Bug 254331

Summary: Aborted at Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113)
Product: WebKit
Reporter: xiangwei1895
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: mark.lam, msaboff, ysuzuki
Priority: P2
Version: WebKit Local Build
Hardware: PC
OS: Linux

Description xiangwei1895 2023-03-23 06:16:01 PDT
My JSC crashed when executing the following code:

PoC:
const v2 = new Int16Array(59925);
function f3(a4, a5, a6, a7) {
    // options bag requesting a resizable ArrayBuffer with a large maxByteLength
    const o10 = {
        "maxByteLength": 786701,
    };
    // one resizable buffer is created per forEach callback invocation
    const v12 = new ArrayBuffer(32, o10);
    return a6;
}
v2.forEach(f3);


mprotect failed: Cannot allocate memory
SHOULD NEVER BE REACHED
/home/data/WebKit/Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113) : WTF::RefPtr<JSC::BufferMemoryHandle> JSC::tryAllocateResizableMemory(VM*, size_t, size_t)
Aborted (core dumped)
Comment 1 Alexey Proskuryakov 2023-03-23 15:00:10 PDT
On macOS Apple Silicon, I get an exception and no crash.

>>> const v2 = new Int16Array(59925);
undefined
>>> function f3(a4, a5, a6, a7) {
...     const o10 = {
...         "maxByteLength": 786701,
...     };
...     const v12 = new ArrayBuffer(32, o10);
...     return a6;
... }
undefined
>>> v2.forEach(f3);
Exception: RangeError: Out of memory
>>>
Comment 2 Yusuke Suzuki 2023-03-23 15:28:18 PDT
This is memory exhaustion on the Linux platform, and a RELEASE_ASSERT_NOT_REACHED. Thus, not a security issue.
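As an added example that is not part of the bug report or of WebKit's code, the following shows how application code can avoid the failure mode described in Comment 1 and Comment 2: it bounds the maxByteLength a caller may request for a resizable ArrayBuffer before asking the engine for the reservation, and it turns a RangeError from the constructor into a result value instead of an uncaught exception. The cap MAX_RESERVATION_BYTES, the function names and the batch loop are constructed for this example; they are not from the page.

```javascript
// Added example (not from the bug report): bound the maxByteLength a caller may
// request for a resizable ArrayBuffer and turn an allocation failure into a
// result value instead of an uncaught exception.
// MAX_RESERVATION_BYTES is an assumed policy limit chosen for this example.
const MAX_RESERVATION_BYTES = 16 * 1024 * 1024; // 16 MiB, constructed cap

function tryAllocateResizable(byteLength, maxByteLength) {
  if (!Number.isInteger(byteLength) || byteLength < 0) {
    return { ok: false, reason: 'invalid-length' };
  }
  if (!Number.isInteger(maxByteLength) || maxByteLength < byteLength) {
    return { ok: false, reason: 'invalid-max' };
  }
  // Refuse over-large reservations before the engine is asked for them: the
  // engine reserves memory for maxByteLength up front, and a failed reservation
  // surfaces as a RangeError on builds that throw (Comment 1) and as an abort
  // on the reporter's Linux build, which no try/catch can intercept.
  if (maxByteLength > MAX_RESERVATION_BYTES) {
    return { ok: false, reason: 'over-cap' };
  }
  try {
    const buffer = new ArrayBuffer(byteLength, { maxByteLength });
    // Engines without resizable-buffer support ignore the options bag and
    // return a fixed-length buffer; report that so the caller can adapt.
    return { ok: true, buffer, resizable: buffer.resizable === true };
  } catch (e) {
    if (e instanceof RangeError) {
      return { ok: false, reason: 'range-error', message: e.message };
    }
    throw e;
  }
}

// Allocate many buffers the way the PoC's forEach callback does, but stop at
// the first failure instead of letting every iteration re-request memory.
function allocateBatch(count, byteLength, maxByteLength) {
  const buffers = [];
  for (let i = 0; i < count; i++) {
    const r = tryAllocateResizable(byteLength, maxByteLength);
    if (!r.ok) {
      return { allocated: buffers.length, stoppedBy: r.reason };
    }
    buffers.push(r.buffer);
  }
  return { allocated: buffers.length, stoppedBy: null };
}
```

The cap is the part that matters: a RangeError can be caught, but the abort reported on the Linux build happens inside the engine, so the only place application code can intervene is before the reservation is requested.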