<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - ASan detects container-overflow in HeapUtil::findGCObjectPointersForMarking"
href="https://bugs.webkit.org/show_bug.cgi?id=164880">164880</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ASan detects container-overflow in HeapUtil::findGCObjectPointersForMarking
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>Other
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>ap@webkit.org
</td>
</tr>
<tr>
<th>CC</th>
<td>fpizlo@apple.com, ryanhaddad@apple.com
</td>
</tr></table>
<p>
<div>
<pre>Seen on the ASan bots. Possibly a false positive? The faulting READ is at 0x60c0003d0ad8, 88 bytes inside a live 128-byte region whose allocation stack (frames #3-#6 below) is the backing buffer of a WTF::Vector&lt;JSC::LargeAllocation*&gt; grown on the main thread (T0) from MarkedSpace::tryAllocateLarge; the read happens on the GC thread (T1579) in HeapUtil::findGCObjectPointersForMarking during conservative root scanning. "container-overflow" is ASan's report for an access that is inside the malloc'd region but past the container's annotated size, so either findGCObjectPointersForMarking indexes past the vector's current size, or the Vector's ASan container annotations are stale relative to what the collector thread observes; which of the two it is has not yet been determined.
Application Specific Information:
=================================================================
==41956==ERROR: AddressSanitizer: container-overflow on address 0x60c0003d0ad8 at pc 0x00011254bb2f bp 0x7000003a4930 sp 0x7000003a4928
READ of size 8 at 0x60c0003d0ad8 thread T1579
#0 0x11254bb2e in void JSC::HeapUtil::findGCObjectPointersForMarking<void JSC::ConservativeRoots::genericAddPointer<JSC::CompositeMarkHook>(void*, unsigned int, JSC::TinyBloomFilter, JSC::CompositeMarkHook&)::'lambda'(void*)>(JSC::Heap&, unsigned int, JSC::TinyBloomFilter, void*, JSC::CompositeMarkHook const&) (JavaScriptCore+0x228b2e)
#1 0x11254b3d8 in void JSC::ConservativeRoots::genericAddPointer<JSC::CompositeMarkHook>(void*, unsigned int, JSC::TinyBloomFilter, JSC::CompositeMarkHook&) (JavaScriptCore+0x2283d8)
#2 0x112549b17 in void JSC::ConservativeRoots::genericAddSpan<JSC::CompositeMarkHook>(void*, void*, JSC::CompositeMarkHook&) (JavaScriptCore+0x226b17)
#3 0x1125499bd in JSC::ConservativeRoots::add(void*, void*, JSC::JITStubRoutineSet&, JSC::CodeBlockSet&) (JavaScriptCore+0x2269bd)
#4 0x112e72334 in JSC::MachineThreads::gatherConservativeRoots(JSC::ConservativeRoots&, JSC::JITStubRoutineSet&, JSC::CodeBlockSet&) (JavaScriptCore+0xb4f334)
#5 0x11297da70 in JSC::Heap::markToFixpoint(double) (JavaScriptCore+0x65aa70)
#6 0x1129836a2 in JSC::Heap::collectInThread() (JavaScriptCore+0x6606a2)
#7 0x112989ce8 in JSC::Heap::Thread::work() (JavaScriptCore+0x666ce8)
#8 0x113304785 in WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const (JavaScriptCore+0xfe1785)
#9 0x113313b7d in WTF::threadEntryPoint(void*) (JavaScriptCore+0xff0b7d)
#10 0x11331425d in WTF::wtfThreadEntryPoint(void*) (JavaScriptCore+0xff125d)
#11 0x10eea799c in _pthread_body (libsystem_pthread.dylib+0x399c)
#12 0x10eea7919 in _pthread_start (libsystem_pthread.dylib+0x3919)
#13 0x10eea5350 in thread_start (libsystem_pthread.dylib+0x1350)
0x60c0003d0ad8 is located 88 bytes inside of 128-byte region [0x60c0003d0a80,0x60c0003d0b00)
allocated by thread T0 here:
#0 0x10c8860b0 in wrap_malloc (libclang_rt.asan_iossim_dynamic.dylib+0x490b0)
#1 0x11332ae1e in bmalloc::Allocator::allocateSlowCase(unsigned long) (JavaScriptCore+0x1007e1e)
#2 0x1132c7875 in bmalloc::Allocator::allocate(unsigned long) (JavaScriptCore+0xfa4875)
#3 0x112eab160 in WTF::VectorBufferBase<JSC::LargeAllocation*>::allocateBuffer(unsigned long) (JavaScriptCore+0xb88160)
#4 0x112eab0d3 in WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (JavaScriptCore+0xb880d3)
#5 0x112eab033 in WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, JSC::LargeAllocation**) (JavaScriptCore+0xb88033)
#6 0x112eaaf21 in void WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::appendSlowCase<JSC::LargeAllocation*&>(JSC::LargeAllocation*&&&) (JavaScriptCore+0xb87f21)
#7 0x112ea3a44 in JSC::MarkedSpace::tryAllocateLarge(JSC::MarkedSpace::Subspace&, JSC::GCDeferralContext*, unsigned long) (JavaScriptCore+0xb80a44)
#8 0x112ea3598 in JSC::MarkedSpace::allocateLarge(JSC::MarkedSpace::Subspace&, JSC::GCDeferralContext*, unsigned long) (JavaScriptCore+0xb80598)
#9 0x11234e42a in JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSCell*, unsigned long, unsigned long, bool, unsigned long) (JavaScriptCore+0x2b42a)
#10 0x112cb53ae in JSC::Butterfly::createOrGrowPropertyStorage(JSC::Butterfly*, JSC::VM&, JSC::JSCell*, JSC::Structure*, unsigned long, unsigned long) (JavaScriptCore+0x9923ae)
#11 0x112379209 in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int)::operator()(JSC::GCSafeConcurrentJSLocker const&, int) const (JavaScriptCore+0x56209)
#12 0x112379099 in int JSC::Structure::add<bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int)>(JSC::VM&, JSC::PropertyName, unsigned int, bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int) const&) (JavaScriptCore+0x56099)
#13 0x112377ca3 in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (JavaScriptCore+0x54ca3)
#14 0x112caa690 in JSC::JSObject::putDirectCustomAccessor(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) (JavaScriptCore+0x987690)
#15 0x112cb0b9d in JSC::reifyStaticProperty(JSC::VM&, JSC::PropertyName const&, JSC::HashTableValue const&, JSC::JSObject&) (JavaScriptCore+0x98db9d)
#16 0x112cac884 in JSC::JSObject::reifyAllStaticProperties(JSC::ExecState*) (JavaScriptCore+0x989884)
#17 0x112c9d8cd in JSC::JSObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (JavaScriptCore+0x97a8cd)
#18 0x112cf5bc3 in JSC::JSSymbolTableObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (JavaScriptCore+0x9d2bc3)
#19 0x115f7f031 in WebCore::JSDOMWindow::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (WebCore+0x1313031)
#20 0x112e5141f in llint_slow_path_del_by_id (JavaScriptCore+0xb2e41f)
#21 0x112e6d03b in llint_entry (JavaScriptCore+0xb4a03b)
#22 0x112e673ea in vmEntryToJavaScript (JavaScriptCore+0xb443ea)
#23 0x112b26c6d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (JavaScriptCore+0x803c6d)
#24 0x112a9dadc in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (JavaScriptCore+0x77aadc)
#25 0x112546e46 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore+0x223e46)
#26 0x11254704e in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore+0x22404e)
#27 0x1170811b3 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (WebCore+0x24151b3)
#28 0x117080e54 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (WebCore+0x2414e54)
#29 0x117093d0d in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) (WebCore+0x2427d0d)</pre>
</div>
</p>
</body>
</html>