[Webkit-unassigned] [Bug 195875] New: errorDescriptionForValue would trigger another out-of-memory error for rope string

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Mar 17 22:27:29 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=195875

            Bug ID: 195875
           Summary: errorDescriptionForValue would trigger another
                    out-of-memory error for rope string
           Product: WebKit
           Version: Safari 12
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dwfault at 163.com

PoC:

let o0 = '\ud801';
let o1 = o0.padEnd(0x7fffffff, 'x');

function f() {
}

print(describe(o0));
//String (rope) (unresolved): (null StringImpl*), StructureID: 29020


print(describe(o1));
//nothing?

//debug(o1);
//print();
//Out of memory.

print(describe(f));
//Object: 0x1212cbc60 with butterfly 0x0 (Structure 0x1212fd9d0:[Function, {}, NonArray, Proto:0x1212d4000, Leaf]), StructureID: 39799

try {
    o1(f);   //---> here.
} catch (e) {
    print(e);
}












crash:

2019-03-18 13:23:54.286323+0800 jsc[70531:7728936] ASSERTION FAILED: Unexpected exception observed on thread Thread:0x11e5fa000 at:
    1   0x1019398e6 JSC::ExceptionScope::unexpectedExceptionMessage()
    2   0x100f7b34b JSC::ExceptionScope::assertNoException()
    3   0x101938750 JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
    4   0x101938f52 JSC::createNotAFunctionError(JSC::ExecState*, JSC::JSValue)
    5   0x1016fb71e JSC::LLInt::handleHostCall(JSC::ExecState*, JSC::JSValue, JSC::CodeSpecializationKind)
    6   0x1016fac62 JSC::LLInt::setUpCall(JSC::ExecState*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*)
    7   0x1016f38a8 JSC::SlowPathReturnType JSC::LLInt::genericCall<JSC::OpCall>(JSC::ExecState*, JSC::OpCall&&, JSC::CodeSpecializationKind)
    8   0x1016f37b2 llint_slow_path_call
    9   0x10097c663 llint_entry
    10  0x1009692e2 vmEntryToJavaScript
    11  0x1015de45e JSC::JITC
ASSERTION FAILED: Unexpected exception observed on thread Thread:0x11e5fa000 at:
    1   0x1019398e6 JSC::ExceptionScope::unexpectedExceptionMessage()
    2   0x100f7b34b JSC::ExceptionScope::assertNoException()
    3   0x101938750 JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
    4   0x101938f52 JSC::createNotAFunctionError(JSC::ExecState*, JSC::JSValue)
    5   0x1016fb71e JSC::LLInt::handleHostCall(JSC::ExecState*, JSC::JSValue, JSC::CodeSpecializationKind)
    6   0x1016fac62 JSC::LLInt::setUpCall(JSC::ExecState*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*)
    7   0x1016f38a8 JSC::SlowPathReturnType JSC::LLInt::genericCall<JSC::OpCall>(JSC::ExecState*, JSC::OpCall&&, JSC::CodeSpecializationKind)
    8   0x1016f37b2 llint_slow_path_call
    9   0x10097c663 llint_entry
    10  0x1009692e2 vmEntryToJavaScript
    11  0x1015de45e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
    12  0x1015dd9e0 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
    13  0x10190b1e5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
    14  0x10004f56b runWithOptions(GlobalObject*, CommandLine&, bool&)
    15  0x1000251ba jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const
    16  0x100006ab4 int runJSC<jscmain(int, char**)::$_6>(CommandLine const&, bool, jscmain(int, char**)::$_6 const&)
    17  0x100005197 jscmain(int, char**)
    18  0x100004ffe main
    19  0x7fff63403ed9 start
The exception was thrown from thread Thread:0x11e5fa000 at:
    1   0x101bd009f JSC::VM::throwException(JSC::ExecState*, JSC::Exception*)
    2   0x101bd0420 JSC::VM::throwException(JSC::ExecState*, JSC::JSValue)
    3   0x101bd04e8 JSC::VM::throwException(JSC::ExecState*, JSC::JSObject*)
    4   0x101baa6d5 JSC::ThrowScope::throwException(JSC::ExecState*, JSC::JSObject*)
    5   0x10099b405 JSC::throwException(JSC::ExecState*, JSC::ThrowScope&, JSC::JSObject*)
    6   0x1019395bc JSC::throwOutOfMemoryError(JSC::ExecState*, JSC::ThrowScope&)
    7   0x101a7e26b JSC::JSRopeString::outOfMemory(JSC::ExecState*) const
    8   0x101a7df37 WTF::String const& JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_3>(JSC::ExecState*, JSC::JSRopeString::resolveRope(JSC::ExecState*) const::$_3&&) const
    9   0x101a7db91 JSC::JSRopeString::resolveRope(JSC::ExecState*) const
    10  0x100985859 JSC::JSString::value(JSC::ExecState*) const
    11  0x1019381b4 JSC::errorDescriptionForValue(JSC::ExecState*, JSC::JSValue)
    12  0x1019386ad JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
    13  0x101938f52 JSC::createNotAFunctionError(JSC::ExecState*, JSC::JSValue)
    14  0x1016fb71e JSC::LLInt::handleHostCall(JSC::ExecState*, JSC::JSValue, JSC::CodeSpecializationKind)
    15  0x1016fac62 JSC::LLInt::setUpCall(JSC::ExecState*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*)
    16  0x1016f38a8 JSC::SlowPathReturnType JSC::LLInt::genericCall<JSC::OpCall>(JSC::ExecState*, JSC::OpCall&&, JSC::CodeSpecializationKind)
    17  0x1016f37b2 llint_slow_path_call
    18  0x10097c663 llint_entry
    19  0x1009692e2 vmEntryToJavaScript
    20  0x1015de45e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
    21  0x1015dd9e0 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
    22  0x10190b1e5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
    23  0x10004f56b runWithOptions(GlobalObject*, CommandLine&, bool&)
    24  0x1000251ba jscmain(int, char**)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const
    25  0x100006ab4 int runJSC<jscmain(int, char**)::$_6>(CommandLine const&, bool, jscmain(int, char**)::$_6 const&)
    26  0x100005197 jscmain(int, char**)
    27  0x100004ffe main
    28  0x7fff63403ed9 start
    29  0x5

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190318/99212fca/attachment.html>

More information about the webkit-unassigned mailing list