[Webkit-unassigned] [Bug 254331] New: Aborted at Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113)
bugzilla-daemon at webkit.org
Thu Mar 23 06:16:01 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=254331
Bug ID: 254331
Summary: Aborted at Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113)
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: xiangwei1895 at gmail.com
My JSC crashed when executing the following code:
PoC:
// The element count decides how many times the callback below runs.
const v2 = new Int16Array(59925);
function f3(a4, a5, a6, a7) {
    // Options object for a resizable ArrayBuffer: only 32 bytes are in use,
    // but the engine has to set aside backing memory for maxByteLength.
    const o10 = {
        "maxByteLength": 786701,
    };
    // Each call goes through JSC::tryAllocateResizableMemory (see trace below).
    const v12 = new ArrayBuffer(32, o10);
    return a6;
}
// One resizable ArrayBuffer per element: 59925 allocations of ~786 KB each.
v2.forEach(f3);
mprotect failed: Cannot allocate memory
SHOULD NEVER BE REACHED
/home/data/WebKit/Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113) : WTF::RefPtr<JSC::BufferMemoryHandle> JSC::tryAllocateResizableMemory(VM*, size_t, size_t)
Aborted (core dumped)
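As an added example that is not part of the report and not JSC or WebKit code, the following exercises the resizable ArrayBuffer API the PoC relies on, with the allocation loop bounded so it runs safely in any engine. It shows what a script is entitled to observe: a buffer created with maxByteLength exposes only byteLength bytes until it is resized, a resize past the maximum throws RangeError, and, per the ECMAScript allocation rules, an allocation that cannot be satisfied must surface as a catchable RangeError rather than the abort in the trace above. The function names, counts and sizes are arbitrary choices for the example; the feature check is there for engines without resizable buffers.

```javascript
// Added example, not from the bug report or the WebKit tree.
// Resizable ArrayBuffers need a recent engine (Node 20+, current JSC/V8).
const RESIZABLE_SUPPORTED = typeof ArrayBuffer.prototype.resize === "function";

// Create a resizable buffer and report what the script can see about it.
// byteLength is what is usable now; maxByteLength is what the engine
// has to keep backing memory available for.
function describeResizable(byteLength, maxByteLength) {
  if (!RESIZABLE_SUPPORTED) return null;
  const buf = new ArrayBuffer(byteLength, { maxByteLength });
  return {
    resizable: buf.resizable,
    byteLength: buf.byteLength,
    maxByteLength: buf.maxByteLength,
  };
}

// Grow (or shrink) a buffer in place. Going past maxByteLength is a
// RangeError by spec, never a crash.
function tryResize(buf, newLength) {
  try {
    buf.resize(newLength);
    return { ok: true, byteLength: buf.byteLength };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Bounded version of the PoC's loop: allocate up to `count` resizable
// buffers with the given maxByteLength, keep them alive so the engine cannot
// reclaim them, and stop cleanly on the first allocation failure. A
// conforming engine reports exhaustion as RangeError; the report above shows
// JSC aborting instead.
function allocateUntilFailure(count, byteLength, maxByteLength) {
  if (!RESIZABLE_SUPPORTED) return null;
  const kept = [];
  let failure = null;
  for (let i = 0; i < count; i++) {
    try {
      kept.push(new ArrayBuffer(byteLength, { maxByteLength }));
    } catch (e) {
      failure = e.constructor.name;
      break;
    }
  }
  return { allocated: kept.length, failure };
}

// Constructed, deliberately small parameters (the PoC's 59925 x 786701 would
// need tens of gigabytes of reservations).
console.log(describeResizable(32, 4096));
console.log(allocateUntilFailure(64, 32, 65536));
```

Raising `count` and `maxByteLength` toward the PoC's values is how you reproduce the reservation pressure; on an engine with the fix the loop should end with `failure === "RangeError"` and a usable process, not a core dump.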