[Webkit-unassigned] [Bug 274052] New: ASSERTION FAILED: isMarked(cell) in JSC::Heap::reportExtraMemoryAllocatedPossiblyFromAlreadyMarkedCell(const JSC::JSCell *, size_t)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun May 12 04:22:13 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=274052

            Bug ID: 274052
           Summary: ASSERTION FAILED: isMarked(cell) in
                    JSC::Heap::reportExtraMemoryAllocatedPossiblyFromAlreadyMarkedCell(const JSC::JSCell *, size_t)
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: qbtly201 at gmail.com

Created attachment 471376

  --> https://bugs.webkit.org/attachment.cgi?id=471376&action=review

original_poc

###### Webkit
af7bd70a44bb1e3adae77f36bcc34a47daeeb9a4

###### Build platform
Ubuntu 22.04.3

###### Build steps
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=0512 --cmakeargs="-DENABLE_STATIC_JSC=ON"

###### Test case
```
// Reproducer for the isMarked(cell) assertion reported above. Note the
// build steps: this is a --debug build, so the page shows an assertion
// failure; behaviour of a release build is not shown here.
//
// Each call to main() evaluates a generated function: 100 nested IIFEs,
// each of which sets its own `arguments.callee.displayName` to the
// concatenation 'a'.repeat(0x100000) + 'b' (a JSRopeString per the
// backtrace), with the innermost one returning a fresh Error.
//
// From the backtrace: a GC is triggered while 'a'.repeat(...) allocates
// (frames #29-#33), and in the GC end phase the ErrorInstance finalizer
// computes the Error's stack-trace string (#13-#19), which resolves a
// function's displayName rope (#6-#9) and calls reportExtraMemoryAllocated
// on a cell the heap does not consider marked (#3-#5), firing the assertion.
function main() {
    // `error` is assigned without a declaration, so it is an implicit
    // global; the nested string building happens inside the generated
    // Function body, not in this frame.
    error = (new Function(`return (function () { arguments.callee.displayName = 'a'.repeat(0x100000) + 'b'; `.repeat(100) + `return new Error();` + ` })();`.repeat(100)))();
    // Recursion: main.apply() calls main() again with no arguments, so
    // the allocation pattern above repeats on every frame until the
    // process stops (the page does not show how the recursion ends).
    main.apply();
}
main();
```

###### Execution steps
./jsc poc.js

###### Output

ASSERTION FAILED: isMarked(cell)
../../../Source/JavaScriptCore/heap/Heap.cpp(615) : void JSC::Heap::reportExtraMemoryAllocatedPossiblyFromAlreadyMarkedCell(const JSC::JSCell *, size_t)

Thread 1 "jsc" received signal SIGABRT, Aborted.

pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff5aa3859 in __GI_abort () at abort.c:79
#2  0x000000000042777a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:846
#3  0x00000000013804a0 in JSC::Heap::reportExtraMemoryAllocatedPossiblyFromAlreadyMarkedCell (this=this@entry=0x7fffa90000c8, cell=<optimized out>, cell@entry=0x7fffa94d94a0, size=<optimized out>, size@entry=1048577) at ../../../Source/JavaScriptCore/heap/Heap.cpp:615
#4  0x0000000001380828 in JSC::Heap::reportExtraMemoryAllocatedSlowCase (this=0x7fffa90000c8, deferralContext=0x0, cell=0x7fffa94d94a0, size=1048577) at ../../../Source/JavaScriptCore/heap/Heap.cpp:630
#5  0x0000000001c6a7da in JSC::Heap::reportExtraMemoryAllocated (this=0x7fffa90000c8, cell=0x7fffa94d94a0, size=1048577) at ../../../Source/JavaScriptCore/heap/HeapInlines.h:216
#6  JSC::JSRopeString::resolveRopeWithFunction<JSC::JSRopeString::resolveRope(JSC::JSGlobalObject*) const::$_3>(JSC::JSGlobalObject*, JSC::JSRopeString::resolveRope(JSC::JSGlobalObject*) const::$_3&&) const (this=0x7fffa94d94a0, nullOrGlobalObjectForOOM=<optimized out>, function=...) at ../../../Source/JavaScriptCore/runtime/JSString.cpp:249
#7  JSC::JSRopeString::resolveRope (this=0x7fffa94d94a0, nullOrGlobalObjectForOOM=<optimized out>) at ../../../Source/JavaScriptCore/runtime/JSString.cpp:270
#8  0x0000000001b18fa2 in JSC::JSString::tryGetValue (this=0x7fffa94d94a0, allocationAllowed=true) at ../../../Source/JavaScriptCore/runtime/JSString.h:889
#9  JSC::getCalculatedDisplayName (vm=..., object=object@entry=0x7fffa947b440) at ../../../Source/JavaScriptCore/runtime/JSFunction.cpp:496
#10 0x0000000001eab3ff in JSC::StackFrame::functionName (this=<optimized out>, this@entry=0x7fffa95409b0, vm=...) at ../../../Source/JavaScriptCore/runtime/StackFrame.cpp:125
#11 0x0000000001eab881 in JSC::StackFrame::toString (this=0x7fffa95409b0, vm=...) at ../../../Source/JavaScriptCore/runtime/StackFrame.cpp:154
#12 0x00000000014d3067 in JSC::Interpreter::stackTraceAsString (vm=..., stackTrace=...) at ../../../Source/JavaScriptCore/interpreter/Interpreter.cpp:548
#13 0x00000000019b67ef in JSC::ErrorInstance::computeErrorInfo (this=0x7fffeb0384d8, vm=...) at ../../../Source/JavaScriptCore/runtime/ErrorInstance.cpp:266
#14 0x0000000001383588 in JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}::operator()(JSC::HeapCell*, JSC::HeapCell::Kind) const (this=<optimized out>, cell=0x2, cell@entry=0x7fffa9000000) at ../../../Source/JavaScriptCore/heap/Heap.cpp:712
#15 JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&)::{lambda(JSC::PreciseAllocation*)#1}::operator()(JSC::PreciseAllocation*) const (this=<optimized out>, allocation=0x7fffeb038468) at ../../../Source/JavaScriptCore/heap/SubspaceInlines.h:84
#16 JSC::Subspace::forEachPreciseAllocation<JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&)::{lambda(JSC::PreciseAllocation*)#1}>(JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&)::{lambda(JSC::PreciseAllocation*)#1} const&) (this=<optimized out>, func=...) at ../../../Source/JavaScriptCore/heap/SubspaceInlines.h:66
#17 JSC::Subspace::forEachMarkedCell<JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1}>(JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace>(JSC::IsoSubspace&, JSC::CollectionScope)::{lambda(JSC::HeapCell*, JSC::HeapCell::Kind)#1} const&) (this=<optimized out>, func=...) at ../../../Source/JavaScriptCore/heap/SubspaceInlines.h:81
#18 JSC::Heap::finalizeMarkedUnconditionalFinalizers<JSC::ErrorInstance, JSC::IsoSubspace> (this=0x7fffa90000c8, cellSet=..., collectionScope=<optimized out>) at ../../../Source/JavaScriptCore/heap/Heap.cpp:710
#19 JSC::Heap::finalizeUnconditionalFinalizers (this=this@entry=0x7fffa90000c8) at ../../../Source/JavaScriptCore/heap/Heap.cpp:752
#20 0x000000000138e6aa in JSC::Heap::runEndPhase (this=<optimized out>, this@entry=0x7fffa90000c8, conn=JSC::GCConductor::Mutator) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1667
#21 0x000000000138b308 in JSC::Heap::runCurrentPhase (this=this@entry=0x7fffa90000c8, conn=conn@entry=JSC::GCConductor::Mutator, currentThreadState=currentThreadState@entry=0x7fffffffcb00) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1372
#22 0x00000000013d0edd in JSC::Heap::collectInMutatorThread()::$_0::operator()(JSC::CurrentThreadState&) const (this=<optimized out>, state=...) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1993
#23 WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&) (argument=<optimized out>, arguments=...) at WTF/Headers/wtf/ScopedLambda.h:106
#24 0x0000000001418149 in WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(JSC::CurrentThreadState&) const (this=0x7fffffffcb68, arguments=...) at WTF/Headers/wtf/ScopedLambda.h:58
#25 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&) (lambda=...) at ../../../Source/JavaScriptCore/heap/MachineStackMarker.cpp:227
#26 0x0000000001393977 in JSC::Heap::collectInMutatorThread (this=this@entry=0x7fffa90000c8) at ../../../Source/JavaScriptCore/heap/Heap.cpp:2005
#27 0x0000000001393724 in JSC::Heap::stopIfNecessarySlow (this=this@entry=0x7fffa90000c8, oldState=5) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1974
#28 0x00000000013935be in JSC::Heap::stopIfNecessarySlow (this=0x7fffa90000c8) at ../../../Source/JavaScriptCore/heap/Heap.cpp:1946
#29 0x000000000043646d in JSC::JSString::create (vm=..., value=...) at ../../../Source/JavaScriptCore/runtime/JSString.h:194
#30 0x0000000000ca14a9 in JSC::jsString (vm=..., s=...) at ../../../Source/JavaScriptCore/runtime/JSString.h:927
#31 JSC::jsString (vm=..., s=...) at ../../../Source/JavaScriptCore/runtime/JSString.h:965
#32 0x00000000018a870e in JSC::repeatCharacter<unsigned char> (globalObject=globalObject@entry=0x7fffa941a088, character=97 'a', repeatCount=repeatCount@entry=1048576) at ../../../Source/JavaScriptCore/runtime/JSStringInlines.h:107
#33 0x0000000001ec83c1 in JSC::stringProtoFuncRepeatCharacter (globalObject=0x7fffa941a088, callFrame=0x7fffffffce10) at ../../../Source/JavaScriptCore/runtime/StringPrototype.cpp:867
#34 0x00007fffaac216a6 in ?? ()
#35 0x00007fffffffcea0 in ?? ()
#36 0x0000000002533bee in llint_op_call ()
#37 0x0000000000000000 in ?? ()
