 = 10; ;) {
    func_0 += var_2;
}
I have tested the code above on WebKitGTK/JavaScriptCore 2.18.6/2.19.6 32/64-bit release builds.
The result was interesting.
On the 32-bit release builds, they crashed immediately (SIGSEGV on 2.18.6 and SIGILL on 2.19.6).
On the 64-bit release builds, however, they occupied all available memory space, making the machine extremely slow.
I have also tested the code on Google V8 6.2.1 32/64-bit release builds.
They did not show any slowdown and crashed with an error message saying the process is out of memory.
I think the JavaScriptCore 64-bit release build should also crash before it occupies all available memory space.
OS: Ubuntu 16.04 LTS 64 bit
Memory: 16GB
###########################
2.18.6, 32 bit, release build
###########################
Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
0xf7dfecc2 in bmalloc::Heap::allocateSmallChunk(std::lock_guard<bmalloc::StaticMutex>&, unsigned int) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
(gdb) bt
#0 0xf7dfecc2 in bmalloc::Heap::allocateSmallChunk(std::lock_guard<bmalloc::StaticMutex>&, unsigned int) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#1 0xf7dfef89 in bmalloc::Heap::allocateSmallPage(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, std::array<bmalloc::List<bmalloc::SmallPage>, 112u>&) () from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#2 0xf7dff1a1 in bmalloc::Heap::allocateSmallBumpRangesByObject(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, bmalloc::BumpAllocator&, bmalloc::FixedVector<bmalloc::BumpRange, 3u>&, std::array<bmalloc::List<bmalloc::SmallPage>, 112u>&) () from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#3 0xf7df9c3c in bmalloc::Allocator::refillAllocatorSlowCase(bmalloc::BumpAllocator&, unsigned int) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#4 0xf7df9dd5 in bmalloc::Allocator::allocateLogSizeClass(unsigned int) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#5 0xf7df9e39 in bmalloc::Allocator::allocateSlowCase(unsigned int) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#6 0xf7dfa243 in bmalloc::Allocator::allocateImpl(unsigned int, unsigned int, bool) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#7 0xf7dfa34d in bmalloc::Allocator::tryAllocate(unsigned int, unsigned int) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#8 0xf7da8081 in WTF::tryFastAlignedMalloc(unsigned int, unsigned int) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#9 0xf77fe3c7 in JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory(unsigned int, unsigned int) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#10 0xf7818217 in JSC::MarkedBlock::tryCreate(JSC::Heap&, JSC::AlignedMemoryAllocator*) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#11 0xf7817a38 in JSC::MarkedAllocator::tryAllocateBlock() ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#12 0xf7817e0c in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#13 0xf7817f0f in JSC::MarkedAllocator::allocateSlowCase(JSC::GCDeferralContext*) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#14 0xf7826be8 in JSC::Subspace::allocate(unsigned int) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#15 0xf76f967e in operationMakeRope2 () from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#16 0xf28048d7 in ?? ()
#17 0xf7963249 in vmEntryToJavaScript () from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#18 0xf78dc6a8 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#19 0xf788a93e in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#20 0xf7ae987c in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) ()
from /data/webkit-2.18.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#21 0x0805f628 in jscmain(int, char**) ()
#22 0x0805203c in main ()
##############################
2.19.6, 32 bit, release build
##############################
Thread 1 "jsc" received signal SIGILL, Illegal instruction.
0xf7dc231a in bmalloc::Heap::allocateLarge(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, unsigned int, bmalloc::AllocationKind) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
(gdb) bt
#0 0xf7dc231a in bmalloc::Heap::allocateLarge(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, unsigned int, bmalloc::AllocationKind) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#1 0xf7dc23df in bmalloc::Heap::allocateSmallChunk(std::lock_guard<bmalloc::StaticMutex>&, unsigned int) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#2 0xf7dc460d in bmalloc::Heap::allocateSmallPage(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, std::array<bmalloc::List<bmalloc::SmallPage>, 112u>&) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#3 0xf7dc485d in bmalloc::Heap::allocateSmallBumpRangesByObject(std::lock_guard<bmalloc::StaticMutex>&, unsigned int, bmalloc::BumpAllocator&, bmalloc::FixedVector<bmalloc::BumpRange, 3u>&, std::array<bmalloc::List<bmalloc::SmallPage>, 112u>&) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#4 0xf7dbea0c in bmalloc::Allocator::refillAllocatorSlowCase(bmalloc::BumpAllocator&, unsigned int) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#5 0xf7dbeba5 in bmalloc::Allocator::allocateLogSizeClass(unsigned int) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#6 0xf7dbec09 in bmalloc::Allocator::allocateSlowCase(unsigned int) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#7 0xf7dbf013 in bmalloc::Allocator::allocateImpl(unsigned int, unsigned int, bool) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#8 0xf7dbf11d in bmalloc::Allocator::tryAllocate(unsigned int, unsigned int) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#9 0xf7d6b32c in WTF::tryFastAlignedMalloc(unsigned int, unsigned int) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#10 0xf783404d in JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory(unsigned int, unsigned int) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#11 0xf78534d5 in JSC::MarkedBlock::tryCreate(JSC::Heap&, JSC::AlignedMemoryAllocator*) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#12 0xf78318b6 in JSC::BlockDirectory::tryAllocateBlock() ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#13 0xf7832bdc in JSC::BlockDirectory::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#14 0xf783380f in JSC::CompleteSubspace::allocateNonVirtual(unsigned int, JSC::GCDeferralContext*, JSC::AllocationFailureMode) () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#15 0xf77372eb in JSC::JSRopeString::create(JSC::VM&, JSC::JSString*, JSC::JSString*) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#16 0xf7711139 in operationMakeRope2 () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#17 0xf47fef37 in ?? ()
#18 0xf796f222 in vmEntryToJavaScript () from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#19 0xf79131c2 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#20 0xf78ea3d2 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#21 0xf7b03644 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) ()
from /data/webkit-2.19.6/WebKitBuild/ia32.release/lib/libJavaScriptCore.so.1
#22 0x0805be70 in jscmain(int, char**) ()
#23 0x0805142c in main ()
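The following is an added example, not part of the bug report or of WebKit itself, that makes the language-level behaviour of the posted test case explicit and runs it under an iteration bound and a length budget so it can be executed without exhausting memory. The backtraces above show where the unbounded growth lands in JSC (operationMakeRope2 / JSRopeString::create, i.e. one new rope node per `+=`); this script shows why the loop is a string append at all. It assumes a Node.js (or any ES2015) runtime; `growOnce`, `runBounded` and `runGuarded` are names introduced here, as is the constructed budget value.

```javascript
// Added example (not from the bug report): the same function and the same
// `+= 10` step as the posted test case, but with a bound so it is safe to run.

function func_0(args) {
}

// One step of the original loop body `func_0 += var_2`.
// `value + 10` applies ToPrimitive to `value`: for a function that yields
// its source text (Function.prototype.toString), so the very first step
// turns the function into a string and every later step is a string
// concatenation, not arithmetic.  In JSC each such concatenation allocates
// a new rope string that keeps the previous string reachable as its left
// fiber, which is why memory only ever grows.
function growOnce(value, n) {
  return value + n; // identical semantics to `value += n`
}

// Run the loop for a fixed number of iterations (instead of forever) and
// report how the accumulator changed.  The original snippet reassigns
// `func_0` itself; here a local is used so func_0 stays inspectable.
function runBounded(iterations) {
  let acc = func_0;
  const initialType = typeof acc;   // "function"
  let afterFirst = null;
  for (let i = 0; i < iterations; i++) {
    acc = growOnce(acc, 10);
    if (i === 0) afterFirst = typeof acc; // "string" from the first step on
  }
  return {
    initialType,
    afterFirst,
    length: acc.length,          // source length + 2 chars ("10") per step
    tail: acc.slice(-6),         // last three appended "10"s
  };
}

// Guarded variant: keep appending until the next step would exceed a
// character budget, then stop.  This is the check a reproduction harness
// wants when it must not take the machine down with it.
function runGuarded(budgetChars) {
  let acc = String(func_0);      // the state after the first `+=`
  let iterations = 0;
  for (;;) {
    const next = growOnce(acc, 10);
    if (next.length > budgetChars) {
      return { iterations, length: acc.length, stopped: true };
    }
    acc = next;
    iterations++;
  }
}

// Stand-alone run: a few thousand steps instead of an infinite loop.
if (typeof require !== "undefined" && require.main === module) {
  console.log(runBounded(1000));
  console.log(runGuarded(1000));
}
```

Each iteration appends exactly the two characters "10", so the accumulator's length after N steps is the function's source length plus 2N; the value reported as `length` is only the flattened size, while the live heap in JSC also holds one rope node per step.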