[Webkit-unassigned] [Bug 233206] New: [JSC] indirect eval GC/memory leak

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 16 11:42:01 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=233206

            Bug ID: 233206
           Summary: [JSC] indirect eval GC/memory leak
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: pmates at igalia.com

While working on the Shadow Realm implementation in JSC I noticed some OOM issues related to indirect eval.

I was able to reproduce them with the following `example.js` snippet:

```
for (i = 0; i<50000; i++) {
    // indirect eval: has issues
    let f = (0, eval)("{x: " + Math.random() + "}");

    // direct eval: is fine
    // let f = eval("{x: " + Math.random() + "}");

    // filler to prevent optimizing anything away
    if (f.x === 0.1) {
        print(1);
    }

    // issue persists even when GC is called after each allocation
    fullGC();
}
```

Running this snippet in the jsc console with LLInt disabled results in an out-of-memory crash:

```
$ Tools/Scripts/run-jsc --jsc-only --debug --useLLInt=false --logExecutableAllocation=1 --gcMaxHeapSize=1024 --jitMemoryReservationSize=102400 examples.js

...
Allocating 896 bytes of executable memory with 101248 bytes allocated, 102400 bytes reserved, and 102400 committed.
Allocating 896 bytes of executable memory with 102144 bytes allocated, 102400 bytes reserved, and 102400 committed.
Ran out of executable memory while allocating 896 bytes.
[1]    26356 abort (core dumped)  Tools/Scripts/run-jsc --jsc-only --debug --useLLInt=false
```
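As an added example (not part of the bug report), the following contrasts the per-iteration indirect-eval pattern of the repro with a compile-once alternative that hands the engine a single program, and shows the scope difference between direct and indirect eval. It wraps the literal in parentheses so it evaluates to an object, and it runs in Node or jsc without the repro's `fullGC()`/`print()`.

```javascript
// Added example, not code from the bug report. `indirectEval` is the
// (0, eval) form used in the repro; `programsCompiled` is our own counter.
const indirectEval = (0, eval);

// Count how many distinct program texts are handed to the engine; each
// one is a separate compilation, which is what the report shows leaking.
let programsCompiled = 0;
function countedEval(source) {
  programsCompiled += 1;
  return indirectEval(source);
}

// Pattern from the report: a fresh program text for every value.
function perCallIndirectEval(values) {
  programsCompiled = 0;
  const records = values.map((v) => countedEval("({x: " + v + "})"));
  return { records, programsCompiled };
}

// Mitigation: compile one parameterised template and call it. The values
// travel as arguments, so the engine sees a single program regardless of
// how many records are built.
function compileOnce(values) {
  programsCompiled = 0;
  const makeRecord = countedEval("(v) => ({x: v})");
  const records = values.map((v) => makeRecord(v));
  return { records, programsCompiled };
}

// Direct eval sees the caller's bindings; indirect eval runs in the
// global scope. The two forms are not interchangeable.
function scopeDemo() {
  const callerLocal = "visible to direct eval only";
  return {
    direct: eval("typeof callerLocal"),           // "string"
    indirect: indirectEval("typeof callerLocal"), // "undefined"
  };
}
```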
